230 Million Records Belonging to US Citizens for Sale on Database Sharing Platform


CloudSEK’s XVigil discovered a post, on a surface web database marketplace, advertising the data of 230 million records belonging to US citizens.
Adversary Intelligence
Affected Industries
Affected Region(s)
Data Fields: Email Address, Mobile number, Address, Income

Discovery of the Leak

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, advertising the data of 230 million records belonging to US citizens. The post was published on 22 April 2021. The poster claims that the 263 GB file contains 59 million unique email addresses and has highlighted that the leak does not contain any passwords.
Post shared by threat actor

Contents of the Leak

The leaked database contains the following data fields:
  • HH_ID
  • ID
  • First_Name_01
  • Alphafirstname_sort
  • Phonetic_First_Name
  • Middle_Name_01
  • Last_Name_01
  • Alphalastname_sort
  • Phonetic_Last_Name
  • Address
  • Alphaaddress_sort
  • City
  • Alphacity_sort
  • Cities

The 59 million unique emails present in the database are distributed across the following domains:

| Count | Domain | Count | Domain | Count | Domain |
|---|---|---|---|---|---|
| 25987376 | yahoo.com | 813295 | netzero.net | 255787 | prodigy.net |
| 16348340 | gmail.com | 777126 | cox.net | 242859 | lycos.com |
| 15192759 | aol.com | 722168 | worldnet.att.net | 241463 | iwon.com |
| 12692882 | hotmail.com | 665467 | excite.com | 230769 | mail.com |
| 3822315 | msn.com | 625490 | netscape.net | 227588 | frontiernet.net |
| 3727998 | comcast.net | 577755 | charter.net | 216468 | alltel.net |
| 2490479 | att.net | 485109 | live.com | 209631 | centurytel.net |
| 2120678 | bellsouth.net | 454116 | adelphia.net | 208704 | rocketmail.com |
| 2053038 | sbcglobal.net | 439034 | peoplepc.com | 206158 | blackplanet.com |
| 1505939 | att.com | 354191 | webtv.net | 204464 | pacbell.net |
| 1346057 | sbcglobal.com | 346773 | ymail.com | 201895 | attbi.com |
| 1133534 | earthlink.net | 330262 | mindspring.com | 200970 | ameritrade.com |
| 1010741 | juno.com | 294525 | address.com | 193412 | cfl.rr.com |
| 955291 | verizon.net | 280489 | ameritech.net | 193211 | netzero.com |
| 837589 | cs.com | 255813 | gte.net | 190661 | angelfire.com |

Data Verification and Validation

The sample data is currently being validated. Multiple other actors on the forum have claimed this data is part of the SolarWinds attack.
Verification and Validation

Another threat actor has posted a thread advertising SolarWinds/NSA data. The data schema of the second actor’s post matches that of the original poster. However, the original threat actor has denied these claims, referring to them as conspiracies.
SolarWinds Database
