The exposed.su website started drawing attention in March when it offered social security numbers and other information for everyone from Beyonce to Michelle Obama and the director of the CIA. Shocked by the breadth of data, both the FBI and Secret Service launched investigations — but today the security blogger Brian Krebs has beaten them to the punch, offering a comprehensive look at how all that personal data made it to the web.
Krebs traces the exposed.su data back to another site, SSNDOB.ms, which pulled the information through compromised servers at LexisNexis and two other companies that specialize in data for background checks. With this relatively small network, hackers were able to steal nearly 3.1 million date-of-birth records and over a million social security numbers, widely considered a weak point in online security. Krebs also reports that the malware used had no trouble evading anti-virus software. As of early September, none of the top 46 antivirus services detected the software as malicious. There's no word yet on who was operating the network, but the FBI says their investigation is ongoing and Krebs has promised more revelations in the coming weeks.