A company you’ve likely never heard of allegedly exposed some of the most personal data of “pretty much every U.S. citizen,” a security researcher said on Wednesday.

Exactis, a major data company based in Palm Coast, Fla., allegedly leaked the data of 340 million individuals, according to the security researcher Vinny Troia, who discovered what he described as a breach earlier this month. The records exposed comprise nearly two terabytes of data, according to a report from Wired published Wednesday.

Morgan & Morgan, a national law firm headquartered in New York, filed a class action lawsuit against Exactis on Friday. It alleges the firm failed to take adequate steps to protect millions of Americans from data breaches. The lawsuit was filed in Jacksonville, Fla. and seeks to recover monetary damages and other relief for people whose data was exposed in the breach.

The data in question does not include payment information or Social Security numbers but does include email addresses, home addresses, and phone numbers as well as other personal information like habits, hobbies and the number, ages, and genders of the person’s children.

Exactis did not respond to multiple requests by MarketWatch for comment. The exactis.com website was not loading in the early hours of Thursday.

What exactly is Exactis?

Exactis LLC is a compiler and aggregator of business and consumer data, with a “universal data warehouse” that stores 3.5 billion consumer, business and digital records, updated monthly. The privately held company, founded in 2015, has corporate offices in Florida, California and New York, and has just 10 employees, according to the company’s LinkedIn profile.

Chief Executive Steve Hardigree has been with Exactis since September 2015, according to LinkedIn. He is also presently the CEO of business-to-business data supplier BrightSpeed, which compiles 50 million business-level contacts daily for direct mail prospecting and telemarketing.

Hardigree also founded eDirect Inc., an email marketing and information services company that was acquired by Seisent Corp. in April 1998, and is now known as Equifax Direct Marketing Services. The Exactis office address of 1 Florida Park Drive S., in Palm Coast, Fla., puts it in the B. Paul Katz Professional Center.

How does Exactis have this information?

Exactis gets information on users through cookies, small packets of data sent out by a website when a user visits it and stored in that user’s data, according to Mark Weinstein, privacy expert and founder of social media site MeWe. These files help the website keep track of the user’s movement within the site. When cookies are collected across different websites, they help create a larger picture of a user’s browsing habits. This tracking has gotten more extreme and detailed in recent years, he said.

“As cookies track everything we do around the web, they sync together, pinging each other and sharing the data they have on you and requesting the sites you visit to do the same,” he said. “Today’s cookies can link your mobile phone to your laptop, to your home monitoring devices, and much, much more. Creepy? Scary? Orwellian? Yes, yes, yes! So imagine that Exactis, like Facebook, et al., knows everything about you — really.”

Exactis is not the only company that uses cookies to gather information across the web. Others include Epsilon, Acxiom, Palantir, Google, Amazon, Facebook — none of which immediately responded to requests for comment. “Big data” market revenue has increased from $7.6 billion in 2011 to $35 billion in 2017. It is projected to hit $103 billion by 2027.

What does the Exactis breach mean for you?

This breach could lead to identity theft for the millions of people affected, according to Steven Bearak, chief executive officer of identity-security company IdentityForce. Because there is no way yet to tell for sure if you’ve been affected, he suggests all consumers monitor social media accounts, bank accounts, and credit reports and be on alert for potential takeovers or stolen funds. Here are some other steps he suggested taking now:

• Request a free copy of your annual credit report: Take great care to review your credit reports. If you find inaccurate information, contact the companies listed on the credit report(s) directly. You can also contact the Identity Theft Resource Center, a non-profit, at (888) 400-5530 to assist you, and/or subscribe to an identity and credit monitoring service to alert you when your personal information is used.

• If you confirm that you’re a victim of identity theft, create an identity theft report with the Federal Trade Commission: Expect law enforcement to request a copy of this report when you contact them.

• Consider placing an extended fraud alert or security freeze on your credit: Creditors will still have access to your credit file, even though you’ve placed a 7-year extended fraud alert, but must first contact you to verify your identity before extending credit. A credit freeze generally prevents creditors from accessing your credit file. To request one, you must call each credit bureau directly. Laws vary by state.

• File your tax returns as soon as you can: Filing an early tax return protects you from identity thieves who could file and collect your tax refund before you do. You can also request a personal identification number (PIN) in order to submit your tax return. In the case of the Equifax data breach, it’s especially pertinent to stay on top of this to allow time to remediate any issues.

• Contact the Social Security Administration: Request a copy of your wage earning report to verify that your Social Security number is not being used fraudulently, which could result in your owing taxes for wages earned by someone who’s stolen your information.

• Contact your health insurance carrier: Request a copy of your health insurance statement in order to identify any fraudulent medical claims.

How can consumers avoid tracking?

Consumers can cut down on the amount of data being collected on them by using privacy plugins like “Privacy Badger,” an add-on for Google Chrome and other browsers that doesn’t allow consumers to be tracked without their permission.

Most browsers, under “settings,” also allow users to send a “Do Not Track” request with browsing traffic. So when you visit a website, it will not collect data based on your visit and will not target you with advertisements based on past websites you’ve visited.

Weinstein recommends Apple’s Safari browser, which is eliminating cookies to give people stronger privacy. Until the government takes action to hold companies accountable, breaches like these will continue, Carl Wright, chief revenue officer for enterprise security company AttackIQ, said.

“When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted,” he said. “This will be the only way to ensure that corporations take the necessary steps to secure consumer data.”

Tomi Kilgore and Ciara Linnane contributed to this story.