The sales intelligence firm Apollo sent a notice to its customers last week disclosing a data breach it suffered over the summer. "On discovery, we took immediate steps to remediate our systems and confirmed the issue could not lead to any future unauthorized access," cofounder and CEO Tim Zheng wrote. "We can appreciate that this situation may cause you concern and frustration." In fact, the scale and scope of the breach have a lot of people concerned.

Apollo is a data aggregator and analytics service aimed at helping sales teams know whom to contact, when, and with what message to close the most deals. "No one ever drowned in revenue," the company says on its site. Apollo also claims in its marketing materials to hold 200 million contacts and information on more than 10 million companies in its vast reservoir of data. That's apparently not just spin. Night Lion Security founder Vinny Troia, who routinely scans the internet for unprotected, freely accessible databases, discovered Apollo's trove containing 212 million contact listings as well as nine billion data points related to companies and organizations. All of it was readily available online, for anyone to access. Troia disclosed the exposure to the company in mid-August.

As Apollo noted in its letter to customers, it draws much of its information from public sources around the web, including names, email addresses, and company contact information. But it also scrapes Twitter and LinkedIn. In fact, the profiles Apollo compiles are so detailed that Troia originally mistook the trove for data taken from LinkedIn. Some of Troia's methods of investigating the Apollo breach have been called into question, though, particularly that he posted a listing for the exposed data, which he then believed to be LinkedIn's, on a dark web marketplace. Troia claims he never planned to actually sell the data, and that he made the post as a ruse to aid other ongoing research.

For its part, LinkedIn issued a firm rebuke. "Our investigation into this claim found that a third-party sales intelligence company that is not associated with LinkedIn was compromised and exposed a large set of data aggregated from a number of social networks, websites, and the company’s own customers," the company said in a statement.

Combining all of that public data in one easily accessible location creates inherent risk; if it leaks, as the Apollo data has, it enables scammers, fraudsters, and phishers to craft compelling targeted attacks against a huge number of people. But the Apollo breach has an additionally problematic layer. "Some client-imported data was also accessed without authorization," Zheng wrote in the disclosure to customers last week.

Customers access Apollo's data and predictive features through a main dashboard. They also have the option to connect other data tools they might use, for example authorizing their Salesforce accounts to port data into Apollo. Troia found that more than seven million pieces of internal "opportunity" data, information about impending sales commonly associated with Salesforce, were exposed in the breach. One Apollo client alone had almost a million records exposed.

"There is always a high risk for fraud, spam, or other even harmful actions when these types of data sets leak," Troia says. "People already receive phishing and voice-phishing messages every day. Now you are talking about exposing potentially hundreds of millions of people to more avenues for phishing and fraud. Meanwhile, Apollo seems to have about 530 clients who each had different amounts of valuable opportunity data caught up in this leak."

Apollo cofounder and CTO Ray Li told WIRED that the company is investigating the breach and has reported it to law enforcement. According to the company, the exposed data does not include financial data, Social Security numbers, or account credentials. Apollo said in its initial letter to customers that "an unidentified third party accessed our systems without authorization before our remediation efforts," which could mean that the data is already in the hands of scammers.