Sales engagement startup Apollo says its massive contacts database was stolen in a data breach

Apollo, a sales engagement startup boasting a database of more than 200 million contact records, has been hacked.

The YC Combinator-backed company, formerly known as ZenProspect, helps salespeople connect with prospective customers. Using its massive prospect database of 200 million contacts at 10 million companies, Apollo matches sellers with potential buyers.

Apollo said that the bulk of the stolen data was from its prospect database.

Bjoern Zinssmeister, co-founder of Templarbit, which posts details of data breaches on its Breachroom page, obtained a copy of the email sent to affected customers and forwarded it to TechCrunch.

The email said that company said the breach was discovered weeks after system upgrades in July.

“We have confirmed that the majority of exposed information came from our publicly gathered prospect database, which could include name, email address, company names, and other business contact information,” said the email to customers. “Some client-imported data was also accessed without authorization,” the company said, but did not say what kind of data that included.

Apollo’s database contains publicly available data, including names, job titles, employers, social media handles, phone numbers and email addresses. It doesn’t include Social Security numbers, financial data or email addresses and passwords, Apollo said.

Although the company’s chief executive Tim Zheng said that the company had contacted customers in line with its “values of transparency,” Zheng declined to answer TechCrunch’s questions — including what data was taken and how many customers were affected.

“The investigation is still ongoing,” said Zheng in an email. He added that the “only statement that we’re making to press at this time is the customer communication” sent to affected users.

Zheng also refused to say if the company has informed state authorities of the breach. A spokesperson for the California attorney general did not immediately comment on whether Apollo has notified the state about the breach.

Apollo may also face action from European authorities under GDPR.

The data breach may not pose an immediate security risk to users such as if usernames and passwords are stolen, but exposed contact information can have a long-term effect on user security, such as making it easier for attackers to send targeted phishing emails.

Even if the stolen data isn’t considered that sensitive, the breach adds to a growing pile of companies hoarding vast amounts of data but failing to keep it safe.