Oracle’s BlueKai Leaked Billions of Records Online

BlueKai, a startup acquired by Oracle in 2014 just had a major database exposed online after they left billions of records of browsing history and data unprotected. This is arguably the largest data breach ever and definitely the largest breach of the year. According to TechCrunch, Oracle bought BlueKai for over $400 million in 2014, but BlueKai is barely known outside of marketing circles. BlueKai has quietly amassed one of the largest banks of web tracking data outside of the federal government. BlueKai uses website cookies and other tracking technology to track user activity on the web. They analyze the web data and information collected and map users’ online tendencies to sell to targeted advertising companies. 

Security researcher Anurag Sen discovered the data breach and disclosed his findings to Oracle through Roi Carthy, Chief Executive of cybersecurity company Hudson Rock, according to TechCrunch. Sen also shared his findings with TechCrunch who upon further examination found that the data contained names, home addresses, email addresses, and other personally identifiable information (PII) points. 

Some of the records were so detailed that TechCrunch was able to identify a person in Istanbul who purchased a piece of furniture for $899 because a large investment holding company in Turkey uses BlueKai to track users on their website. The record revealed the man’s name, email address, and direct web address. They could see that someone’s iPhone was out of date due to them unsubscribing to an email chain using their iCloud account. The data exposed ranged from web browsing activity like unsubscribing from emails to peoples’ online purchases made. According to Sen, some of the data went as far back as August 2019.

BlueKai works like many other data trackers where they collect small data points or “fragments” here and there from different sources to build a digital “fingerprint” to identify consumers for targeted advertising agencies to buy. As a majority of people continue to work from home, we are continuing to spend a substantial amount of our time online revealing more information than we realize. BlueKai, according to TechCrunch, tracks over 1% of all web traffic. These sites include Amazon, ESPN, Forbes, Glassdoor, Healthline, Levi’s, MSN.com, Rotten Tomatoes, and The New York Times as per the report. Even the TechCrunch report itself can be included on that list because TechCrunch is owned by Verizon Media who is partnered with BlueKai!

Oracle has responded to the discovery of the breach and assured their clients they are taking preventative security measures to ensure this type of breach never happens again. Oracle spokesperson Deborah Hellinger said, “While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle’s investigation has subsequently determined that two companies did not properly configure their services. Oracle has taken additional measures to avoid a reoccurrence of this issue.”