Hacker Breaches Exposed AWS Bucket, Accessing Millions of IMDataCenter Records

In a significant cybersecurity incident, researcher Jeremiah Fowler has revealed a critical data breach involving IMDataCenter, a Florida-based data solutions company. The breach has resulted in the exposure of a vast database that contains sensitive personal information belonging to individual users and various client organizations.

The compromised database, which includes both CSV and PDF files, holds approximately 38GB of data across more than 10,800 records and was left publicly accessible on the internet without password protection or encryption. This oversight poses a serious threat to data privacy and security.

This breach is especially concerning due to the nature of the information disclosed. The exposed files contain a wide array of personally identifiable information (PII), including names, postal addresses, phone numbers, and email addresses. They also contain sensitive details about lifestyle and ownership of property or vehicles, making this data particularly valuable to malicious actors.

IMDataCenter typically utilizes this verified information to assist clients across various sectors, including healthcare, insurance, and political campaigns, in their marketing strategies. However, with the current breach, this data can easily become a tool for cybercriminals, significantly increasing the risk of identity theft and financial fraud.

The scale of IMDataCenter’s operation is noteworthy, with its database containing records of over 260 million individuals and 600 million email addresses. An exposure of such magnitude could lead to widespread exploitation, and because even a single file can contain data for thousands of people, estimating the number of those affected is difficult.

“With each CSV document containing the data of thousands of individuals, it is difficult to calculate the total number of those who may have potentially had their data exposed,” Fowler commented in a blog post.

The potential fallout from this exposure can prove detrimental for the victims. The disclosed personal details can facilitate highly convincing phishing scams and other fraudulent activities. Scammers may leverage verified home addresses and phone numbers to create deceptive communications, increasing the likelihood of financial loss.

Upon identifying the exposed data, Fowler promptly issued a responsible disclosure notice to IMDataCenter, which responded quickly by restricting public access to the database. A representative from the company acknowledged the importance of data security and assured stakeholders that remedial actions were being taken.

The data breach raises critical questions regarding the oversight and management of the database. While the records seemed to originate from IMDataCenter, it is still undetermined whether the company is directly accountable for the misconfiguration or if a third-party contractor was involved.

However, There’s More to the Story…

In mid-July 2025, Hackread.com received communication from a BreachForum user identified as ThinkingOne, who claimed to have accessed an AWS bucket linked to IMDataCenter. This AWS bucket reportedly contained around 40GB of data, which expanded to approximately 75GB once uncompressed, with updates happening daily.

ThinkingOne said they had tried to notify IMDataCenter about the leak but reported a lack of response. They managed to download extensive data, including 20 million unique email addresses and 37 million phone numbers. Additionally, they indicated that files containing sensitive information, such as over 50,000 Social Security Numbers and dates of birth, were retrieved. Although specific client names were not disclosed, the file structure suggested associations with various sectors, including airlines, healthcare entities, and educational institutions.

Hackread.com has opted not to reveal the identities of these clients to safeguard their privacy. Nevertheless, it is crucial to note that at least one third party has already accessed and downloaded IMDataCenter’s exposed data.

It’s also pertinent to acknowledge that ThinkingOne has been previously associated with other high-profile data leaks, including the release of data from 2.8 billion X (formerly Twitter) user profiles in March 2025.
