404 Media reports that a startup is selling data hacked from over 50 million computers to various industries, including debt collectors and divorce attorneys. This practice raises serious ethical concerns, as experts point out that the sale of such information is not only unethical but may also be illegal. The company operates like a legitimate business, offering access to personal information such as passwords and email addresses for as little as $50. This trend highlights the growing market for compromised data, which was once primarily traded among anonymous criminals on underground platforms. Experts warn that individuals whose data is sold may remain unaware that their personal information is being exploited.
Nearly 2,000 Model Context Protocol servers exposed to the internet lack any form of authentication or access controls, putting sensitive data at risk. Researchers from Knostic discovered that of the 1,862 servers examined, none required authentication for querying their functions, allowing any user to access potentially private information. These servers, which facilitate connections between artificial intelligence models and data sources, have proliferated rapidly since their introduction. Knostic’s findings highlight a significant gap in security practices among users, many of whom are not implementing necessary protections. Heather Linn, a researcher at Knostic, noted that while some servers are used for benign purposes, such as sharing train schedules, others may expose sensitive corporate data or even allow for malicious activities. As the technology matures, experts are urging developers to prioritize security in future iterations of the Model Context Protocol.
Why do we care?
A startup is selling hacked data from 50 million computers—openly—to debt collectors and divorce lawyers. Meanwhile, researchers found almost 2,000 AI protocol servers on the internet, wide open, no authentication, leaking who-knows-what.
Here’s the kicker: in a lot of places, reselling this data isn’t even illegal. If there’s no clear law on data ownership, once it’s stolen and floating around, anyone can package it up and sell it.
For MSPs, this should set off alarms. Your clients think their data is safe because of “laws.” It’s not. You’re the last line of defense. That means locking down systems, scanning for leaks, and helping clients demand stronger data protections from their vendors—because regulators are still years behind.

