zerofox logo

What Is a Data Broker?

A data broker is a company that collects personal information about individuals from public records, online activity, purchases, and other sources, then sells or publishes that information as searchable profiles. These profiles often include names, current and former addresses, phone numbers, email addresses, family members, employment details, and property records. Hundreds of data broker sites operate in the United States alone, and while they are mostly legal entities, the personal information they sell has become one of the most reliable starting points for phishing, social engineering, doxxing, and physical targeting campaigns against executives and employees.

How Data Brokers Collect Personal Information

Data brokers do not need to hack anything to build a profile on you. Most of their data arrives through legal channels.

Public records are the largest single source. Voter registration data, property filings, court documents, marriage and divorce records, business filings, and motor vehicle records are all publicly accessible in most U.S. jurisdictions, and brokers ingest them at scale. Online activity is the second major source: every form you fill out, every loyalty program you join, every app permission you grant, and every newsletter you subscribe to generates data that can be sold to aggregators downstream. Then, social media profiles contribute employer information, location history, relationships, and life events.

Some brokers also acquire data through less obvious channels. Scrapers compile profiles by pulling information from public websites without any user interaction. Data-sharing agreements between vendors move personal information from one database into many. And in some cases, data stolen in a breach and sold on dark web forums gets folded into broker profiles, blurring the line between what was leaked and what was legitimately collected.

The result is that most adults in the United States have a searchable profile across dozens of data broker sites, often without ever having interacted with the brokers themselves.

Types of Data Brokers

Not every data broker operates the same way. Three categories matter for security teams, and each presents a different kind of risk.

People Finder Sites

People finder sites are the most directly dangerous for executive and employee security. Sites like Spokeo, Whitepages, BeenVerified, and FastPeopleSearch sell access to names, current and former addresses, phone numbers, email addresses, family member names, and sometimes employer details. The profiles are detailed enough to enable targeted attacks, and the cost of access is low: a few dollars for a one-time lookup, or a monthly subscription for unlimited searches. This is the category of broker most commonly used by threat actors building dossiers on individuals.

Data Aggregators

Data aggregators collect information through bulk mechanisms: form submissions, purchase data, marketing databases, and licensed data feeds. The information tends to be less granular than people finder profiles (cities rather than street addresses, age ranges rather than exact dates of birth), but it still contributes to an attacker's ability to build a complete picture. Phone numbers, employer names, and geographic history all appear in aggregator data. These brokers often sell access to marketers, insurance companies, and background check services rather than directly to consumers.

Mirror Sites

Mirror sites do not collect original information. They scrape and republish data from other broker and aggregator sites, multiplying existing exposure across additional domains. This category is what makes data broker removal so difficult: even after a primary source honors an opt-out request, copies of the original profile may persist on mirror sites that indexed the information before removal went through.

What Information Data Brokers Have on You

A typical data broker profile goes well beyond a name and address. The fields most commonly available across people finder and aggregator sites include:

For an executive whose decisions affect stock prices, employee livelihoods, public policy, or contested political and social issues, this level of detail in the wrong hands is a direct security risk. A threat actor with a credit card and an internet connection can assemble a targeting package in under an hour.

Why Data Brokers Matter for Enterprise Security

Data brokers are most often discussed in the context of consumer privacy, but the enterprise security implications are equally serious. Every exposed address, phone number, and family detail gives threat actors the raw material for targeted attacks.

The most common ways broker-sourced data is weaponized against organizations include:

For corporate security teams, this means data broker exposure is not a privacy nuisance to delegate to legal. It is an active and ongoing component of the organization's external attack surface.

How to Protect Personal Information from Data Brokers

Reducing data broker exposure is a continuous process, not a one-time cleanup. Brokers rebuild profiles over time, mirror sites re-index removed data, and new brokers emerge as old ones consolidate. Effective protection involves a few coordinated steps.

  1. Inventory current exposure. Search for executive and employee names across the major people finder sites to understand the baseline. The volume is almost always higher than expected. ZeroFox proof-of-concept engagements consistently find 40 to 60 broker listings for the average professional, and significantly more for high-profile executives.
  2. Submit both opt-out and removal requests. Opt-out tells a broker to stop publishing your information going forward. Removal takes down the specific listing that currently exists. Both are needed: removal without opt-out means your information reappears, and opt-out without removal leaves the current listing live.
  3. Monitor for re-aggregation. Even after successful removal, brokers commonly relist individuals as they reacquire data from other sources. Continuous monitoring catches reappearances and triggers new removal cycles before the exposure persists.
  4. Extend coverage to family members. Family details are a major vector for social engineering and doxxing. Effective programs include immediate family members in the removal scope.
  5. Centralize visibility for security teams. Consumer PII removal tools report to the individual, not the organization. For corporate security programs, centralized reporting on what has been removed, what is still exposed, and where re-aggregation is occurring is essential.

ZeroFox PII and Doxxing Removal automates this entire cycle across 600+ data broker sites, with continuous re-monitoring, dual opt-out and removal requests, and centralized reporting designed for enterprise security workflows. ZeroFox also monitors dark web forums, paste sites, and breach marketplaces for personal information that appears outside the public broker ecosystem.

Data Broker vs. Data Aggregator

The terms are often used interchangeably, but the distinction matters in practice.

A data broker is the broader category, covering any company that collects, packages, and resells personal information. A data aggregator is one type of data broker that focuses on collecting bulk data through automated mechanisms (forms, purchase data, licensed feeds) and reselling it primarily to other businesses rather than to consumers directly. People finder sites, by contrast, are data brokers that sell consumer-facing access to individual profiles.

For security teams evaluating their exposure, people finder sites typically represent the highest-risk data brokers because the information is granular, accessible to anyone with a credit card, and aimed at locating specific individuals. Aggregators contribute to the overall threat picture but are usually a step removed from the targeting workflow.

Frequently Asked Questions

People search sites are a specific type of data broker focused on selling consumer-facing access to individual profiles. Data brokers as a broader category include people search sites, data aggregators that supply marketing and analytics data to businesses, and mirror sites that republish data from other brokers. People search sites are typically the highest-risk category for executive security because their profiles are granular and easily accessible to threat actors.