Cyber Incident Victim: Apollo

Date: Oct 2018

Location: United States of America

Summary

A sales engagement startup experienced a data breach compromising its database of over 200 million publicly sourced business contact records, including names, email addresses, company affiliations, job titles, phone numbers, and social media handles. The incident, discovered weeks after unauthorized access during system upgrades, also involved some unspecified client-imported data, though no financial information or credentials were exposed. While the stolen data primarily consisted of professional details, the breach raised concerns about long-term risks such as targeted phishing campaigns, underscoring broader security challenges associated with large-scale data repositories. The company acknowledged the incident to customers but withheld critical details regarding impact scope and regulatory notifications.

Description

In July 2018, Apollo, a Y Combinator-backed sales engagement startup formerly known as ZenProspect, underwent system upgrades. Weeks after these upgrades, the company discovered a data breach involving unauthorized access to its databases. Apollo maintained a prospect database containing approximately 200 million contact records across 10 million companies, used to match salespeople with potential customers. The compromised data primarily consisted of publicly gathered business contact information, including names, email addresses, company names, job titles, employers, social media handles, and phone numbers. A smaller portion of client-imported data was also accessed without authorization, though Apollo did not specify the nature or scope of this secondary dataset. The company confirmed no Social Security numbers, financial data, or user credentials were exposed. Apollo CEO Tim Zheng notified affected customers via email in early October 2018, attributing the delayed disclosure to an ongoing investigation.

Apollo’s public communication emphasized transparency as a core value but provided limited details about the breach’s root cause, intrusion methods, or exact number of affected users. Zheng declined TechCrunch’s requests for specifics regarding the volume of stolen records, the timeline of attacker activity, or whether state authorities like the California attorney general’s office had been notified. The company acknowledged the breach’s potential long-term security implications, particularly the risk of targeted phishing campaigns leveraging exposed professional contact details. While downplaying immediate risks due to the absence of sensitive personal or financial data, the incident underscored operational vulnerabilities in Apollo’s management of large-scale datasets. Containment measures were not detailed beyond internal investigations, and no evidence suggested public disclosure of the stolen data at the time of reporting.
