All Vendors
identity_resolution

FullContact

FullContact is an identity resolution vendor that operates a patented cross-device identity graph containing 900+ attributes per person, sourcing data from brokers, public records, and partner exchanges to resolve and enrich customer identities at scale.

80 IOCs
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what FullContact discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps

data_collection

CRITICAL
They Claim

Privacy-first identity resolution that does not rely on third-party cookies or PII

Observed Behavior

The identity graph explicitly contains PII including names, postal addresses, email addresses, phone numbers, and Mobile Ad IDs. Privacy policy acknowledges sensitive-inference data (health, religion, politics) is included and shared. Awaiting scanner verification.

data_sharing

HIGH
They Claim

Customers access identity graph without giving away their data

Observed Behavior

Identity Streme cooperative framework is designed for bidirectional data exchange using persistent Person IDs. The enrichment model inherently requires data input to produce data output. Awaiting verification of data flow directionality.

compliance

CRITICAL
They Claim

CCPA and GDPR compliance applied universally

Observed Behavior

Graph contains sensitive-inference data categories (health, religion, politics, citizenship) that require explicit consent under GDPR Article 9. Universal compliance claim needs verification against actual data handling for special category data. Awaiting runtime verification.

Customer Impact

What This Means For You

Organizations using FullContact face a dual risk: the data they contribute to enrichment flows strengthens an identity graph that serves their competitors, and the data they consume carries provenance risk from broker and partner sources with unknown collection practices. The sensitive-inference data acknowledged in FullContact's privacy policy (health, religion, politics, citizenship) creates regulatory liability for any organization that ingests and acts on enriched records containing these attributes. For organizations whose customers or employees have profiles in the FullContact graph — which at 85% match rates likely includes most B2B professionals — the risk is passive. Their personal data, device identifiers, and behavioral attributes are being resolved, enriched, and distributed through FullContact's API and partner network without their direct knowledge or consent relationship with FullContact. The Identity Streme cooperative model means this data may be shared across organizational boundaries that the individual has no visibility into.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for FullContact

  • - Audit all FullContact API integrations to map which customer record fields are being enriched and from what sources - Assess regulatory exposure from sensitive-inference data categories (health, religion, politics) in enriched records - Review Identity Streme participation agreements to understand bidirectional data sharing obligations - Implement data provenance tracking for any FullContact-enriched fields in your CRM - Evaluate whether enriched records containing sensitive-inference data trigger GDPR Article 9 obligations in your jurisdiction

Negotiation Leverage

  • FullContact's acknowledged inclusion of sensitive-inference data (health, religion, politics, citizenship) in its identity graph is the primary negotiation lever. Under GDPR Article 9 and various US state privacy laws, processing this data requires explicit consent or a specific legal basis. Demand contractual warranties that enrichment responses will exclude sensitive-inference categories unless explicitly requested, and require documentation of lawful basis for each data source contributing to your enriched records.
  • For Identity Streme participation, negotiate strict controls on how your contributed data is used within the cooperative framework. Require transparency on which partners receive data derived from your customer records, implement contractual limits on downstream data use, and secure audit rights over the cooperative data flows. Demand data deletion SLAs that cover not just your direct records but any derived or enriched data that has propagated through the identity graph and partner network. The 900+ attribute depth means deletion must be comprehensive across all attribute categories.
Runtime Detections

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Identity Streme enables cross-organization data sharing using persistent Person IDs, synchronizing identity data across partner boundaries and enabling cross-domain identity resolution.

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

IOC Manifest

IOC Manifest

80 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.fullcontact.com/wp-content/themes/fc-theme/assets/js/components/canvi.js*
Tracking script
TRACK
*www.fullcontact.com/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js*
Tracking script
TRACK
*www.fullcontact.com/wp-content/plugins/seoai-client/assets/js/front.js*
Tracking script
TRACK
*www.fullcontact.com/wp-content/themes/fc-theme/theme.js*
Tracking script
TRACK
*platform.fullcontact.com/lib/fc-attribution.js*
Tracking script
TRACK
*www.fullcontact.com/cdn-cgi/challenge-platform/scripts/jsd/main.js*
Tracking script
TRACK
*www.fullcontact.com/cdn-cgi/challenge-platform/h/g/scripts/jsd/*/main.js*
Tracking script
TRACK
*tags.fullcontact.com/anon/fullcontact.js*
Tracking script
TRACK
*go.fullcontact.com/analytics*
Tracking script
TRACK
www.fullcontact.com/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js
Auto-extracted from scan
TRACK
www.fullcontact.com/wp-content/themes/fc-theme/assets/js/components/canvi.js
Auto-extracted from scan
TRACK
www.fullcontact.com/wp-content/themes/fc-theme/theme.js
Auto-extracted from scan
TRACK
platform.fullcontact.com/lib/fc-attribution.js
Auto-extracted from scan
TRACK
www.fullcontact.com/wp-content/plugins/seoai-client/assets/js/front.min.js
Auto-extracted from scan
TRACK
www.fullcontact.com/cdn-cgi/challenge-platform/scripts/jsd/main.js
Auto-extracted from scan
TRACK
tags.fullcontact.com/anon/fullcontact.js
Auto-extracted from scan
TRACK
www.fullcontact.com/cdn-cgi/challenge-platform/h/g/scripts/jsd/ea2d291c0fdc/main.js
Auto-extracted from scan
TRACK
go.fullcontact.com/analytics
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

FullContact sits at the center of a large identity data supply chain. Inbound data flows from data brokers (public records, private resellers), data partners (bidirectional exchanges), and public sources (APIs, research). Outbound data flows through the Enrich API (real-time identity append), Resolve API (cross-device resolution), and Identity Streme (cooperative partner sharing). Integration footprint includes Salesforce (CRM enrichment with 5+ MAIDs and hashed emails per record, claiming 60% increase in media reach), marketing automation platforms via Zapier, and custom integrations through their developer portal. The cooperative data sharing model via Identity Streme is particularly significant — it creates a network effect where each participating organization's data strengthens the graph for all participants, incentivizing data contribution and creating dependency on the FullContact identity infrastructure. The graph's coverage of 900+ attributes per person, sourced from multiple broker relationships, makes FullContact a primary data supply chain node for any organization using identity resolution or enrichment services.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

80 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details