Over 2 billion records exposed by email marketing firm


The repository of email addresses and other records would offer a gold mine of data for scammers.

Security researchers have discovered a humongous collection of email addresses and other data that was left sitting on the internet with no protection whatsoever.

Bob Diachenko revealed late last week that he’d found an unsecured MongoDB server with more than 808 million records that “were publicly accessible for anyone with an internet connection”. The server was found to belong to enterprise email validation company Verifications.io, which took the database down soon after being alerted to the security lapse by Diachenko on Friday, March 8. At the time of writing, the entire website of the little-known business is offline.

Before long, cybersecurity company DynaRisk put the number of exposed records even higher. Its investigation found four databases sitting out in the open, rather than ‘just’ one as per Diachenko’s findings. Instead of 150 gigabytes, the collection weighed in at 196 gigabytes and comprised nearly 2.07 billion records.

What’s in it for you?

The records included a smorgasbord of data, primarily some 768 million email addresses. In many cases, the email addresses came together with their owners’ names, social media accounts, phone numbers, dates of birth, ZIP codes, as well as credit score information, mortgage amounts, interest rates, and other data. Also exposed were names, revenues and other business-specific data for a number of companies.

On the bright side, passwords, Social Security numbers and credit card details were not included in the unsecured MongoDB instance.

Diachenko said that he’d checked a sample of the dataset against Troy Hunt’s Have I Been Pwned (HIBP) website, finding that, unlike Collection #1, the records aren’t merely an aggregation of data from previous leaks and breaches.

At any rate, such troves of data are useful not only for marketing campaigns, but also for all manner of scammers, who could leverage such information for social engineering campaigns.

Now that the data exposed by Verifications.io have been added to Hunt’s database, you can go and check for yourself whether any of your data was also impacted. More than a third of the email addresses are new to the database.

written by Tomas Foltyn, ESET We Live Security
