- Two security researchers have uncovered a database with 763 million email addresses and other data that was left unprotected.
- The database owner was contacted, and security patches have been deployed to resolve the issue.
- Despite the patch, the database was exposed for months and hackers may have already stolen the data for social engineering activity.
Security researchers Bob Diachenko and Vinny Troia uncovered a MongoDB database that contained 150GB of data, including plaintext marketing data and 763 million email addresses. The researchers made the information public today on the Security Discovery blog. The emails are owned by the email validation firm Verifications.io, which was taken down on the day Diachenko reported it to the marketing company.
Email validators are crucial to marketing companies because they are responsible for ensuring that contact lists are valid, and the only way to check if an address is valid is by sending emails. Marketing firms outsource the work to these companies so that they do not get blacklisted for spam themselves. In addition to the email profiles, the leaked database also held access details and a user list with names and credentials for an FTP server used to upload and download email lists, which were also hosted on MongoDB.
A total of 809 million records were found in the Verifications.io trove, which also included phone numbers, addresses, names and, in some cases, social media links. Sensitive data such as social security numbers or credit card numbers was not leaked. However, even though the data is not harmful by default, cybercriminals who gain access to it may use it for social engineering scams.
After being contacted, the email marketing company said that it had patched the security problems in the database and that users should no longer be affected. However, the data was already publicly available. Very little is known about Verifications.io, and with the websites taken down there is no way to track down the operators.