809 Million Records Exposed By Email Marketing Giant. No Bueno.


I'm suffering from Data Breach Fatigue, how about you?

It's a daily event, so only the monster breaches raise eyebrows. Unfortunately, we got one of those -- the discovery of a database which has been described as "perhaps the biggest and most comprehensive email database I have ever reported" by the researcher who uncovered the breach. Charlie Osborne at ZDNet broke the story, here is an extract with a link at the end.

According to Bob Diachenko, alongside security researcher Vinny Troia, the 150GB MongoDB instance in question contained four separate collections of data.

In total, Diachenko and Troia found 808,539,939 records, the largest collection of which was named "mailEmailDatabase," separated into three sections as below:

  • Emailrecords (798,171,891 records)
  • emailWithPhone (4,150,600 records)
  • businessLeads (6,217,358 records)

The information on offer was "more detailed than just the email address and included PII," the researchers say, with information relating to ZIP codes, phone numbers, physical addresses, email addresses, genders, user IP addresses, and dates of birth all available to anyone with an Internet connection.

After cross-referencing the database with records obtained from Troy Hunt's  HaveIBeenPwned database -- a collection of known leaks and exposures which can be used by visitors to find out if they have been involved in a data breach -- Diachenko was able to ascertain that the database was not just a bulk data dump of stolen information, such as in the case of the Collection 1 leak.

"Although not all records contained the detailed profile information about the email owner, a large number of records were very detailed," the researcher added.

The MongoDB instance did provide some clues as to whom the data may belong to -- namely, a company called "Verifications.io."

At the time of writing, the company's website is unavailable, but cached pages show that Verifications.io describes itself as an email marketing firm with a particular specialization in circumventing spam traps and hard bounces.

The researchers reported their findings to Verifications.io, which pulled its website offline in response. The database was also taken down on the same day. ZDNet has the whole ugly story. This is the kind of data that can be used for very high quality spear phishing attacks. No Bueno.


How many emails in your organization are exposed?

eecKnowBe4's Email Exposure Check Pro identifies the at-risk users in your organization by crawling business social media information and scouring hundreds of breach databases, many of them in the Dark Web. This is done in two stages: 

First Stage: Deep web searches find any publicly available organizational data so you can see what your organizational structure looks like to an attacker.

Second Stage: Finds any users that have had their account information exposed in any of several hundred breaches, using Have I Been Pwned. 

Your EEC Pro Reports: We will email you back a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed. 

Get your report now, it will only take a few minutes and is often an eye-opening discovery!

Get Your Free Report 

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Topics: Data Breach

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews