[BreachExchange] Insecure Database Leads to Over 800 Million Records Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Mar 11 10:12:52 EDT 2019


An unprotected 140+ GB MongoDB database led to the discovery of a huge
collection of 808,539,939 email records, with many of them also
containing detailed personally identifiable information (PII).

The large database, discovered by security researcher Bob Diachenko,
comprised four separate collections of records, the biggest one named
mailEmailDatabase and organized into three folders:

Emailrecords (count: 798,171,891 records)
emailWithPhone (count: 4,150,600 records)
businessLeads (count: 6,217,358 records)

The Emailrecords folder, which included the most records, contained the
last name, date of birth, email, phone number, zip code, address,
gender, and IP address for each separate entry.

Diachenko cross-checked a selection of random records from the
database against the HaveIBeenPwned database of leaked records
maintained by Troy Hunt and found that they were not part of any
previous leak, concluding that this was a new and unique set of data.

During the verification process, the researcher also tried to pinpoint
the owner of the exposed MongoDB instance and, eventually, managed to
discover a possible owner in Verifications IO LLC, a company which
advertised "enterprise email validation" services on its website.

Before finding the firm's website and the services it provided,
Diachenko thought that the database was used to provide targets for
spam campaigns because "The database(s) included email accounts they
use for sending mail as well as hundreds of SMTP servers, email, spam
traps, keywords to avoid, IP addresses to blacklist, and more."

However, it all made sense after pairing up with Vinny Troia, owner of
NightLion Security, for more research and finding out that
Verifications IO LLC validated emails in bulk for companies that wanted
to remove the addresses that weren't active from their newsletter

Following his report, the company took down its website and the leaked
database, and also issued a statement which said that the roughly 800
million records left in the open were "built with public information,
not client data."

According to Diachenko, the company moved very fast to correct their
mistake, taking down the exposed data during the same day following his

Besides the hundreds of millions of records containing personally
identifiable information (PII), the unprotected database also
contained "access details and a user list of (130 records), with names
and credentials to access FTP server to upload / download email lists
(hosted on the same IP with MongoDB)."
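The root cause described above is a MongoDB instance that was reachable
from the internet and answered queries without any authentication. The
script below is an added example, not code from the article or from any
of the parties it names: it audits a mongod.conf for the two settings
that produce exactly that exposure, net.bindIp (or net.bindIpAll) set to
listen on every interface, and security.authorization left at its
default of disabled. The configuration texts are constructed samples,
the parser assumes the flat "section:\n  key: value" YAML layout that
mongod.conf uses for these keys, and the defaults it falls back on
(localhost-only binding since MongoDB 3.6, authorization disabled) are
MongoDB's documented defaults.

```python
"""Audit a mongod.conf for settings that leave an instance open to anyone
who can reach its port: listening on all interfaces with server-side
authorization disabled. Added example; constructed sample configs."""

from typing import Dict, List

# Constructed sample: the kind of config behind an "unprotected" instance.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable on every interface
"""

# Constructed sample: loopback plus one private address, auth required.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app network
security:
  authorization: enabled
"""

EXPLANATIONS = {
    "BIND_ALL_INTERFACES": "net.bindIp/bindIpAll listens on every interface; "
                           "any host that can route to the port can connect",
    "AUTH_DISABLED": "security.authorization is not 'enabled'; any client "
                     "that connects can read and write every collection",
}


def parse_flat_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse two-level 'section:\\n  key: value' YAML into nested dicts.
    Comments and blank lines are dropped. This covers the net and
    security sections of mongod.conf and deliberately nothing more."""
    config: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            config.setdefault(section, {})
            if value:                          # scalar at top level
                config[section]["__value__"] = value
        elif section is not None:
            config[section][key] = value
    return config


def _split_addresses(value: str) -> List[str]:
    """Accept 'a,b', '[a, b]' and quoted forms; return bare addresses."""
    value = value.strip().strip("[]")
    return [a.strip().strip("'\"") for a in value.split(",") if a.strip()]


def audit_mongod_conf(text: str) -> List[str]:
    """Return finding codes in fixed order; an empty list means both
    checks passed."""
    cfg = parse_flat_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings: List[str] = []

    # MongoDB 3.6+ binds to localhost only when bindIp is absent.
    addresses = _split_addresses(net.get("bindIp", "127.0.0.1"))
    bind_all = net.get("bindIpAll", "").strip().strip("'\"").lower() == "true"
    if bind_all or any(a in ("0.0.0.0", "::") for a in addresses):
        findings.append("BIND_ALL_INTERFACES")

    # Authorization is disabled unless explicitly enabled.
    authz = security.get("authorization", "disabled").strip().strip("'\"")
    if authz.lower() != "enabled":
        findings.append("AUTH_DISABLED")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not findings else ''}")
        for code in findings:
            print(f"  {code}: {EXPLANATIONS[code]}")
```

Both findings together are the article's scenario: a listener on every
interface with no credentials required. Fixing only one of them is not
enough; an instance bound to a public address with authorization enabled
still exposes the service to password attacks, and one bound to
localhost without authorization is still readable by anything running on
that host, including the FTP service the article notes shared the same
IP.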

The number of data breaches saw a 424% increase in 2018

The number of verified data breaches throughout 2018 went up to 12,449
incidents, which translates into a 424% increase when compared to the
previous year.

Also, roughly 47% of all compromised records were exposed in breaches
experienced by organizations from the United States and China.

However, even though the number of breaches saw a strong boost during
last year, the average breach size actually decreased to 216,884
records, 4.7 times smaller than in 2017.

In 2018 the data breach landscape also saw a notable 71% increase in
underground activity, with approximately 14.9 billion unprocessed
stolen identity records being circulated among cybercriminals,
although only 3.6 billion of them were authentic and did not overlap
with other records.
