[BreachExchange] Email Validation Service Left 2 Billion Records Exposed Online

Destry Winant destry at riskbasedsecurity.com
Wed Mar 13 03:00:38 EDT 2019


Shortly after we reported about the Dalil app data leak, here comes
another similar report. Once again, researchers have found a leaky
MongoDB instance exposing millions of records. The database allegedly
belonged to an email validation service and the exposed records
included a huge number of emails and personally identifiable

Data Leak By Email Validation Service

Recently, Bob Diachenko, who has a history of spotting unsecured
MongoDB instances, has once again come across a leaky server. However,
this time, he found a massive database with explicit records.

As revealed in a blog post, Diachenko came across an unsecured MongoDB
instance of 150GB that had a huge number of emails. As per his

“This database contained four separate collections of data and
combined was an astounding 808,539,939 records.”

Inspecting further, he noticed a section named “mailEmailDatabase”
that had three folders with the records. There he found 798,171,891
email records, 4,150,600 emailWithPhone records, 6,217,358 records of
businessLeads. The data labelled as ‘emailrecords’ actually contained
personally identifiable information (PII).

Scratching the surface further revealed to him that the database
actually belonged to an email validation service ‘Verifications.io’.

He later also involved Vinny Troia (the individual who uncovered the
Exactis data leak), and then reported the matter to Verifications.io.
The service, while acknowledging his report, replied to him that the
database included ‘public data’ only. Nonetheless, the website has
since gone offline.

From Millions to ‘Billions’

Bob Diachenko stated that the data he came across was of 808 million
records. However, the cybersecurity firm DynaRisk later disclosed that
what Diachenko reported represented a fraction of the total leaked
data. According to DynaRisk’s report, Verifications.io actually exposed
2,069,145,043 records belonging to individual users and businesses in
four databases.

“Four databases were leaked, totaling over 196 gigabytes of personal
and professional information suitable for cyber criminals to launch

Like Diachenko, DynaRisk also elaborated how such data leaks could
trigger malicious activities.

“The lists can be used to target the people on it with phishing emails
and scams, telephone push payment fraud, and the data contains enough
information to enable tailored scams aimed at key staff who could be
targeted for CEO fraud or Business Email Compromise.”

The firm’s response to Bob Diachenko confirmed that they had
closed down the leaky database. Nonetheless, considering the
fluctuations in reports, and the drastic increase in the number of
exposed records, one can only hope not to hear any further troubling
developments in this matter.
