Security researchers Bob Diachenko and Vinny Troia have decided to go public with their discovery that an email marketing company exposed 809 million records. Unfortunately, these incidents are a recurring issue in the online world.
Email Marketing Company Exposes a Database Trove
Last week, the pair discovered an unsecured and publicly accessible MongoDB database containing 150 gigabytes of explicit, plaintext marketing data. The database included information about individual consumers and business intelligence data, more specifically, employee and revenue numbers from various companies. The data included 763 million unique email addresses. Verifications.io took down the database once the news broke.
Email validators have a very important role to play in the email marketing industry. They neither send marketing emails on their own behalf nor facilitate automated mass email campaigns. Their job is to go through a customer’s mailing list and make sure that the email addresses on it are valid. Verifying that an email address works involves sending a message to the address and then confirming that it was delivered. This eventually ends up spamming people.
Troia, founder of the firm Night Lion Security, says: “Companies have email lists and want to start emailing them, but they’re not sure how valid they are. So, they go to a company that will essentially send out spam.”
According to Troia, the database may be so big and varied because it includes all of Verifications.io’s customers’ data. According to Diachenko and Troia, there is no way to know whether anyone discovered and downloaded the Verifications.io data. Troia continued: “I have no idea if anyone else accessed this besides us. But, it was definitely out there for anyone to grab.”
Exposed Data: 809 Million Records
The exposed data of 809 million records included information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and characterizations of people’s credit scores.
However, other records in the collection were business-related, such as company names, annual revenue figures, fax numbers, company websites, and industry identifiers for categorizing companies called “SIC” and “NAIC” codes. The researchers also found Verifications.io’s own internal tools. These included test email accounts, hundreds of SMTP servers, the text of emails, anti-spam evasion infrastructure, keywords to avoid, and IP addresses.
What Wasn’t in the Exposed Records?
The exposed data did not contain Social Security numbers or credit card numbers. As a matter of fact, the only passwords in the database are for Verifications.io’s own infrastructure. Most of the data gathered from various sources are now available to the public. Cybercriminals find it easier to run new social engineering scams or expand their target pool when they have valuable data in their possession.
Troy Hunt’s Take on the Incident
Security researcher Troy Hunt is adding the Verifications.io data to his service, HaveIBeenPwned, which helps people check whether their data has been compromised. Hunt even claims that some of his own information is included in the Verifications.io exposure. This is what he had to say:
“The main takeaway for me is that this is just another case where someone has my data and hundreds of millions of other people’s data. I’ve absolutely no idea how they got it. I’d never heard of the company until now. I certainly can’t ever recall consenting to their use of my data. Of course, it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion. But, that’s not really consistent with my expectations of how my data should be used.”
Verifications.io Data Exposure – Final Words
People’s private information is being shared by Facebook, data is being stolen, and online threats just keep on rising. Do you have any idea who has your data online and what they’re doing with it? No! How would you? You barely have control over how much the internet gets to know about you, and the exposed Verifications.io data just goes to show the degree of chaos in the data industry. Protect your sensitive data online by taking advantage of these privacy tools.