Email validation company exposes over 800 million records
An unprotected MongoDB database belonging to a marketing tech company exposed over 800 million records. The discovery was made by security researchers Bob Diachenko and Vinny Troia. The database, owned by the email validation firm Verifications.io, was taken offline the same day Diachenko reported it and the company website is currently inaccessible. The owner of the company and the legal name of the company are unknown as well as where is based.
According to security experts, the records were set to be a completely unique set of data. It contains data about individual consumers as well as what appears to be “business intelligence data,” like employee and revenue figures from various companies. Diachenko and Troia pointed out that it is impossible for them to find out whether anyone discovered and downloaded the Verifications.io data while it was fully exposed. The researchers validated samples of the data with companies listed as Verifications.io customers. The 150GB in size records include email addresses, phone numbers, business intelligence data, Facebook, Instagram and LinkedIn accounts, physical addresses, zip code, IP addresses, gender, first and last name, date of birth, personal mortgage amount, interest rate, people’s credit scores. The researchers also found Verifications.io’s own internal tools like test email accounts, the text of emails, anti-spam evasion infrastructure, hundreds of SMTP (email sending) servers, keywords to avoid, and IP addresses to a blacklist. All this information was publicly accessible for anyone with an internet connection.
In total, Diachenko and Troia found 808,539,939 records:
- emailrecords (798,171,891 records)
- mailWithPhone (4,150,600 records)
- businessLeads (6,217,358 records)
“As part of the verification process, I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another ‘collection’ of previously leaked sources but a completely unique set of data,” explained Diachenko in a blog post.
The question is how could this ever happen?
Verifications.io is the largest Enterprise Email Validation service provider. They validate the emails for their customers by validation service and send the result back to the customer about the valid and invalid email address. You should know that Validators play a very important role in the email marketing industry. Marketing firms don”t wont to take the risk to be blacklisted by spam filters and lowering their online reputation scores. Customer upload email lists to validation service for marketing and verification purposes. Validation service sends spam to someone as a test which validates the email. If spam is delivered, the email address is valid but if it bounces, the message is put in a bounce list so it can be easily validated later on. These messages have been stored in plaintext and without any form of protective encryption. It seems that Verifications.io retained data it received from customers after reckoning its email address checks.
As mentioned earlier, the Verifications.io company used MongoDB as a database service. Until MongoDB version 2.6.0 was released in 2014, the previous versions were network accessible by default. Most people are in the habit of using default database presets rather than securely configure their installations. Although MongoDB 2.6.0 and above can be accessed only by local connections, they would accept requests from remote connections because users did not set up restrictions. This security issue has led to MongoDB database breaches and the exposure of 445 million records in 2018.
From the above, we can conclude that both companies are responsible for this recent “Efail” incident. Verifications.io for storage of data obtained from customers and non-use of security measures and MongoDB for not making enough effort to resolve the security issue. IBM’s “2018 Cost of a Data Breach Study” reports” the global average cost of a data breach is up from 2017 by more than 6.4 percent, to a total of $3.86 million and the average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year.” Taking these numbers into consideration and the negative impact of a data breach in the loss of customers and brand trust, it is important that companies take immediate action to avoid a data breach altogether.
The severity of the security error in Verifications.io exposure does not seem so serious because the data like passwords, Social Security numbers or credit card numbers were not exposed, but when criminals get their hands on this kind of data collections, it makes it much easier for them to run social engineering attacks, use data in identity theft and expand their target pool.
Our personal information is shared, and sold by big companies and suspicious marketers or stolen from data giants. The truth is there is not a lot you can do to protect yourself when a huge depository of data compiled from both public and private sources leak. Email is unbelievably difficult to secure well. We use it for record keeping, scheduling, correspondence, and conversations. The PGP and S/MIME security protocols are complicated, outdated, and difficult to properly use all the time. We all live in a consumer society and as consumers, we find it very difficult to control who has our data and where it ends up. Currently, all we can do is continue to use strong, unique passwords, monitor our financial statements and be very careful to whom we are giving out Social Security number.
If you are interested to see if your data was in the Verifications.io exposure, check HaveIBeenPwned.
