About 808 million emails with personal information were leaked online when a public MongoDB database was left without a password by Verifications.io, an “enterprise email validation service provider”.
The compromised data included dates of birth, email addresses, employers, genders, geographic locations, IP addresses, job titles, names, phone numbers and physical addresses of individuals.
The discovery was made by Bob Diachenko of SecurityDiscovery.com on February 25, 2019.
According to HaveIBeenPwned, an online service which detects and reports if your email has been part of a data breach:
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable. — HaveIBeenPwned
How does an enterprise email validation service like that of Verifications.io work?
- Someone uploads a list of email addresses that they want to validate.
- Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address.
- They do this by literally sending the people an email. If it does not bounce, the email is validated.
- If it bounces, they put it in a bounce list so they can easily validate later on.
For more information about this data breach, see Bob’s blog post.
To check if your email is part of a data breach, go to the HaveIBeenPwned website.