The number of records exposed online by an email list-cleaning service in February may be far higher than originally anticipated, according to experts. The number of records available for anyone to download in plaintext from a breach at Verifications.io may have been closer to two billion.
Security researcher Bob Diachenko, who found the exposed data and worked on the breach investigation with research partner Vinny Troia, originally explained that on 25 February 2019, he discovered a 150Gb MongoDB instance online that was not password protected. There were four separate collections in the database. The largest one contained 150Gb of data and 808.5 million records, he said in his blog post on the discovery. This included 798 million records that contained users’ email, date of birth, gender, phone number, address and Zip code, along with their IP address. He then did some due diligence: As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database. Based on the results, I came to conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data. Exposed MongoDB instances don’t always clearly indicate who uploaded them, but Diachenko’s research turned up a likely suspect: Verifications.io. This company, which has now taken down its website, offered what it called enterprise email validation services, along with free phone number lookup. The service enabled mass emailers to clean their email lists, removing what it called ‘hard bounces’. This enables those with large email lists to verify which ones are real.