Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 800 Million Emails Leaked Online By Email Verification Service (securitydiscovery.com)

Posted by BeauHD on from the out-in-the-open dept.

Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although, not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records.

In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.

60 comments

  1. MongoDB security is stupid by Anonymous Coward · · Score: 2, Informative

    the way you go about setting up users is unlike anything I've ever seen before. You also need to use --auth when starting the daemon just to enable authentication.

    *sigh*

    1. Re:MongoDB security is stupid by jellomizer · · Score: 4, Interesting

      There is a lot of stupid things about MongoDB. On the top of the list is actually a lack of an Official Open Source Good quality GUI tool to manage it.
      Sure it sounds silly and not a big deal, as anyone who knows MognoDB can run it from the command line... However the problem is most implementations of software is not from experts of the product, but from people using it for the first time.
      Here is how it goes.
      I have a project, I gather the specs, I find that a NoSQL database engine is a good fit. Now I try to do research on a NoSQL I see that MongoDB is the popular choice, figuring if the product grows, I can then find other resources who have experience in the engine later.
      So then I start the project... I have no prior experience with MongoDB, Now, I am not stupid, I follow the documentation to get it going, and I get it to a point where I can attach my code to it. However I am Naive my lack of experience makes me blind on what is happening, with this new tool. There are features I don't know about, security defaults which may be different from what I am use to, so even as a in general experienced developer, I make a lot of mistakes.

      Now tools like SQL Server Management Studio, pgadmin... gives me options to see what the product is doing, look at the setup and see what else I can be doing.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re: MongoDB security is stupid by Anonymous Coward · · Score: 0

      The art of hacking volume one

    3. Re:MongoDB security is stupid by olsmeister · · Score: 4, Funny

      that sounds oddly specific.

    4. Re: MongoDB security is stupid by Anonymous Coward · · Score: 0

      Treaty yeah, treaty now

    5. Re:MongoDB security is stupid by fluffernutter · · Score: 1

      I've always been able to use relational databases with an ORM layer to accomplish my goals. Am I missing anything by not using this or is this just hipster 'its too hard to learn more' kind of stuff?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    6. Re:MongoDB security is stupid by Anonymous Coward · · Score: 0

      You scare me and I don't want you to see what else you can be doing.

    7. Re: MongoDB security is stupid by Anonymous Coward · · Score: 0

      Hacking? The summary says they are 'Security Researchers ".

    8. Re: MongoDB security is stupid by Anonymous Coward · · Score: 0

      If your SQL schema is simple nosql does not offer any speed advantages. If it is complex, nosql is not easily apable of handling a changing schema. Ergo never use nosql.

    9. Re: MongoDB security is stupid by Anonymous Coward · · Score: 0

      Yes. So stupid. My introduction to this issue is when I was at a former company I connected to our production MongoDB from home and realized I was not on the VPN...

    10. Re:MongoDB security is stupid by Anonymous Coward · · Score: 0

      "On the top of the list is actually a lack of an Official Open Source Good quality GUI tool to manage it."

      What is stopping you from creating one? Go ahead and build it and then let everyone use it for free instead of complaining. Let me guess, if some enterprising individual (or company) decided to spend the couple thousand hours it might take to actually build one, and then tried to sell you a license for $10 or $20 that you would reject it.

      And that is why there's no good tool.

      The bad tools put people off.

    11. Re:MongoDB security is stupid by Anonymous Coward · · Score: 0

      It's a bit complicated and counterintuitive, but what database isn't? Setting up security correctly can be difficult in any software product.

      And personally I don't think "unlike anything I've ever seen before" is really a valid criticism. Yes, it may be different, but that doesn't mean it's bad. Set up a role, then map a user to a database through that role (all in JSON). After you've done it a few times, it's no big deal.

      And you're wrong about the --auth flag. It is trivially easy to enable authentication via /etc/mongod.conf.

      To me, this sounds like victim blaming. It is not a DB's fault if someone throws an unprotected DB onto AWS with millions of PII records. It's not even the sysadmins "fault" (although there is some culpability there). Obviously the business processes are at fault. People will make mistakes. That's why mature organizations put procedures in place.

    12. Re:MongoDB security is stupid by BringsApples · · Score: 1

      Your "how it goes", didn't go so well.

      --
      Politics; n. : A religion whereby man is god.
    13. Re:MongoDB security is stupid by doconnor · · Score: 1

      Anyone who knows enough to create one, doesn't need it any more.

    14. Re: MongoDB security is stupid by Anonymous Coward · · Score: 0

      You are missing the point. Security should be defaulted to on, not off

    15. Re:MongoDB security is stupid by Anonymous Coward · · Score: 0

      On the top of the list is actually a lack of an Official Open Source Good quality GUI tool to manage it.

      Compromise: https://www.adminer.org/

  2. !if by Anonymous Coward · · Score: 0

    Butt whan

    1. Re: !if by Anonymous Coward · · Score: 0

      Gwamm-r Naretzi

  3. Test Message by Anonymous Coward · · Score: 0

    admin.

    1. Re: Test Message by Anonymous Coward · · Score: 0

      Story Id: 353000
      Time: Feb 14
      Unix Id: 123456789

    2. Re: Test Message by Anonymous Coward · · Score: 0

      I see just like slashdot at mongoDB the left hand and the right hand have no idea what the other is doing

  4. Now arrest the reporter by The_Other_Kelly · · Score: 2

    Cue Corporate PR Release:

    "All of these problems have already been solved!

    Anyone who accesses a computer system without permission is a criminal.
    The poster did not have permission, so should now be arrested and prosecuted.

    As for the business, one cannot expect hard working business owners to be
    aware of every single little incident or problem.

    If there was ever a problem, which cannot be proven with incriminating evidence of intrusion,
    then it was merely a rogue employee failing to uphold the highest levels of data privacy,
    protection and regulation, which the company expects from all employees and agents.

    So nothing to see here, move on, keep quiet, keep smiling, ...
    Enjoy the fish."

    --
    (R)ule in Hell or (S)erve in Heaven [R]?
  5. Know what you are doing. by fluffernutter · · Score: 0

    All these companies have to do is know what they are doing. That's it. Why is that too hard to ask?

    On the other hand, why would any cloud provider not have several fail safes for a customer to go through in order to open a DB directly to the internet?

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:Know what you are doing. by Anonymous Coward · · Score: 3, Informative

      All these companies have to do is know what they are doing. That's it. Why is that too hard to ask?

      Well, why let a little thing like lack of technical competence stand in the way of a perfectly good business model?

      So many 'tech' companies these days seem to have no actual skills in the tech they purport to be experts in, and it really is time to have legal liability for shit like this.

      To me this is yet another example of a company who probably should never have been in the industry in the first place, because clearly putting an unsecured database wide open on the internet is a pretty stupid thing.

      I've pretty much reached the point where I have no choice but to assume that most tech companies are ran by morons, and refuse to trust them. Pretty much any online service has to be presumed to be utterly not secure.

    2. Re:Know what you are doing. by Anonymous Coward · · Score: 1, Informative

      Because they will never, ever, see a courtroom. They'll face no fines while deflecting any and all blame onto others.

      Welcome to unchecked capitalism.

    3. Re: Know what you are doing. by Anonymous Coward · · Score: 0

      Well said.

    4. Re:Know what you are doing. by Anonymous Coward · · Score: 0

      And socialism would fix this how?

    5. Re:Know what you are doing. by fluffernutter · · Score: 1

      Socialism weighs the punishment for the corporation by the true human cost with no regard given to the financial health of said business afterwards.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  6. Email Validator? by kackle · · Score: 2

    What is "email validation" primarily used for; legitimate purposes, or spamming?

    1. Re:Email Validator? by Zocalo · · Score: 5, Informative

      Almost universally, they're bottom feeders in the spam world. They purport to take email lists from customers and filter out the defunct ones, which they basically do by a combination of looking for accepted RCPT TOs when connecting to a mail server, or actually sending an email and seeing which addresses get bounced. This is something that any legit operation with a proper sign up process and using legimate mail service providers should be easily capable of handling automatically because they'd know every email on the list was valid from a confirmed opt-in and could remove any that repeatedly give an SMTP 5xx (hard fail) on delivery attempts (with some wiggle room for misconfigured servers/full mailboxes giving 5xx hard fails instead of 4xx transient fails). It's also a neat email address harvesting method for spammers; set up a verification service, wait for people (mostly other spammers) to send you their mailing lists for list washing, add them to your own lists, and then spam away and/or re-sell them on the dark web to other spammers.

      As an aside, I have quite a number of these services hard-coded to 5xx regardless of the validity of the email they are testing in my mail server config. So far I've not noticed any legit mailing list I've actually signed up to stop working as a result, but I have noticed a fairly significant drop in the amount of spam I'm getting, which seems like a pretty good indication of who their primary customers are as well.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re: Email Validator? by Anonymous Coward · · Score: 0

      Anyone that spells stupid that that more than once does not get much credibility when talking about stupid things.

    3. Re:Email Validator? by kackle · · Score: 1

      Interesting and informative; thank you.

  7. Re: The art of jacking by Anonymous Coward · · Score: 0

    Off

  8. A lot of errors by grumpy-cowboy · · Score: 1

    - Unencrypted sensitive information
    - Opened database port on the internet (I suppose)
    - Probably weak user/password (ex: mongo/mongo)
    - They sent spams to verify email. Unsollicited emails are illegals in many countries (at least in Canada)
    - MongoDB

    --
    Will $CURRENT_YEAR be the year of the Linux Desktop?
  9. Repercussions??? by Poison.Pill · · Score: 1

    Is it just me, or should their be both Civil and Criminal penalties for companies who do crap like this?? Sure, it hurts them in the public eye, but then the public moves on to tornados in the south, drought in the west, or something the orange man did.

  10. "Security Researchers" by Anonymous Coward · · Score: 0

    Is there an accreditation organisation these fellows belong to?

  11. I"m starting to wonder if these are deliberate by TigerPlish · · Score: 2

    Yes, I know, cockup before conspiracy. Yet I can't help but wonder if these leaks are orchestrated by insiders in the company to accomplish some goal.

    1. Scrape data
    2. Put it up for easy discovery
    3. ???
    4. Profit.

    Step 3 is what I can't figure out.

    --
    The "Civilized World" jumped the shark ca. 1973.
    1. Re:I"m starting to wonder if these are deliberate by Ol+Olsoc · · Score: 1

      Yes, I know, cockup before conspiracy. Yet I can't help but wonder if these leaks are orchestrated by insiders in the company to accomplish some goal.

      1. Scrape data 2. Put it up for easy discovery 3. ??? 4. Profit.

      Step 3 is what I can't figure out.

      Aliens?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:I"m starting to wonder if these are deliberate by Anonymous Coward · · Score: 0

      Step 3 involves downloading the data from outside the company and selling it.

    3. Re:I"m starting to wonder if these are deliberate by TigerPlish · · Score: 1

      Step 3 involves downloading the data from outside the company and selling it.

      Too obvious. Can't have it be tied back to the inside agent. Has to be laundered somehow. Someone is making money on this, guaranteed. Can't figure out how.

      --
      The "Civilized World" jumped the shark ca. 1973.
  12. MongoDB is web scale by ben_kelley · · Score: 2

    C'mon someone had to say it!

    1. Re:MongoDB is web scale by Anonymous Coward · · Score: 0

      If it was good enough for Healthcare.gov, it should be good enough for every single database instance. Who needs triggers, indexes, transactions, rollbacks, and referential integrity? Take that, Oracle!

    2. Re:MongoDB is web scale by Anonymous Coward · · Score: 1

      But /dev/null has even better write benchmarks!

  13. Email Harvester by Anonymous Coward · · Score: 0

    When asking for an email address is not justified, always use throwaway valid fake email addresses like admin or postmaster @<website> and similar and if feeling merciful spam@<website>
    When rarely fails then pick a variation with gmail.com.
    Done.

  14. You think that's bad? Look at Constant Contact by Anonymous Coward · · Score: 0

    So you think this company was stupid for not securing thei mongo db ?

    Take a look at Constant Contact's "security" model.

    First and foremost they "outsource" their API ti Tibco which is already a giveaway of their technical proficiency. They use Tibco Mashery to deploy their API, but instead of implementing a short lived Access Token with Renewal Token Logic, they issue a 10 YEAR Access Token (ATK) through their development portal and there is no electronic way of revoking it !!!

    AFAICT their API has no ACL for the API access itself so if the token is leaked, anyone with the app_key could do any operation on that account, this includes downloading the client lists, creating campaigns and sending mass emails through the hacked account:

    http://developer.constantcontact.com/docs/developer-guides/overview-of-api-endpoints.html

    The only way to revoke the ATK is by sending a request to Constant Contact support, and they've acknowledged this publicly since 2014:

    https://community.constantcontact.com/t5/Authentication-and-Access-ie-401/Regenerate-Access-Token/td-p/225628

    Not to mention that Tibco Mashery DOES provide an API to revoking a token but Constant Contact decided not to implement it:

    https://support.mashery.com/docs/read/mashery_api/20/oauth_supporting_methods/methods/revokeAccessToken

    Bear in mind that projects involving constant contact are usually done by Web Designers (a.k.a. Web "Programmers") who in turn outsource the development in whole or in part to resources in India, China, Russia or wherever, so these tokens travel through unencrypted email and are also stored in file servers and code repositories. Just imagine how many of these tokens are out there in the wild since Constant Contact is one of the more popular options for spamming, or should I say " email campaigning".

    All this is shamefully public, and they just done't seem to care or maybe they don't even understand it! Somewhere in Constant Contact's documentation it says that they moved to OAuth 2 to replace the "old" HTTP Basic Authentication scheme for better security.

    Anyway I've always found that all these "modern" authentication schemes (OAuth, SAML and even JWT) still pale in comparison with "legacy" yet truly secure authentication/authorization protocolos such as the 1993 rfc2617 (the original version that uses MD5) is probably still today WAY more secure than most OAuth 2 implementations in the wild today.

    I mean, seriously?? How does an api_key / ATK pair differ from user/password?? and how does THAT differ from HTTP BASIC AUTH ??

    But that's not the worse part. PC Magazine recently evaluated Constant Contact and even THEY did not pick up on this horrible security flaw:

    https://www.pcmag.com/article2/0,2817,2474133,00.asp

    Honestly we are evermore appalled at the stuff we are finding nowadays. People somehow think that "token" is somehow more secure that "password", and we are generally finding that companies are evermore completely ignorant on very obvious security flaws like these.

  15. Email Validation by Maximus23 · · Score: 1

    From the Article "They do this by literally sending the people an email. If it does not bounce, the email is validated." This is not always accurate. I work for an email security company, and our recommendation for incoming messages, if the email address isn't valid, mail sink the messages, and don't give any notification. Optionally, have a second rule that's applied to business partners to bounce messages to let them know they got the wrong address, and bounce at that point.

    1. Re:Email Validation by Anonymous Coward · · Score: 0

      This is not always accurate. I work for an email security company, and our recommendation for incoming messages, if the email address isn't valid, mail sink the messages,

      I hope you check properly that the email addresses are valid.

      It is a common programming mistake - people try to write a regex to validate if an email address is valid and fail miserably at it.

      I have used outsourced mass email services that reject perfectly valid email addresses that mainstream MTAs (sendmail, postfix, exchange) have no problem with.

  16. Also had to be said: by Toad-san · · Score: 2

    "Mongo only pawn in game of life."

  17. Apply GPDR by Eric.pl · · Score: 2

    If any of these emails come from Europe, apply GPDR. Fine the company (€20 million or 4% of global annual turnover for the preceding financial year) and reduce our taxes accordingly

    1. Re:Apply GPDR by Anonymous Coward · · Score: 0

      For all of the hefty fines the GPDR is reported to have the power to levy, where are the articles documenting all of the incompetent and/or dirty companies that have violated said privacy laws?

      Does the GPDR really do anything other than being responsible for the annoying and totally pointless "We store cookies, OK?" popups?

  18. Who cares? by DatbeDank · · Score: 1

    It's just email addresses. My spam filter works so well, I doubt anyone of them will get through.

    And if one does, I block it. No big deal .

    Not a big deal.

  19. Devs don't know what they're doing by ilsaloving · · Score: 2

    MongoDB is a great example of a product that is popular, not because it's good, but because it's easy for developers to get up and running when they don't have the skills to do anything else.

    And this is bad, because it has enabled developers to do things that they don't even understand, let alone do it properly, and this article (and the many similar articles that have come before it) are the logical conclusion whenever you make a technology available that enables the unskilled.

    And it doesn't stop there. They made MongoDB easy for the the developer, and *only* for the developer. Anyone down the line that may need access to the data is completely screwed unless they a) are also a developer, and b) have the time to write their own app just to interact with the database.

    IMO MongoDB, and similar database systems, and the single worst step backwards that modern technology has ever accomplished. It has bypassed almost 50 years of hard won database knowledge, and developers are sucking it up cause it lets them ignore the management of their entire data layer.

    1. Re:Devs don't know what they're doing by ledow · · Score: 1

      Letting developers bypass normal network management procedure is a real dumb idea.

      The core blame is not that of the product, but of the lack of respect given to its deployment. A developer shouldn't BE ABLE to just create an database instance and expose it to the entire Internet, of anything that you run on a huge service like that.

      Testing should be internal and isolated. Production should go through the normal channels of approval. And a network management team should be making sure they aren't reliant on a MongoDB instance, publicly visible, without a password.

      I don't expect developers to do that side. I don't believe that *they* honestly suspect that system should have gone live like that. Developers aren't there to protect your network, database managers aren't there to configure your firewall, and network managers aren't to patch your code when it doesn't compile.

      The failing here is not in the choice of database, or developer laziness, but a complete, absolute 100% disregard for any kind of data protection, network management, deployment strategy or testing. On what's supposed to be a pay-for service, on a large company, with some kind of integrity and verification services being offered.

      The developer who did that is probably LONG gone. That it wasn't noticed, fixed, caught in testing / deployment, etc. is the problem.

      You can run a major website off SQLite if you like. It barely matters if only you are ever intending to see that, and deal with the consequences of that decision. What you can't do is then just leave the underlying database live on the web for all to see.

    2. Re:Devs don't know what they're doing by Anonymous Coward · · Score: 0

      As you said, it's only an example. Make it so monkies can code, you get monkey code. Doh.

  20. I Pity Inanimate Objects Because They Cannot Move by Anonymous Coward · · Score: 0

    Of course I'd reject paying for it. data wants to be free. it told me itself.

  21. blame the rent-duh-k0d3rz by Anonymous Coward · · Score: 0

    its the rent-duh-k0d3rz putting the shit up there, thats whom to blame. most k0d3rz are incompetent and can't think beyond the next step.