Over 800 Million Emails Leaked Online By Email Verification Service (securitydiscovery.com)
Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although not all records contained the detailed profile information about the email owner, a large number of records were very detailed. We are still talking about millions of records.
In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.
the way you go about setting up users is unlike anything I've ever seen before. You also need to use --auth when starting the daemon just to enable authentication.
*sigh*
Well, why let a little thing like lack of technical competence stand in the way of a perfectly good business model?
So many 'tech' companies these days seem to have no actual skills in the tech they purport to be experts in, and it really is time to have legal liability for shit like this.
To me this is yet another example of a company who probably should never have been in the industry in the first place, because clearly putting an unsecured database wide open on the internet is a pretty stupid thing.
I've pretty much reached the point where I have no choice but to assume that most tech companies are run by morons, and refuse to trust them. Pretty much any online service has to be presumed to be utterly not secure.
Because they will never, ever, see a courtroom. They'll face no fines while deflecting any and all blame onto others.
Welcome to unchecked capitalism.
Almost universally, they're bottom feeders in the spam world. They purport to take email lists from customers and filter out the defunct ones, which they basically do by a combination of looking for accepted RCPT TOs when connecting to a mail server, or actually sending an email and seeing which addresses get bounced. This is something that any legit operation with a proper sign up process and using legitimate mail service providers should be easily capable of handling automatically because they'd know every email on the list was valid from a confirmed opt-in and could remove any that repeatedly give an SMTP 5xx (hard fail) on delivery attempts (with some wiggle room for misconfigured servers/full mailboxes giving 5xx hard fails instead of 4xx transient fails). It's also a neat email address harvesting method for spammers; set up a verification service, wait for people (mostly other spammers) to send you their mailing lists for list washing, add them to your own lists, and then spam away and/or re-sell them on the dark web to other spammers.
As an aside, I have quite a number of these services hard-coded to 5xx regardless of the validity of the email they are testing in my mail server config. So far I've not noticed any legit mailing list I've actually signed up to stop working as a result, but I have noticed a fairly significant drop in the amount of spam I'm getting, which seems like a pretty good indication of who their primary customers are as well.
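The two techniques the comment above describes, as an added example that is not part of the story or of any commenter's post: on the sending side, classifying SMTP replies from a delivery or RCPT TO log and dropping an address only after repeated 5xx hard failures (with the "wiggle room" for mailbox-full replies, which carry enhanced status X.2.2 per RFC 3463 even when returned as a 5xx); and on the receiving side, a Postfix policy-delegation handler that answers 5xx at RCPT stage to any client whose hostname matches a list of verification services, regardless of whether the recipient exists. The log lines, addresses and the verifier hostnames (`verify-example.test`, `listwash-example.test`) are constructed for this example; the policy-protocol framing (`attribute=value` lines terminated by a blank line, answered with `action=...` and a blank line) is Postfix's documented `check_policy_service` format.

```python
import re
from collections import defaultdict

# RFC 5321 reply line: 3-digit code, space or '-' (multi-line), optional
# RFC 3463 enhanced status code such as 5.1.1, then free text.
REPLY_RE = re.compile(
    r"^(?P<code>[2-5]\d\d)[ -](?:(?P<esc>[245]\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$"
)


def classify_reply(line):
    """Classify one SMTP reply line as 'ok', 'transient', 'hard' or 'unknown'.

    The wiggle room the comment mentions: a 5xx whose enhanced status is
    X.2.2 (mailbox full) is treated as transient, because a full mailbox
    usually empties again and is not evidence that the address is dead.
    """
    m = REPLY_RE.match(line.strip())
    if not m:
        return "unknown"
    first = m.group("code")[0]
    esc = m.group("esc") or ""
    if first == "5" and esc.endswith(".2.2"):
        return "transient"
    return {"2": "ok", "3": "ok", "4": "transient", "5": "hard"}[first]


def wash(log, hard_fail_threshold=3):
    """Sender-side list washing over a chronological (address, reply) log.

    An address is marked 'remove' once it accumulates `hard_fail_threshold`
    hard failures without an intervening acceptance; any 2xx resets the
    count. Transient (4xx, or 5xx mailbox-full) replies never count.
    Returns {address: 'keep' | 'remove'} in first-seen order.
    """
    hard_count = defaultdict(int)
    seen = {}
    for addr, reply in log:
        seen.setdefault(addr, None)
        kind = classify_reply(reply)
        if kind == "ok":
            hard_count[addr] = 0
        elif kind == "hard":
            hard_count[addr] += 1
    return {a: ("keep" if hard_count[a] < hard_fail_threshold else "remove") for a in seen}


# Constructed delivery log: one tuple per delivery/RCPT TO attempt.
SAMPLE_LOG = [
    ("alice@example.test", "250 2.1.5 Ok"),
    ("bob@example.test", "550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown"),
    ("bob@example.test", "550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown"),
    ("bob@example.test", "550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown"),
    ("carol@example.test", "452 4.2.2 Mailbox full, try again later"),
    ("dave@example.test", "552 5.2.2 Mailbox full"),   # 5xx that is really transient
    ("dave@example.test", "552 5.2.2 Mailbox full"),
    ("dave@example.test", "552 5.2.2 Mailbox full"),
    ("erin@example.test", "550 5.1.1 User unknown"),   # one hard fail, then accepted
    ("erin@example.test", "250 2.1.5 Ok"),
]

# Receiving side. Hypothetical verifier domains; a real deployment would
# maintain this list from its own logs.
VERIFIER_NAME_RE = re.compile(r"(^|\.)(verify-example\.test|listwash-example\.test)$")


def policy_response(request_text):
    """Answer one Postfix policy-delegation request.

    Parses the attribute=value block (terminated by an empty line). If the
    connecting client's reverse name matches a verifier domain and we are at
    RCPT stage, reply 550 so the probe learns nothing about the recipient;
    otherwise DUNNO lets the rest of the restriction list decide.
    """
    attrs = {}
    for line in request_text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    client_name = attrs.get("client_name", "").lower()
    if attrs.get("protocol_state") == "RCPT" and VERIFIER_NAME_RE.search(client_name):
        return "action=550 5.7.1 Recipient verification not offered\n\n"
    return "action=DUNNO\n\n"


if __name__ == "__main__":
    for addr, decision in wash(SAMPLE_LOG).items():
        print(f"{decision:6} {addr}")
```

Running the block prints the keep/remove decision per address; only `bob@example.test` is removed, since `dave@example.test` only ever returned mailbox-full and `erin@example.test` was accepted after a single hard failure. The policy handler is wired into Postfix with `check_policy_service` in `smtpd_recipient_restrictions`; the reply it gives is the same whether or not the recipient mailbox exists, which is the point.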
UNIX? They're not even circumcised! Savages!