The repository of email addresses and other
records would offer a gold mine of data for scammers
Security researchers have discovered a
humongous collection of email addresses and other data that was left sitting on
the internet with no protection whatsoever.
Bob Diachenko revealed late last week that he’d found an
unsecured MongoDB server with more than 808 million records that “were publicly
accessible for anyone with an internet connection”. The server was found to
belong to enterprise email validation company Verifications.io, which took the
database down soon after being alerted to the security lapse by Diachenko on
Friday, March 8. At the time of writing, the entire website of the little-known
business is offline.
Before long, cybersecurity company DynaRisk put the number of exposed records even higher. Its
investigation found four databases sitting out in the open, rather than ‘just’
one as per Diachenko’s findings. Instead of 150 gigabytes, the collection
weighed in at 196 gigabytes and comprised nearly 2.07 billion records.
What’s
in it for you?
The records included a smorgasbord of data,
primarily some 768 million email addresses. In many cases, the email addresses
came together with their owners’ names, social media accounts, phone numbers,
dates of birth, ZIP codes, as well as credit score information, mortgage
amounts, interest rates, and other data. Also exposed were names, revenues and
other business-specific data for a number of companies.
On the bright side, passwords, Social
Security numbers and credit card details were not included in the unsecured
MongoDB instance.
Diachenko said that he’d checked a sample of
the dataset against Troy Hunt’s Have I Been Pwned (HIBP) website, finding that,
unlike Collection #1, the records aren’t merely an aggregation
of data from previous leaks and breaches.
At any rate, such troves of data are useful
not only for marketing campaigns, but also for all manner of scammers, who
could leverage such information for social engineering campaigns.
Now that the data exposed by Verifications.io
have been added to Hunt’s database, you can go and check for yourself
any of your data was also impacted. More than a third of the email addresses are new to the database.
https://www.welivesecurity.com/2019/03/11/over-2-billion-records-exposed-marketing-firm/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29