Security researchers have disclosed the discovery of a publicly accessible MongoDB database that contained more than 808 million email addresses and other records in plain text. The database clocked in at 150GB in size, leaving a cache of data, including some personally identifiable information, exposed for anyone to access. The breach was linked back to an email verification service that has since taken its website offline.
The discovery was made by Security Discovery’s Bob Diachenko, who teamed up with NightLion Security’s Vinny Troia. According to a report detailing the leak, the database was discovered on February 25. In his post, Diachenko said, “Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection.”
The leak comprised 798 million email records, more than 4 million email addresses with phone numbers, and more than 6 million pieces of information identified as “businessLeads.” In total, more than 808 million records were left exposed in the database, which the researchers linked back to a website called Verifications.io.
Some information in those records included things like email, the user’s IP address, date of birth, zip code, address, gender, and phone number. The records were determined to be “a completely unique set of data,” according to the security experts.
The discovery was reported to Verifications.io, which then took its site offline. According to a screenshot of the service, it specialized in “enterprise email validation,” which apparently involved clients uploading lists of email addresses for validation. The company’s support responded to the researchers with confirmation that it had secured the database.
In the email, Verifications.io stated, in part, “After closer inspection, it appears that the database used for appends was briefly exposed. This is our company database built with public information, not client data.”
Diachenko expressed doubt about that claim, however, saying in his post:
…so why close the database and take the site offline if it indeed was “public”? In addition to the email profiles, this database also had access details and a user list (130 records), with names and credentials to access the FTP server to upload / download email lists (hosted on the same IP as the MongoDB). We can only speculate that this was not meant to be public data.