Verifications.io, an enterprise email validation service provider, recently suffered a data breach that exposed more than 800 million customers’ personal data. The incident came into light after the security researcher Bob Diachenko, who worked with fellow researcher Vinny Troia, identified and reported the data breach. Verifications.io stated that it immediately took the server down after Diachenko informed the data incident.
The researchers stated that they found an unprotected MongoDB server, owned by Verifications.io, containing a total of 150GB of data including approximately 808,539,939 records.
“On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII),” Bob Diachenko said in a blog post.
The researcher stated the server exposed personal information like, names, email addresses, phone numbers, physical addresses, gender, birthdates, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses. It’s also believed that other information related to sales leads including company names, annual revenue figures, fax numbers, company websites, Standard Industrial Classification and National Association of Insurance Commissioners codes were also exposed. The researchers clarified that no information related to social security or credit card numbers were exposed.
Also in January 2019, Bob Diachenko discovered an unprotected Elasticsearch server that exposed more than 24 million financial and banking documents online. The exposed server contained highly sensitive data of thousands of individuals who took mortgages over the past decade with the U.S. banks and other financial institutions.
The researcher stated that he identified the unprotected server on January 10, 2019, which contained 24,349,524 credit and mortgages reports in 51 GB size. The server was taken offline and the data was secured on January 15, 2019, after Diachenko reported the incident to the server’s vendor.