The Verifications.io breach is one of the largest data breaches on record, but the good news is that it does not involve passwords.
Another day, another data breach; this time the email validation service Verifications.io has leaked a humongous database containing personal and sensitive records of more than 2 billion individuals around the world.
Verifications.io breach – What happened
It all began on March 7, 2019, when Security Discovery’s researcher Bob Diachenko published a blog post reporting that he discovered an unsecured 150GB MongoDB database tracked back to Verifications.io containing more than 800 million (808,539,939) records.
Diachenko then teamed up with Troy Hunt of HaveIbeenPwned (HIBP), and after analyzing the database they revealed that it contained sensitive details such as names, physical addresses, phone numbers, email addresses, dates of birth, gender, employers, geographic location, IP addresses, and job titles.
Diachenko broke down the data as:
- Emailrecords (count: 798,171,891 records)
- emailWithPhone (count: 4,150,600 records)
- businessLeads (count: 6,217,358 records)
Although the leaked data did not include passwords, Hunt, on behalf of HIBP, informed millions of victims through email on March 10th, 2019. Diachenko, on the other hand, informed Verifications.io about the breach, and since then the Verifications.io domain has been offline.
Leaked data is 2 billion not 800 million
While it was believed that the exposed data contained 800 million records, DynaRisk, a UK-based cybersecurity company, revealed that the actual leaked data is far larger than previously anticipated. In fact, the company’s CEO Andrew Martin told SC Media that the MongoDB server actually exposed four databases, not one, and that the actual amount of exposed data is 2 billion (2,069,145,043) records, not 800 million.
Martin further explained that their security researchers conducted their own investigation, revealing that the compromised servers were set up in Miami and that the size of the database was 196GB, not 150GB. What’s worse is that the other three databases contained additional user data, including characteristics such as credit scores, interest rates, personal mortgage amounts, and email addresses linked to their social media profiles on Facebook, Instagram and LinkedIn.
Furthermore, none of the data was encrypted which means that it could be a treasure trove for state-sponsored hackers and cybercriminals.
“Our analysis was conducted over all four databases and extracted over two billion email addresses. The additional three databases were hosted on the same server, which is no longer accessible,” Martin told The Register.
If you have received an email notification from HaveIbeenPwned about the presence of your records in the exposed database, you should be concerned, as it can serve as a goldmine for hackers, phishers, cybercriminals and those involved in identity theft-related scams.
However, a sigh of relief is that no passwords were involved in the breach, and there is no indication (at least not yet) that the exposed databases were accessed by a third party. Moreover, since Verifications.io was taken offline right after they were informed about the breach, chances are that the data won’t be accessed by malicious actors unless someone knew about the incident before the security researchers did.
For people trying to understand how Verifications[.]io got your data: if you can confidently identify who gave your data to them (ie you use a unique email address for each service) *and* they’re willing to investigate, DM me. I’d like to piece together how data flowed to them.
— Troy Hunt (@troyhunt) March 10, 2019
Not for the first time
This is not the first time when billions of records have surfaced online in a database for anyone to access. Last month German security researchers identified a massive 845GB database (dubbed Collection #2) containing 2.2 billion usernames and passwords.
In January this year, researchers also discovered a database (dubbed Collection #1) containing 773 million ‘unique’ email IDs and 22 million ‘unique’ passwords available on MEGA cloud service for download. Later on, the same data was found posted on a famous hacking forum.
A word of advice
Use the HaveIbeenPwned service to see if your email is part of a data breach, and inform your bank of the breach to avoid identity theft scams. Also, sign up for as few online services as possible and keep your data private by not sharing it with recruiters or any other third party. Stay safe online!