A massive email database that includes more than two billion emails and identifiable information was discovered to have been accessible to anyone with its IP address. The database is reported to be owned by an email validation service, and things are not looking good.
Bob Diachenko, a tech expert with a reputation for spotting unsecured MongoDB instances, has once again come across a leaky, unsecured server that allowed him to access more than 150 GB of email records.
The discovery of the non-password-protected database happened on February 25, 2019. According to Diachenko, his discovery “is perhaps the biggest and most comprehensive email database [he] has ever reported.”
In a blog post, he expressed his shock at the number of emails that could be accessed by just anyone with an internet connection. He noted that some of the data were “much more detailed than just email address and included personally identifiable information (PII).”
Diachenko pointed out that there are four separate collections of data, massive enough to hold a total of 808,539,939 records collectively. “The largest part of it was named ‘mailEmailDatabase’ and includes three folders, namely: Emailrecords (count: 798,171,891 records), emailWithPhone (count: 4,150,600 records), and businessLeads (count: 6,217,358 records).”
“Based on the results, I concluded that this is not just another ‘collection’ of previously leaked sources but a completely unique set of data. Although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records,” he added.
Diachenko suggests that the likely owner of the database is a company named ‘Verifications.io,’ which offers email validation services. He discovered that once email addresses were uploaded for verification, the data were also stored in plain text.
He added that he had reported the incident to the email verification company, which responded by taking the site offline; it remains down as of writing. According to him, he did further research on Verifications.io, and by comparing it with the information that was publicly available in the database, his team concluded how the ‘verification’ process on the questionable website works.
He detailed that it all starts with someone uploading a list of email addresses that they want to validate. Verifications.io then has a list of mail servers and internal email accounts that it uses to ‘validate’ an email address by checking whether mail to the given address bounces. They literally send the address an email and see if it bounces; if it doesn’t, the email is ‘validated.’ Otherwise, they put it in a bounce list so it can easily be checked later on.
He went on to explain how the leak happened, writing:
“‘Mr. Threat Actor’ has a list of 1000 companies that he wants to hack into. He has a bunch of potential users and passwords but has no idea which ones are real. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified. Instead, he uploads all of his potential email addresses to services like Verifications.io [to validate the emails].”
“Then the threat actor gets a cleaned, verified, and valid list of users at these companies. Now he knows who works there and who does not, and he can start a more focused phishing or brute forcing campaign,” he added.
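The bounce-based ‘validation’ described above is, from the receiving mail server’s side, a burst of deliveries to addresses that do not exist, and the quoted scenario notes that such probing is noisy enough to be identified. The following detector is an added example, not code from the article or from Diachenko; it parses constructed Postfix-style “User unknown” reject lines (hypothetical sample data, 2019 assumed as the log year) and flags any client IP whose unknown-recipient rejects within a sliding window reach a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not taken from the article or any real server.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table
Mar  1 10:00:02 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table
Mar  1 10:00:04 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table
Mar  1 10:00:05 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in local recipient table
Mar  1 10:00:07 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <erin@example.org>: Recipient address rejected: User unknown in local recipient table
Mar  1 10:03:10 mx1 postfix/smtpd[4022]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <fran.smtih@example.org>: Recipient address rejected: User unknown in local recipient table
Mar  1 11:30:00 mx1 postfix/smtpd[4030]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <grace@example.org>: Recipient address rejected: User unknown in local recipient table
"""

# Matches the syslog timestamp, the connecting client's IP and the rejected recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?reject: RCPT from "
    r"\S+\[(?P<ip>[^\]]+)\]: 550 .*?<(?P<rcpt>[^>]+)>.*User unknown"
)


def parse_rejects(log_text, year=2019):
    """Return [(timestamp, client_ip, recipient)] for every unknown-user reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:  # syslog lines carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def find_enumerators(events, threshold=4, window=timedelta(minutes=5)):
    """Map client IP -> (peak rejects inside one window, distinct recipients probed)
    for sources whose unknown-user rejects reach `threshold` within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in sorted(events):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, probes in by_ip.items():
        recent, peak = deque(), 0
        for ts, _ in probes:  # sliding window over this IP's reject timestamps
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = (peak, len({r for _, r in probes}))
    return flagged
```

A single mistyped recipient from a partner server stays below the threshold, while the scripted burst from one address is reported together with how many distinct accounts it probed.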
Diachenko’s team initially thought that the email addresses were potentially being used in spam-related activity, because the database included the email accounts used for sending mail as well as hundreds of SMTP servers, email templates, spam traps, keywords to avoid, IP addresses to blacklist and more.
However, it turns out that they were actually sending nonsensical, unsolicited emails to the said addresses, and the team characterized it as the “worst kind of spam because they send millions of completely worthless ‘hello’ emails that no one can understand.”
After Diachenko notified the verification company, he said that they replied to him saying that the data he discovered was ‘public’ data. He, however, questions the validity of this response, noting that if it was indeed public, they shouldn’t have needed to take the data down.
“Why close the database and take the site offline if it indeed was ‘public’?… We can only speculate that it was not meant to be public data.”