An online email verification service has taken itself offline after approximately 809 million of its customers' emails were exposed through an unprotected server.
Researchers discovered a non-password protected MongoDB instance amounting to 150GB of data split across four separate collections last week. They analysed this exposed data, 808,593,939 records in total, and published their findings on Thursday.
The exposed records are owned by an email verifications service named Verifications.io, according to the researchers.
The largest drive, named 'mailEmailDatabase', itself contained three folders; Emailrecords (798,171,891 records exposed), emailWithPhone (4,150,600 records exposed) and businessLeads (6,217,358 records exposed).
Beyond names, email addresses and phone numbers, the exposed records may also have contained additional information such as city, phone number, date of birth, and gender.
Cyber security expert Bob Diachenko, who discovered and analysed the exposed data with NightLion Security's Vinny Troya, then cross-referenced these records with the HaveIBeenPwned database.
They established these were unique records that had never been exposed in any previous 'collections'. Included in this bracket, for example, are the monster Collections #1 to #5 leaks of 2.2 billion unique records exposed earlier this year.
"This is perhaps the biggest and most comprehensive email database I have ever reported," Diachenko wrote in his post.
"Upon verification, I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of data was much more detailed than just the email address and included personally identifiable information (PII)."
Clues within the dataset pointed Diachenko to Verifications.io as the likely owner of the non-password protected MongoDB instance.
The company, which offers 'enterprise email validation' as a service, then took its entire website offline the same day he reported the discovery to its support team.
"We appreciate you reaching out and informing us," Verifications.io's support team told Diachenko via email. "We were able to quickly secure the database. Goes to show, even with 12 years of experience you can't let your guard down.
"After closer inspection, it appears that the database used for appends was briefly exposed. This is our company database built with public information, not client data."
This fact has confused the researchers, however, who in their blog post posed the question "why close the database and take the site offline if it indeed was "public"?"
Verifications.io remains offline at the time of publication.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
The FBI says hackers are using AI voice clones to impersonate US government officialsNews The campaign uses AI voice generation to send messages pretending to be from high-ranking figures
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Hackers are using Zoom’s remote control feature to infect devices with malwareNews Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering techniqueNews State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to knowNews Cyber criminals are flocking to LinkedIn to conduct social engineering campaigns, research shows.
