An email verification service accidentally leaked more than 800 million email accounts, some including other personal data.
According to a report from Security Discovery, an online news source for cybersecurity, an email verification service leaked more than 800 million email addresses. The exposed database, roughly 150 GB in size, held personal information on users around the world.
The file contained 798,171,891 email records. Additional leaked data included a smaller number of private phone numbers and business leads.
According to the report, the data likely came from a company that went by “Verifications.io,” a now-defunct service that offered “Enterprise Email Validation.”
The report reads: “In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database – a company named ‘Verifications.io’ – which offered the services of ‘Enterprise Email Validation’. Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.”
Email validation services are used by companies to make sure the addresses on their mailing lists belong to active accounts. To check that each address on the list is still active, the service sends a message to it. If the message does not go through, the company is notified and can remove that address from its mailing list.
The report also detailed how attackers abuse email validation services. By feeding such a service a large list of guessed addresses, an attacker can quickly learn which ones belong to real accounts, without producing the noisy stream of failed logins that a direct brute-force attempt would generate. The cleaned list then lets the attacker target the next victims far more efficiently.
“Mr. Threat Actor” has a list of 1000 companies that he wants to hack into. He has a bunch of potential users and passwords, but has no idea which ones are real. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified. Instead, he uploads all of his potential email addresses to a service like verifications.io. The email verification service then sends tens of thousands of emails to validate these users (some real, some not). Each one of the users on the list gets their own spam message saying “hi”. Then the threat actor gets a cleaned, verified, and valid list of users at these companies. Now he knows who works there and who does not, and he can start a more focused phishing or brute forcing campaign.
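From the target's side, the verification traffic described above arrives at the company's mail gateway as a burst of delivery attempts to addresses that do not exist, and the gateway rejects each of them. That burst is the detection opportunity. The script below is an added example, not code from the report or the original article: it reads Postfix-style "User unknown" rejection lines and flags any client that is rejected for many distinct recipients inside a short window. The log excerpt is constructed (203.0.113.10 plays a hypothetical verification service probing guesses for one user, 198.51.100.7 a normal partner that mistyped two addresses hours apart), and the function names, thresholds and window are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Postfix smtpd log excerpt (not real traffic). The NOQUEUE / 550 5.1.1
# lines are what Postfix logs when it rejects a recipient missing from its local
# recipient table; the "client=" line is an accepted recipient and is ignored.
SAMPLE_LOG = """\
Mar 12 10:00:01 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <j.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<j.smith@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 10:00:01 mx1 postfix/smtpd[2201]: 4F1A2B3C7D: client=unknown[203.0.113.10]
Mar 12 10:00:02 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<jsmith@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 10:00:02 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<jsmith@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 10:00:03 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <john.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<john.smith@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 10:00:03 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <smithj@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<smithj@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 10:00:04 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <johns@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<johns@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 10:00:05 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <smith.john@example.com>: Recipient address rejected: User unknown in local recipient table; from=<verify@bulk-check.invalid> to=<smith.john@example.com> proto=ESMTP helo=<bulk-check.invalid>
Mar 12 09:15:44 mx1 postfix/smtpd[2187]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <accounts-payble@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ap@partner.example> to=<accounts-payble@example.com> proto=ESMTP helo=<mail.partner.example>
Mar 12 11:20:09 mx1 postfix/smtpd[2310]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <recieving@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ap@partner.example> to=<recieving@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# Matches only "User unknown" recipient rejections; everything else is skipped.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<client>[^\]]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown.*"
    r"from=<(?P<sender>[^>]*)>"
)


def parse_rejects(lines, year=1900):
    """Return one event dict per unknown-recipient rejection found in the lines."""
    events = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; any fixed year works for deltas
        # computed within a single log file
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "client": m["client"],
                       "sender": m["sender"].lower(), "rcpt": m["rcpt"].lower()})
    return events


def find_enumeration(events, threshold=5, window=timedelta(minutes=10)):
    """Flag clients rejected for >= threshold distinct recipients inside any window.

    A sliding window per client counts distinct unknown recipients, so a retry
    of the same bad address (as in the sample) is not counted twice.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # recipient -> rejections inside the window
        start, peak = 0, 0
        for ev in evs:
            in_window[ev["rcpt"]] += 1
            while ev["ts"] - evs[start]["ts"] > window:  # evict old events
                old = evs[start]["rcpt"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[client] = {
                "distinct_unknown": peak,
                "total_rejects": len(evs),
                "senders": sorted({e["sender"] for e in evs}),
                "first": evs[0]["ts"],
                "last": evs[-1]["ts"],
            }
    return flagged


if __name__ == "__main__":
    hits = find_enumeration(parse_rejects(SAMPLE_LOG.splitlines()))
    for client, info in hits.items():
        print(f"{client}: {info['distinct_unknown']} distinct unknown recipients "
              f"({info['total_rejects']} rejects) between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}, senders={info['senders']}")
```

Two caveats when running something like this for real. A legitimate bulk sender working from a stale list produces the same pattern, so the threshold and window need tuning per environment and known senders belong on an allowlist rather than in the alert. And the regex is tied to Postfix's reject wording; other MTAs log unknown recipients differently and need their own pattern, but the principle is the same: many distinct nonexistent recipients from one source in a short time is someone testing which of your addresses are real.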
Stay tuned to Breitbart News for more updates on this story.