2-Billion Unencrypted Records Found Hiding in Plain Sight on Publicly-Accessible Database
Last week, Bob Diachenko and Vinny Troia went public with their discovery of an unprotected, publicly accessible database holding roughly 150 gigabytes of plaintext data belonging to email validation company verifications.io. The database required no password to read. It held around 800 million unique email addresses, many of them accompanied by addresses, phone numbers, dates of birth and even mortgage data, apparently scraped from sites such as Facebook, Instagram and LinkedIn.
Then it got even worse. SC Magazine reported that the extent of the damage was actually more than triple what was first anticipated: “A data leak at data validation company verifications.io is three times larger than originally reported, comprising two billion leaked records, not 809 million, according to cyber-security company Dynarisk.”
“Our analysis was conducted over all four databases and extracted over two billion email addresses. The additional three databases were hosted on the same server, which is no longer accessible,” they said.
Reporting from Wired indicates that “other records in the collection seem related to generating sales leads at businesses, including company names, annual revenue figures, fax numbers, company websites, and industry identifiers for categorising companies called ‘SIC’ and ‘NAIC’ codes.”
Bob Diachenko, one of the two researchers who found the exposed data, was able, according to Forbes, to “track the database back to the Verifications IO enterprise email validation service.”
“This company validates bulk email lists for companies wanting to remove inactive addresses from newsletter mail-outs.”
The breakdown reported for the main database:
798,171,891 email records
4,150,600 email-with-phone records
6,217,358 business leads
CEO and founder of Dynarisk, Andrew Martin, told SC Magazine in an interview that while the company in question claims it is GDPR-compliant, because the database “wasn’t secure, it’s not GDPR-compliant. This wasn’t an APT, it didn’t keep the data safe. It was on a database on the internet open for anyone, and if we accessed it, it will have been seen by at least 100 others poking around at the data.”
“If the data has been acquired [by criminals], now that the server has been rendered inaccessible, they would still have proprietary breached data, which they could sell on hacker forums in a couple of months to bad guys using it for phishing etc. Just because it’s breached, it might not reach a wide pool of criminals,” he said.
“Who gets sued? Because of the way the company works, probably no-one,” Andrew Martin said.
“Verifications.io takes marketing lists from several companies, and those corporates will have terms and conditions that will push liability onto this company, to be in breach of its contract. So if a client were a bank and it was sued, it will in turn sue this company. Compared to banks, it’s a smallish company, and if all of the clients sued, it would end up in bankruptcy. They would probably terminate their contracts due to [the] breach anyway.”
The question now looming is: should you be worried? The answer, according to Davey Winder of Forbes, is yes.
“If threat actors have got a hold of this data, then it provides all the ammunition they require in order to appear like a trustworthy organisation in their communications.”
“If the communication really does sound genuine and you are tempted to respond as instructed, don’t. Instead, I always advise folk to take the extra minute to try contacting the sender through another means: if it’s a bank or commercial concern, then google them and browse to their site using that address, and not the message link. Ditto with phone numbers.”
“Remember that banks won’t contact you by email regarding a security matter, nor will they ask for your account details over the phone. Don’t let your security sense slip just because something sounds plausible, especially if a loss of money has been mentioned!” he concluded.