A staggering 808,539,939 email marketing records -- some containing personally identifiable information -- were exposed to anyone with an internet connection, according to security researcher Bob Diachenko.
Diachenko identified the company as verifications.io, an email marketing vendor, and says this is “perhaps the biggest and most comprehensive email database I have ever reported.”
Verifications.io, which allows firms to verify their email lists by simply uploading them on the site, took the site down.
Diachenko discovered the exposure on February 25, and has worked with fellow security researcher Vinny Troia, owner of NightLion Security, to flesh it out.
“As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database,” Diachenko writes.
He adds: “Based on the results, I came to the conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data.”
He adds that Verifications.io has “a list of mail servers and internal email accounts that they use to ‘validate’ an email address.”
The firm does this by sending an email to each address. “If it does not bounce, the email is validated,” he adds. “If it bounces, they put it in a bounce list so they can easily validate later on.”
He continues: “Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text.”
Diachenko calls the episode “a non-password protected 150GB-sized MongoDB instance.”