• by Ray Schultz , March 15, 2019

Verifications.io -- the firm identified in the breach of over 809 million email marketing records, including personally identifiable information -- appears to have collapsed, although signs exist that someone is still in charge.  

The firm’s web site went down following discovery of the breach on February 25 by security researcher Bob Diachenko, but a version of the site is now up under the company name, although it's not clear who put it up. 

However, it only provides what appear to be sponsored content links, and the home page says “this domain is for sale.” Clicking through that link reveals that a buyer can have the verifications.io name for $4,988. 

A note at the bottom of the home page states: “The Sponsored Listings display above are served automatically by a third party. Neither the service provider nor the domain owner maintain any relationship with the advertisers. In case of trademark issues please contact the domain owner directly (contact information can be found in whosis).” 

It will be difficult for lawyers to file class-action lawsuits, as they would in the breach of a major brand: There are no deep pockets.

Wired identified the CEO as Vlad Strelkov, but said it was unable to reach him.

News outlets referred to the firm as an “email marketing vendor.”

Meanwhile, email professionals are trying to make sense of the incident.

"Databases like this are used by hackers to identify targets for their phishing emails. It's a database of known-good email addresses, which means they are perfect targets for phishers,” says Seth Blank, director of industry initiatives at Valimail and M3AAWG board member.

He adds: "It's also worth noting that those phishing campaigns frequently make use of spoofed sender identities (bogus domains or exact-domain spoofs), so they could appear to come from anywhere."

Blank continues: "This is yet another sign of the robust and thriving phishing economy and the existence of databases like this is just one more reason that BEC attacks soared nearly 500% last quarter."

He concludes: “it appears that the compromised service itself (Verifications.io) was doing some very shady things and had terrible security.”

To recap, the staggering load of data was exposed to anyone with an internet connection. Diachenko called it “perhaps the biggest and most comprehensive email database I have ever reported.”” 

Verifications.io allowed firms to verify their email lists by simply uploading them on the site.

Diachenko discovered the exposure on February 25, and worked with fellow security researcher Vinny Troya, owner of NightLion Security, to flesh it out. Verifications.io took the site down after hearing from Diachenko, and claimed that the exposed data was public data, not client data.

“As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database,” Diachenko writes. 

He adds: “Based on the results, I came to conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data.”

He adds that Verifications.io has a “a list of mail servers and internal email accounts that they use to ‘validate’ an email address.”

The firm does this by sending the people an email. “If it does not bounce, the email is validated,” he adds. “If it bounces, they put it in a bounce list so they can easily validate later on.”

He continues: “Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text.”

Diachenko calls the episode “a non-password protected 150GB-sized MongoDB instance.”