Another Data Incident Exposes 763 Million Email Addresses

The exposure reveals the data included employee and revenue figures from various companies.


Security researchers discovered an unguarded, publicly accessible database containing 150 GB of marketing data: 809 million records in total, including 763 million email addresses, information about individual consumers, and business intelligence data.

Security researchers Bob Diachenko and Vinny Troia found the trove and revealed the data included employee and revenue figures from various companies. The MongoDB database was owned by the “email validation” firm Verifications.io, which took the database offline the same day Diachenko reported it to the company.

The database contains standard information like names, email addresses, phone numbers, and physical addresses. But numerous records also included items like gender, birthdates, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and people’s credit scores.

Other records related to sales leads, including company names, annual revenue figures, fax numbers, company websites, and industry identifiers such as Standard Industrial Classification and National Association of Insurance Commissioners codes. Reportedly, the data does not contain Social Security or credit card numbers, and the only passwords related to Verifications.io’s own structure.

Chris DeRamus, CTO of Arlington, Va.-based DivvyCloud, said, “The data exposed in this leak of nearly 809 million records is unique, and highly exploitable since it includes business intelligence data such as employee and revenue figures from various companies, as well as genders, user IP addresses, email addresses, dates of birth and more. If a bad actor were to discover this massive trove of data, they could easily validate the contact information for the users included to launch a more focused phishing or brute force campaign.”

DeRamus explained that while collecting, storing and leveraging data is essential to running just about any type of business, organizations must diligently protect data with proper security controls. “Automated cloud security solutions would have been able to detect the misconfiguration in the MongoDB database containing this information and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time.” He added, “These solutions are essential to enforce policy, reduce risk, provide governance, impose compliance and increase security across large-scale hybrid cloud infrastructure.”

“This is the second major data breach in one week resulting from companies leaving business-critical databases and servers unprotected, which is alarming,” Kevin Gosschalk, CEO of San Francisco-based Arkose Labs, warned. “Cybercriminals are engaging in digital warfare, and the frequency and scale of data breaches are increasing. Companies must take the necessary precautions to protect their digital ecosystems from attacks, because exposing 763 million unique email addresses in a breach arms cybercriminals with 763 million new opportunities to commit fraud.”

Gosschalk suggested companies need to actively watch their attack surface and enforce multi-factor authentication before the next attack takes place. “Nine out of 10 login attempts are account takeover attacks using credential stuffing, and cybercriminals will use this exposed data to achieve account takeovers at scale. All companies need to be prepared to defend against new attacks being executed using this compromised information.”