An email marketing firm accidentally exposed 800 million records, including people's phone numbers, dates of birth, and ZIP codes.
The 150GB database was storing all the information online—in plain text with no password protection, according to the security researchers Bob Diachenko and Vinny Troia. Last month, Diachenko stumbled on the database, and discovered it contained a massive trove of 763 million email addresses.
Each record was also structured to "include zip / phone / address / gender / email / user IP / DOB," Diachenko wrote in a Thursday blog post. "Although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed," he said. "We are still talking about millions of records."
Many of the records also contain other details such as Facebook, LinkedIn, and Instagram accounts linked to each email address, in addition to people's credit scores and personal mortgage amounts, according to Wired, which first reported the news.
So who created the database? Diachenko traced it back to a mysterious company called Verifications.io, which specializes in helping companies validate customer email records to keep them up to date. "We remove invalid emails and spam traps from your email list, as well as duplicate emails, litigators, and consumers prone to complain about commercial email," says an archived webpage for the service, which was led by a CEO named Vlad Strelkov.
It explains why the database held so many records. "Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text," Diachenko said. "Once I reported my discovery to Verifications.io, the site was taken offline and is currently down at the time of this publication."
Verifications.io hasn't responded to a request for comment about the data leak. However, in a message back to Diachenko, the service said: "We were able to quickly secure the database… The exposure of PII (Personally Identifiable Information) to criminals is our primary concern and we take it seriously."
Strangely, the service also told him that the exposed data was built with "public information, not client data." Diachenko finds that claim suspicious: "Why close the database and take the site offline if it indeed was 'public'?" he wrote in his blog post.
Whether anyone else stumbled on the exposed database isn't clear. But the information would've made it easier for any hacker to find victims to target for email phishing attacks or to craft identity theft schemes.
According to Diachenko, evidence in the database shows that Verification.io was likely validating customer email lists by engaging in what amounted to spam. "They do this by literally sending the people an email. If it does not bounce, the email is validated," he said.
The news highlights the shady world of digital marketing. Companies and marketing firms are often collecting data based on your digital footprint in order to serve you ads or contact you over email about new products. Unfortunately, not all that information is safely stored. Last June, Diachenko's colleague Vinny Troia uncovered that another little-known marketing firm called Exactis had also leaked the personal details on 340 million through an exposed database.