Security researcher Bob Diachenko shared his discovery of an unprotected 150 GB MongoDB instance. He said it held a huge number of email addresses that were publicly accessible to anyone with an internet connection. “Some of the data was much more detailed than just the email address and included personally identifiable information (PII).”
The database contained four separate collections of data totalling 808,539,939 records. The largest part, named ‘mailEmailDatabase’, had three folders:
- Emailrecords (798,171,891 records)
- emailWithPhone (4,150,600 records)
- businessLeads (6,217,358 records)
He cross-checked a random selection of records against Troy Hunt’s HaveIBeenPwned database. The researcher states, “I started to analyze the content in an attempt to identify the owner and responsibly disclose it – even despite the fact that this started to look very much like a spam organization dataset.”
In addition to the email databases, the Mongo instance also revealed details on the possible owner of the database: a company named ‘Verifications.io’, which offered ‘Enterprise Email Validation’ services. Emails uploaded for verification were also stored in plain text. “Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication. Here is the archived version”, the researcher said.
According to Diachenko, the service worked as follows:
- Someone uploads a list of email addresses that they want to validate.
- Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address.
- They do this by literally sending the people an email. If it does not bounce, the email is validated.
- If it bounces, they put it in a bounce list so they can easily validate later on.
Diachenko said, “‘Mr. Threat Actor’ has a list of 1000 companies that he wants to hack into. He has a bunch of potential users and passwords but has no idea which ones are real. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified.”
In this scenario, the threat actor instead uploads all of his potential email addresses to a service like verifications.io. The email verification service then sends tens of thousands of emails to validate these users (some real, some not). Each user on the list receives their own spam message saying “hi”. Further, the threat actor receives a cleaned, verified list of valid users at these companies. This, in turn, tells him who works there and who does not, from which he could start a more focused phishing or brute-forcing campaign.
According to Wired, “The data doesn’t contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io’s own infrastructure. Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.”
Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches. He says that 35 percent of the trove’s 763 million email addresses are new to the HaveIBeenPwned database.
The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of the number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year. Hunt says some of his own information is included in the Verifications.io exposure.
For more details, read Bob Diachenko’s post.