Shortly after we reported on the Dalil app data leak, another similar report has emerged. Once again, researchers have found a leaky MongoDB instance exposing millions of records. The database allegedly belonged to an email validation service, and the exposed records included a huge number of emails and personally identifiable information.
Data Leak By Email Validation Service
Recently, Bob Diachenko, who has a history of spotting unsecured MongoDB instances, has once again come across a leaky server. However, this time, he found a massive database with explicit records.
As revealed in a blog post, Diachenko came across an unsecured MongoDB instance of 150GB that had a huge number of emails. As per his findings,
“This database contained four separate collections of data and combined was an astounding 808,539,939 records.”
Inspecting further, he noticed a section named “mailEmailDatabase” that had three folders with the records. There he found 798,171,891 email records, 4,150,600 emailWithPhone records, and 6,217,358 businessLeads records. The data labelled as ‘emailrecords’ actually contained personally identifiable information (PII).
Digging further, he found that the database actually belonged to an email validation service, ‘Verifications.io’.
He later also involved Vinny Troia (the individual who uncovered the Exactis data leak), and then reported the matter to Verifications.io. The service acknowledged his report but replied that the database included ‘public data’ only. Nonetheless, the website has since gone offline.
From Millions to ‘Billions’
Bob Diachenko stated that the data he came across comprised 808 million records. However, the cybersecurity firm DynaRisk later disclosed that what Diachenko reported represented only a fraction of the total leaked data. According to DynaRisk’s report, the email validation service actually exposed 2,069,145,043 records belonging to individual users and businesses in four databases.
“Four databases were leaked, totaling over 196 gigabytes of personal and professional information suitable for cyber criminals to launch attacks.”
Like Diachenko, DynaRisk also elaborated on how such data leaks could trigger malicious activities.
“The lists can be used to target the people on it with phishing emails and scams, telephone push payment fraud, and the data contains enough information to enable tailored scams aimed at key staff who could be targeted for CEO fraud or Business Email Compromise.”
The firm’s response to Bob Diachenko confirmed that it had closed down the leaky database. Nonetheless, considering the fluctuations in reports and the drastic increase in the number of exposed records, one can only hope not to hear any further troubling developments in this matter.