A security researcher has discovered a massive leak of email addresses – in fact more than *800 million* email addresses. The massive exposure is due to lax security at an email address verification service called Verifications.io. Never used Verifications.io? It doesn’t matter, the odds are very good that your email address is in there.
Says Bob Diachenko, Cyber Threat Intelligence Director over at SecurityDiscovery, “This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII).”
After doing some digging, Diachenko discovered that it was the database of email addresses (and more) belonging to Verifications.io. (The site is now down – talk about closing the barn door after the email addresses got out!)
So just what is (was) Verifications.io? Verifications.io launched just about exactly one year ago. According to their now defunct website, they provided the following services:
Email Validation: Remove syntax errors, departmental emails, spamtraps, litigators, duplicates, complainers, botclickers, and misspellings.
Email Verification: Remove hard bounces from your list and check for social media and ecommerce profiles. Identify responsive data in your lists.
Spamtrap Removal: Remove spamtraps, botclickers, litigators, and potentially dangerous emails from your lists. Stop losing servers and IP addresses.
Spam traps are email addresses either set up for the sole purpose of sacrificing them in order to catch spammers, or old, disused email addresses repurposed to the same end.
So basically, here is how the Verifications.io service worked:
A company would upload their database of email addresses to Verifications.io, and Verifications.io would send an email to every single address on the list. If the email didn’t bounce, they would consider it verified. If it did bounce, they would note that, and probably add it to their own internally-maintained list of invalid email addresses. They also, presumably, maintained a list of spamtrap addresses, given that they claimed to scrub spamtraps, although we don’t know how they compiled that list.
And, of course, they maintained a massive database of all of the email addresses that were uploaded by all of the places that wanted their email lists scrubbed. In fact, Verifications.io boasted that they had, and we quote, the “Largest database in the industry”.
And, now, the largest database in the industry to be publicly exposed.
It’s worth noting here that while Diachenko’s exposé says that the number of email addresses exposed is more than 800 million, Wired is saying that it’s 763 million unique email addresses, with 809 million records in total. Those records include some names, telephone numbers, addresses, gender identities, dates of birth, personal mortgage amounts, interest rates, levels of credit score (average, above average, etc.), and company names and annual revenue amounts.
After Diachenko determined that the database belonged to Verifications.io, he dutifully reached out to inform them. He sent them an email with the subject “Verifications.io emails database exposed to public”, and received the following response from Verifications.io:
Thank you for reporting the issue. We appreciate you reaching out and informing us. We were able to quickly secure the database. Goes to show even with 12 years of experience you can’t let your guard down.
After closer inspection, it appears that the database used for appends was briefly exposed. This is our company database built with public information, not client data.
As you pointed out, data breaches and ransom one (sic) of the largest threats our industry and businesses face. We maintain full backups (both offline and in a different geographic location) so the destruction of data or ransom is not a concern for us. The exposure of PII to criminals is our primary concern and we take it seriously. We have taken appropriate measures to correct this.
Once again, thanks for reaching out.
Now, a couple of things about this response: first, they say that the 800 million database is their “append database”, not their client data. If this is true (and it’s a big if, as why would they not be using client data to inform their append database?), it suggests that they have this massive database of email addresses already matched up with PII like addresses, telephone numbers, etc., because “appending” is industry-speak for “I give you one bit of PII on my target, and you match it up with their email address, telephone number, what-have-you.”
Second, it’s interesting to note that they thought the concern was that the exposed data could be used against them, not against the, you know, millions of individuals exposed in the database.
And even though they are saying that it was a database amassed from publicly available information, which may well be true, having it all tied up with a bow in one place is a bonanza for any scammer who wants to send out emails like the one below:
[Image: real scam sent by a real scammer to one of our staff this week]
If you want to find out whether your own email address has been compromised in this or any other data leak, you can look your email address up here: HaveIBeenPwned.com.
The Internet Patrol is completely free, and we don't subject you to ads or annoying video pop-ups. But it does cost us out of our pocket to keep the site going (going on 20 years now!) So your tips via CashApp, Venmo, or Paypal are appreciated!
Receipts will come from ISIPP.