‘Biggest breach recorded’: 982 MILLION people’s personal information exposed

Email addresses of almost a BILLION people are leaked in one of the biggest data breaches ever, and hackers could now have access to your name, date of birth and even where you LIVE

  • ‘Email validation’ firm was taken offline when the enormous breach was reported
  • Personal information like names, address and employer were also exposed
  • Verifications.io is a company offering ‘enterprise email validation’ as a service
  • Validators ensure that the email addresses in a list are valid and won’t bounce

Hundreds of millions of people’s personal data has been breached online by a marketing company that has since taken its website down.

Email addresses from 982 million people were listed in what researchers are calling one of the ‘biggest and most comprehensive email database’ breaches ever recorded.

Personal information including names, gender, date of birth, address, employer and details of social media accounts was also listed.

The data breach puts the millions of people involved at a higher risk of being exposed to hack attacks, fraud, nuisance calls and emails.

Security researchers uncovered the breach in an unsecured online database created by Verifications.io, a company offering ‘enterprise email validation’.

Marketing companies used the service to send out mass emails to work out whether the addresses they have collected are genuine.

The unprotected and publicly accessible MongoDB database contained 150 gigabytes of marketing data, according to the researcher’s blog post.

 


The website went offline after cyber security expert Bob Diachenko, one of the researchers who found the breach, notified its support team.

It was unclear whether the exposed data was accessed by others. Passwords and payment card details were not leaked.

Other records in the collection appeared to be ‘business intelligence data’, related to generating sales leads at businesses.

This included company names, annual revenue figures, company websites, and industry identifiers.

Cyber security expert Bob Diachenko, one of the researchers who found the breach


His team said that Verifications.io offered a service to marketers where it would ‘verify’ lists of email addresses by sending emails to see if they bounced.

If the emails bounce, the addresses are simply put in a ‘bounce list’ so they can easily be validated later on.

The company, with an Estonia address, sends out tens of thousands of emails to validate these users.

Each one of the users on the list gets their own spam message saying ‘hi’.

Then the company sends a verified and valid list of users to these companies so they can start a more focused phishing campaign, according to Mr Diachenko.

They said that marketing companies hide behind services like this so that they are not blacklisted for spamming.

Mr Diachenko, along with NightLion Security’s Vinny Troya, cross-referenced the datasets with the HaveIBeenPwned database.

A screengrab of the website today. It was taken down after security researchers uncovered the breach left in an unsecured online database by the company, which sends out tens of thousands of emails to validate these users

HOW COMPANIES LIKE VERIFICATIONS.IO WORK:

1. Someone, i.e. a company, uploads a list of email addresses that they want to validate.

2. Verifications.io has a list of mail servers and internal email accounts that they use to ‘validate’ an email address.

3. They do this by literally sending the people an email.

4. If it does not bounce, the email is validated. If it bounces, they put it in a bounce list so they can easily validate later on.

Source: Bob Diachenko

They were then able to establish that these were unique records that had never been exposed in any previous ‘collections’.

‘This is perhaps the biggest and most comprehensive email database I have ever reported,’ Mr Diachenko wrote in his post.

‘Upon verification, I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection.

‘Some of the data was much more detailed than just the email address and included personally identifiable information (PII).’
