An Internet connection was all you needed to access the records database.
Data breaches are now so common that your eyes may glaze over at news of yet another public exposure of PII and customer records.
In a world like this, however, a case still occasionally emerges that makes major headlines, such as the discovery of a database described by the researcher as “perhaps the biggest and most complete e-mail database I have ever reported.”
According to Bob Diachenko, who investigated the instance together with security researcher Vinny Troia, the 150 GB MongoDB instance in question contained four separate data collections.
In total, Diachenko and Troia found 808,539,939 records. The largest collection, called mailEmailDatabase, was divided into three sections:
email records (798,171,891 records), email with phone (4,150,600 records) and business leads (6,217,358 records).
After cross-referencing the database against records from Troy Hunt's HaveIBeenPwned, Diachenko was able to determine that the database was not just another huge dump of stolen information such as the Collection 1 leak.
HaveIBeenPwned is a collection of known leaks and exposures that the public can use to find out whether they have been involved in a data breach. “While not all of the records contained detailed information on the email owner, many documents were very detailed,” the researcher added.
The MongoDB instance gave some clues as to who the information may belong to: a company called “Verifications.io.” The company's website is not available at the time of writing, but cached pages show that Verifications.io described itself as an e-mail marketing firm with specialist knowledge in circumventing spam traps and hard bounces. One of the services the company offered was “Enterprise Email Validation,” which allowed customers to upload email lists for marketing and verification purposes.
Email validation works by simply sending a message to an address; if it bounces, the address is added to a bounce list for later testing. Once uploaded to the service, these lists appear to have been stored in plaintext, without any form of protective encryption.
While a list of email addresses and some PII may not look like much, Diachenko outlined a potential attack vector in which threat groups would find such a database invaluable.
If a hacker compiled a list of companies they wanted to compromise and also obtained a list of potentially usable credentials, they could upload those email addresses to a service like Verifications.io. This would let the threat actor save time and reduce the chance of exposure while simultaneously validating their e-mail cache to pursue their real goals, and confirming PII that could be used for identity theft or social engineering attacks.
The researchers reported their findings to Verifications.io, which responded by taking its website offline. The database was removed on the same day.
“In their reply they said that what I found was public data rather than customer data. So why close down the database and take the site offline if it was ‘public’?” Diachenko notes.
“Apart from the email profiles, the database contained access details and a list (130 records) of users with names and access credentials for the FTP server used to upload and download email lists, hosted on the same IP as the MongoDB instance.”