By now you’ve hopefully gotten the message that your personal data can end up in all sorts of unexpected Internet backwaters. But increased awareness has not reduced the problem. In fact, it has only grown, and gotten more confusing.
Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes of detailed, contextual marketing data, including 763 million unique email addresses. The two went public with their findings this week. The trove is not only extensive but also unusual: it contains data about individual consumers alongside what appears to be “business intelligence data,” such as employee and revenue numbers from various companies. This diversity may stem from the source of the information. The database, owned by the “email verification” company Verifications.io, was taken offline the same day Diachenko reported it to the company.
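The article does not say how the Verifications.io instance came to be reachable from the Internet, but exposed MongoDB servers of this era almost always share one configuration pattern: mongod bound to every interface with access control switched off. The following audit script is an added example (not code from the article, the researchers, or Verifications.io) that checks a mongod.conf for exactly that pair of settings. The two configuration texts are constructed for illustration; the minimal YAML parser only handles the flat section/key layout mongod.conf normally uses.

```python
"""Audit a mongod.conf for the settings that turn a MongoDB server into a
public, unauthenticated data dump: net.bindIp / net.bindIpAll and
security.authorization.  Added example with constructed config samples."""

# Constructed weak configuration: listens everywhere, no access control.
WEAK_CONF = """
# constructed sample, not a real deployment
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed hardened configuration: loopback plus one private address,
# access control on.  (A firewall or cloud security group is still needed.)
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Minimal parser for the two-level YAML mongod.conf uses: an unindented
    'section:' line followed by indented 'key: value' lines.  Comments are
    stripped; lists, anchors and multi-line values are not supported."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):  # top-level section header
            key, _, value = line.partition(":")
            section = key.strip()
            conf[section] = value.strip() if value.strip() else {}
            continue
        key, _, value = line.strip().partition(":")
        if section is not None and isinstance(conf[section], dict):
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit(conf):
    """Return a list of findings; empty list means neither weakness is present."""
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}

    # mongod has defaulted to localhost-only since 3.6; older builds bound 0.0.0.0.
    bind_ip = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    wildcard = any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))
    exposed = bind_all or wildcard

    # Access control is off unless security.authorization is explicitly enabled.
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"

    findings = []
    if exposed:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")
    if not auth_on:
        findings.append("access control off (security.authorization is not 'enabled')")
    if exposed and not auth_on:
        findings.append("CRITICAL: anyone who can reach the port can read every database")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config string and audit it."""
    return audit(parse_mongod_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_text(conf) or ["no findings"])
```

This is a configuration-level check only: a host firewall or cloud security group can still block the port even when mongod itself listens on 0.0.0.0, and conversely an authenticated server is still worth keeping off the public Internet.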
While you may never have heard of them, email verification services play an important role in the email marketing industry. They don’t send marketing emails themselves or facilitate automated mass campaigns. Instead, they check a customer’s mailing list to make sure the addresses on it are valid and won’t bounce. Some email marketing companies handle this in house. But fully verifying that an email address works involves sending a message to it and confirming that it was delivered, which is essentially spamming people. That means evading the protections of Internet service providers and platforms like Gmail. (There are less invasive ways to validate email addresses, but they have the trade-off of false positives.) Major email marketing companies often outsource this work rather than risk having their own infrastructure blacklisted by spam filters or hurting their online reputation scores.
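The “less invasive” validation the paragraph alludes to is typically a syntax check plus a DNS lookup for the domain’s mail exchangers, with no message ever sent. The example below is added here and is not code from the article or from any verification vendor; it shows that approach and makes its false-positive class explicit. The `FAKE_MX` table is a constructed stand-in for DNS so the code runs offline; the `mx_lookup` parameter is an assumption of this example, and in real use you would pass a function that queries DNS (for instance with dnspython’s `dns.resolver.resolve(domain, "MX")`).

```python
"""Validate email addresses without sending mail: syntax check plus MX lookup.
Added example; FAKE_MX is constructed test data, not a real DNS zone."""
import re

# Constructed MX records standing in for DNS.  A missing key means the
# domain does not resolve at all; an empty list means it publishes no MX.
FAKE_MX = {
    "example.com": ["mail.example.com."],
    "nomail.example": [],
}

# Characters RFC 5322 allows in an unquoted local part (dot handled separately).
LOCAL_PART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# One hostname label: letters/digits, hyphens inside only, at most 63 chars.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def syntax_ok(addr):
    """Structural check only; says nothing about whether the mailbox exists."""
    if addr.count("@") != 1 or len(addr) > 254:
        return False
    local, domain = addr.split("@")
    if not local or len(local) > 64:
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    if not LOCAL_PART.match(local):
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def classify(addr, mx_lookup=lambda domain: FAKE_MX.get(domain.lower())):
    """Return 'invalid', 'undeliverable' or 'plausible'.

    'plausible' means the address is well formed and its domain accepts mail.
    It does NOT mean the mailbox exists: a non-existent user at a valid domain
    comes back 'plausible' too, which is the false-positive class that only an
    actual delivery attempt (what the industry outsources) can resolve.
    """
    if not syntax_ok(addr):
        return "invalid"
    domain = addr.rsplit("@", 1)[1]
    # Simplification: RFC 5321 lets a domain with no MX fall back to its A
    # record; a production check would test that before declaring undeliverable.
    if not mx_lookup(domain):
        return "undeliverable"
    return "plausible"


def classify_list(addrs, mx_lookup=None):
    """Bucket a customer list the way a verifier would hand it back."""
    kwargs = {"mx_lookup": mx_lookup} if mx_lookup else {}
    buckets = {"invalid": [], "undeliverable": [], "plausible": []}
    for addr in addrs:
        buckets[classify(addr, **kwargs)].append(addr)
    return buckets


if __name__ == "__main__":
    sample = ["alice@example.com", "nobody-here@example.com",
              "bob@nomail.example", "not-an-address", "a..b@example.com"]
    for verdict, members in classify_list(sample).items():
        print(f"{verdict:14s} {members}")
```

Note that `nobody-here@example.com` is reported as plausible even though no such mailbox exists in the constructed data. An intermediate probe (opening an SMTP session and issuing `RCPT TO` without sending a message) narrows that gap, but many providers accept every recipient at that stage, which is why the industry described above falls back to actually delivering mail.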
“Companies have email lists and they want to start emailing them, but they’re not sure how useful they are,” says Troia, who co-founded Night Lion Security. “So they go to a company that will send spam specifically.” Troia speculates, though it is not confirmed, that the database may be so large and diverse because it contains all of Verifications.io’s customer data. WIRED was unable to reach the company or its CEO, Vlad Strelkov, over several days. On Monday, the entire Verifications.io website went offline and has not been restored since.
In all, the 809 million records in the Verifications.io trove include standard information such as names, email addresses, phone numbers, and physical addresses. But many also include things like gender, date of birth, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and characterizations of people’s credit scores (such as average, above average, and so on). Meanwhile, other records in the collection appear to relate to generating business sales leads, including company names, annual revenue figures, fax numbers, company websites, and SIC and NAICS industry classification codes.
The data does not contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io’s own infrastructure. Most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it becomes much easier for them to run new social engineering scams or expand their pool of targets.
In the exposed database, the researchers also found what appear to be internal Verifications.io tools: test email accounts, hundreds of SMTP (email sending) servers, the text of the emails, anti-spam-evasion infrastructure, keywords to avoid, and IP addresses to blacklist. Diachenko suggests that in the Verifications.io workflow, customers upload an Excel spreadsheet listing the email addresses to be validated, and Verifications.io then runs its tests and returns lists of clean addresses and those that bounced. It’s possible, given the nature of the data and evidence that it was imported from multiple Excel files, that Verifications.io also retains some or all of the data it receives from customers after completing its email address checks.
The researchers validated samples of the data against companies listed as Verifications.io clients. Troia says his own personal information appears in the database. WIRED spoke to the owner of an email marketing company who confirmed the validity of a portion of the data. WIRED also checked for four individuals but did not find them listed. Diachenko and Troia note that they have no way of knowing whether anyone else discovered and downloaded the Verifications.io data while it was public and fully visible.
“I have no idea if anyone else got into this other than us,” Troia said. “But it’s definitely there for anyone to take.”
“You can’t let your guard down”
Much remains unknown about the database and Verifications.io, because the company is difficult to track down. When the researchers first contacted the company through a messaging portal on its site to disclose the database, someone responded with an unsigned note. “Thank you for reporting the issue. We appreciate you reaching out and informing us,” the response said. “This is our company database made with public information, not customer data. We were able to secure the database quickly. Goes to show, even with 12 years of experience, you can’t let your guard down.”
Much of the data in the database is publicly available, although it is not clear that all of it is. When the researchers asked through the portal for the owner’s name and the company’s legal name, someone wrote back declining to answer.
It is also unclear where Verifications.io is based. Most of its filings list Boca Raton, Florida, but some of its web properties are registered in California and Delaware. The Verifications.io website lists addresses in Estonia, but some of them correspond to what appear to be a museum and a government building.
Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which lets people check whether their data has turned up in data exposures and breaches. He says 35 percent of the 763 million email addresses in the trove are new to the HaveIBeenPwned database. The Verifications.io dump is also the second largest ever added to HaveIBeenPwned by number of email addresses, after the 773 million in the repository known as Collection #1, which was added earlier this year. Hunt said some of his own information was included in the Verifications.io trove.
“Another Day on the Internet”
“The first takeaway for me is that this is another case where someone has my data and hundreds of millions of other people’s data, and I have no idea how they got it,” Hunt said. “I had not heard of the company until now, and of course I cannot remember agreeing to their use of my data. Of course, it is entirely possible that, buried in some other terms and conditions, it says they are allowed to pass my data on in this way, but that does not meet my expectations of how my data should be used.”
As with recent data exposures at the sales intelligence firm Apollo and the marketing company Exactis, there isn’t much you can do to protect yourself individually when large repositories of data gathered from public and private sources leak. Check HaveIBeenPwned to see whether your data is in the Verifications.io trove, and keep up your general vigilance by using strong, unique passwords, monitoring your financial accounts, and giving out your Social Security number as rarely as possible. But also recognize that none of those measures is a complete answer to this society-scale problem.
The fragmented nature of the exposed Verifications.io data speaks to the chaotic state of the data industry as a whole. People’s personal information is shared by big companies like Facebook, bought and sold by shady marketers, or stolen from data giants and dumped to circulate freely in the purgatory of criminal forums. That churn makes it difficult for consumers to control who has their data and where it ends up. As Hunt put it, “Sadly, it’s just another day on the Internet.”
This story originally appeared on wired.com.