Charlie Osborne at ZDNet has revealed a data breach of epic proportions. Bob Diachenko and Vinny Troia discovered over 809 million records in MongoDB. The information offered included varying degrees of private information including email addresses, zip codes, phone numbers, physical addresses and dates of birth. “Although not all records contained the detailed profile information about the email owner,” says Diachenko, “a large number of records were very detailed.” And anyone with an internet connection could access the data and compile some very effective spear phishing attacks.
Researchers cross-referenced the database with Troy Hunt’s HaveIBeenPwned data and confirmed that the MongoDB incident was not just a bulk data dump of stolen information. The breach apparently comes from a company called Verifications.io – an email marketing firm that specializes in circumventing spam traps and hard bounces. Their service allows customers to upload email lists for marketing and verification purposes. Unfortunately, the lists upload in plaintext without any form of encryption, which makes this data a veritable gold mine for anyone looking to compromise large scale companies in a short amount of time.
The company immediately pulled its website offline upon notification of the breach and the database was removed the same day.