Security researchers have discovered an unprotected 150 GB sized MongoDB database containing 809 million records publicly accessible to anyone.
The database contains plain text marketing data including 763 million unique email addresses.
The database was discovered by security researcher Bob Diachenko and Vinny Troia and belongs to email validation company verifications.io.
“On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported.”
The large database consists of four separate collections of data and combining a total of 808,539,939 records were found.
The biggest one was named ‘mailEmailDatabase’ and contained three folders
- Emailrecords (count: 798,171,891 records)
- emailWithPhone (count: 4,150,600 records)
- businessLeads (count: 6,217,358 records)
The email records contain details such as last name, date of birth, email, phone number, zip code, address, gender, and IP address.
Diachenko cross-checked a random selection of records with the help of with Troy Hunt’s HaveIBeenPwned database and discovered that this is not part of any previous data leak but a completely unique set of data.
According to researchers, the four databases were hosted in the same server and some of them included detailed personally identifiable information (PII) also.
In the exposed database researchers also discovered some Verifications.io’s own internal tools such as test email accounts, hundreds of SMTP (email sending) servers,anti-spam evasion infrastructure, keywords to avoid, and IP addresses to a blacklist.
Researchers notified the company about the database and they immediately took down the website and leaked database.
The company also issued a statement saying the database was built with public data, not client data.
You may be interested in reading:New Zero-day flaw in Google Chrome Discovered Actively Exploited in the Wild