Email firm left 809 million records exposed online

Security researchers announced at RSAC today announced they have discovered a trove of 809 million personal records exposed on the internet. This time more than just emails and passwords were exposed — data also includes physical addresses, personal mortgage details, social media accounts, and credit score analysis.

The database was owned by "email validation" firm Verifications.io, and has been taken offline by the company.

From WIRED News:

Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes-worth of detailed, plaintext marketing data—including 763 million unique email addresses. The pair are going public with their findings today. The trove is not only massive but also unusual; it contains data about individual consumers as well as what appears to be "business intelligence data," like employee and revenue figures from various companies. This diversity may stem from the information's source. The database, owned by the "email validation" firm Verifications.io, was taken offline the same day Diachenko reported it to the company.

While you've likely never heard of them, validators play a crucial role in the email marketing industry. They don't send out out marketing emails on their own behalf, or facilitate automated mass email campaigns. Instead, they vet a customer's mailing list to ensure that the email addresses in it are valid and won't bounce back. Some email marketing firms offer this mechanism in-house. But fully verifying that an email address works involves sending a message to the address and confirming that it was delivered—essentially spamming people. That means evading protections of internet service providers and platforms like Gmail. (There are less invasive ways to validate email addresses, but they have a tradeoff of false positives.) Mainstream email marketing firms often outsource this work rather than take on the risk of having their infrastructure blacklisted by spam filters, or lowering their online reputation scores.

Here's a link to the report by security researchers Bob Diachenko and Vinny Troia.