A security researcher claims to have discovered a non-password protected MongoDB instance at Verifications IO, marking what Security Discovery called the biggest and most detailed email database it has reported on. Verifications IO is an email marketing company. The exposed number of records is around 809 million.
According to the report, upon verifying the 150GB sized file that wasn’t password protected, researcher Bob Diachenko wrote it was massive, with tons of emails available to the public and accessible to anyone who was online. Some of the data also included personally identifiable information, noted the report.
In the post the researcher said the data had 808,539,939 records with the biggest portion named “mailEmailDatabase.” The other portions were named Emailrecords, which has 798,171,891 records, emailWithPhone which had 4,150,600 records and businessLeads which 6,217,358 records, noted the report. The records also included email addresses, phone numbers, and addresses. Identifying data such as gender, date of birth, personal mortgage amount, interest rate, social media accounts, and credit score data was also exposed.
“As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database,” wrote the researcher in the report. “Based on the results, I came to the conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data. Although, not all records contained the detailed profile information about the email owner, a large number of records were very detailed.”
The researcher noted in the report that the database was taken down as soon as he sent a notification to the support at the company. “In addition to the email profiles, this database also had access details and a user list of (130 records), with names and credentials to access FTP server to upload / download email lists (hosted on the same IP with MongoDB). We can only speculate that this was not meant to be public data,” Diachenko wrote in the blog.