In late February, two cybersecurity researchers happened upon one of the largest non-password protected email databases on the web.
Bob Diachenko and Vinny Troia of the website SecurityDiscovery.com, found the online database of email addresses and personal information with more than 150GB of data, totaling over 800 million records with limited-to-no security. Their astounding find rooted back to the email validation service company Verifications.io.
In the database, Verifications.io had three folders titled “businessLeads,” “Emailrecords,” and “emailWithPhone,” with each making up millions of records. “Emailrecords” had nearly 800 million alone, while the other two folders had more than 4 million and 6 million, respectively. In addition to email addresses, “Emailrecords” also contained zip codes, phone numbers, addresses, gender, and date of birth information.
Diachenko alerted Verifications.io of the breach via a ticket on the company’s website, which prompted the removal of the database from the web and a response from the company stating no personally identifiable information had been included in the records.
Verifications.io is an email validation service for marketing companies, which works by keeping records of deliverable emails and vetting addresses against a company’s email list. The service will send an email to an address to see if it will be delivered or bounce back, then keep a record of active addresses for companies to utilize with marketing email campaigns. These services keep marketing companies from being flagged as spam by sending multiple emails in a short timeframe.
Protecting your email address is as simple as routinely changing the account password with a strong credential, using a secure email service, and selecting obscure (or false) information about yourself for security questions.
If you have concerns around business email security, contact Archetype SC’s security team to set up a consultation for SRVA, our security assessment tool that can scan your network for vulnerabilities that could be exploited by cybercriminals.