MongoDB Security Error Leaks 808m Records

Security researchers have discovered a massive trove of over 808 million records, including email addresses, phone numbers and other personally identifiable information (PII), left exposed on a MongoDB instance.

Bob Diachenko claimed to have found the non-password-protected, 150GB MongoDB instance at the end of February.

A “mailEmailDatabase” contained three folders: one with over 798 million email records; another with around 4.2 million email-plus-phone records; and a third with 6.2 million “business leads” records including gender, date of birth, mortgage details, corporate information, social media accounts and more.

“As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another ‘collection’ of previously leaked sources but a completely unique set of data,” explained Diachenko in a blog post.

“Although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records.”

The researcher at first believed the plain text trove belonged to a professional spammer, but soon found out that the database owner was actually an “email validation” firm, Verifications.io — which tries email lists on behalf of its clients to see if they are still working accounts.

“The database(s) included email accounts they use for sending mail as well as hundreds of SMTP servers, email, spam traps, keywords to avoid, IP addresses to blacklist, and more. This is why I initially thought they were potentially engaged in spam-related activities,” he explained.

“It turns out that technically they actually are sending unwanted and unsolicited emails. This is the worst kind of spam because they send millions of completely worthless ‘hello’ emails that no one can understand.”

In fact, the service could even be used by cyber-criminals as a quick, easy and quiet way of validating their own email lists to improve the success rates of phishing/brute-forcing campaigns, he suggested.

Verifications.io took the list down as soon as it was notified by Diachenko and co-researcher Vinny Troia, but claimed in an email to him that it was public and not client data. The entire site is now down.