3/11/2019 In February 2019, a publicly accessible MongoDB database belonging to verifications.io, with no password set, was discovered. Anyone who found the server could read and download its contents, although that does not by itself make doing so lawful in every jurisdiction.
What data was leaked?
The security researcher who made the discovery, Bob Diachenko, says that 'although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed.' That detail included commonplace breach data such as email addresses and phone numbers, but went far beyond the basics: dates of birth, mortgage amounts and interest rates, and social media accounts linked to the email addresses in question. Add basic credit scoring data, company names and revenue figures to that list as well.
Should you be worried?
Yes, of course you should. This was, after all, a massive leak of the kind of personal information that would be a goldmine for the phishers and spammers of this world. However, that concern can be diluted by a number of factors. Not least, nobody has yet found compelling evidence that the data has been used for any criminal purpose. Although the databases were accessible for some time, the service was taken offline as soon as the problem was disclosed to Verifications IO, and it remains offline. That means criminals alerted by this news can no longer pull the data from that server, although it does not rule out copies taken while it was exposed. What's just as important as what was in the breach is what wasn't: there were no social security numbers, no credit card numbers and no passwords. And, importantly, this was a leak, not a hack: white hat researchers found the data was accessible rather than black hats looking to exploit it.
Can you mitigate your risk?
Yes, if you apply the basics of good cybersecurity hygiene. That means being alert to the phishing risk and applying more skepticism than usual to unexpected emails, text messages, social media communications and even snail mail that want you to check out a link, open an attachment and so on. If threat actors have got hold of this data, it provides all the ammunition they need to appear like a trustworthy organization in their communications. If a message really does sound genuine and you are tempted to respond as instructed, don't. Instead, I always advise people to take the extra minute to contact the sender through another means: if it's a bank or commercial concern, search for them and browse to their site using that address rather than the link in the message, and do the same with phone numbers. Remember that banks won't contact you by email regarding a security matter, nor will they ask for your account details over the phone. Don't let your security sense slip just because something sounds plausible, especially if a loss of money has been mentioned!
Update
Following publication of this story I have had conversations with Vinny Troia, founder of NightLion Security and one of the researchers who discovered the leak, as well as Andrew Martin, the founder and CEO at DynaRisk whose researchers came up with the two billion records figure. After Troia got in touch to dispute the bigger figure, I had an email conversation with Martin. 'I think the confusion has arisen because of different ways of interpreting the results' Martin stated, continuing 'the original analysis done by the other researchers is correct. They appear to have analyzed the 'mainEmailDatabase' and found 808m records.' Martin then explained that DynaRisk analyzed the other three databases, namely 'EmailScrub, PyEmail, VerifiedEmails' which were to be found on the same server. 'These three additional databases have 1.278 billion records, adding them together we got over two billion records.' Having now had a chance to parse the records from the other three databases for email addresses, Martin says that there are an additional 191 million bringing the total of email addresses alone to 999 million.
However, during an online chat session, Troia disputed those numbers. 'We parsed and checked all of those' Troia insists, continuing 'a lot are garbage email addresses and duplicates; after we de-duped we came to 800 million.' Troia also tells me that he has double-checked the data with both Bob Diachenko and Troy Hunt and 'our numbers are all the same…' I went back to Martin with this information and he told me that 'their original research just discusses the records found in mailEmailDatabase and counts those records.'
While there is a sense of stalemate concerning the actual numbers here, I think I can leave the last word with Troia who points out that even at 800 million records this is still a pretty massive leak. 'From the sound of it a lot of other people were able to access this data before we did' Troia admits, concluding 'I know of at least two others so there's a fairly good chance some bad guys got hold of something…'