A shady email marketing company left 800 million email address exposed online, then disappeared off the internet

Facepalm: Security researchers discovered a 150GB publicly accessible database containing more than 800 million entries. The database was managed by an email marketing company that specialized in verifying whether or not email addresses were valid. The company has since disappeared from the internet.

When companies want to send out marketing material to a large email list, the first thing they do is validate the list to make sure the addresses on it are real. This is difficult to do because it usually involves sending a real email to everyone on the list and checking to see if any messages bounce. Because of this difficulty and spam filters, marketing campaigns usually outsource this type of verification to third parties.

Verifications.io was one of these such companies and their massive database was just discovered online. Security researchers Bob Diachenko and Vinny Troia found the MongoDB instance and were surprised at both its size and contents. In addition to email addresses, it also contained large amounts of personally identifiable information (PII), business analytics data, credit ratings, social media accounts, and more.

Most of the data in this list is generally publicly available, but aggregating a collection of it together can be used for many nefarious purposes. For example, if an attacker wants to break into a company, he can use the list to search for likely password matches or gain other information useful social engineering.

The researchers were interviewed by Wired for an in-depth article on the issue. They aren't sure if the list was accessed by anyone else, but it was certainly available to anyone on the internet. The data has been added to the HaveIBeenPwned database which can be used to see if your data was affected. It's always a good idea to check this service periodically and change any passwords associated with accounts that come up as pwned in the database.

Not much is known about Verifications.io since these companies often employ shady spam tactics to verify their email lists. After the database was discovered, their website had been taken down and they were unavailable for comment.