
809 million email addresses leaked from the Verifications.io service due to a publicly open MongoDB

Translator's note: the reason for translating this article was receiving a Have I Been Pwned notification that my data was in this leak.



Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150 gigabytes of marketing information in clear text, including 763 million unique email addresses. The find is not only huge but also unusual. It contains data about individual consumers as well as "business information", such as data on the employees and revenues of various companies. This diversity can be explained by the source of the information: a database owned by Verification.io, a service for "checking" email addresses. The database was taken offline the same day the researchers reported it to the company.
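The exposure class behind this incident, as an added illustration that is not part of the original article and not Verification.io's actual configuration: a mongod.conf that listens on every interface with authentication disabled, beside a hardened one. The private address 10.0.0.5 is an assumed placeholder for an application server.

```yaml
# Added example, not taken from the page or the affected service.
# Weak configuration: the server answers to anyone who can reach port 27017
# and requires no credentials, which is how an "unprotected MongoDB" ends up
# indexed by Internet-wide scanners and readable in clear text.
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on all interfaces, including the public one
security:
  authorization: disabled    # any connection gets full read/write access
---
# Hardened configuration: bind only to loopback and the private interface the
# application tier uses (10.0.0.5 is an assumed placeholder), and require every
# client to authenticate before it can read a single document.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

After restarting mongod, confirm the listener with `ss -ltnp | grep 27017`: the bound addresses should be the loopback and private ones only, never `0.0.0.0` or `*`.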


Although you have probably never heard of them, such companies play a crucial role in the email marketing industry. They do not send marketing emails on their own behalf and do not run automated newsletters. Instead, they check a customer's mailing list to make sure the email addresses in it are valid and do not bounce. But a full check that an email address is working involves sending a message to that address and confirming that it was delivered, which is essentially sending spam to people. This means the checker has to avoid being blocked by Internet providers and platforms such as Gmail. (There are less blatant ways to check email addresses, but they come at the cost of false positives.) The major email marketing providers often outsource this work rather than risk having their own infrastructure blacklisted.

"Companies have email lists and want to start sending out to them, but they're not sure how reliable they are," says Troia, founder of Night Lion Security. "Therefore, they go to a company that essentially sends spam." Troia suggests that the database may be so large and diverse because it contains all the data from Verification.io's customers. WIRED could not reach the company or its CEO, Vlad Strelkov, for several days. On Monday, the Verification.io website went offline and has not been restored since. (Copy in the Internet Archive; translator's note.)

In all, the 809 million entries in the Verification.io database include standard information such as names, email addresses, phone numbers and physical addresses. But many also include details such as gender, date of birth, mortgage amount, interest rate, Facebook, LinkedIn and Instagram accounts associated with the email addresses, and characterizations of people's credit rating (for example, average, above average, etc.). Meanwhile, other records in the database appear to relate to B2B sales, including company names, annual revenue figures, fax numbers, company websites and industry identifiers used to classify companies ("SIC" and "NAIC" codes).



The data does not contain social security numbers or credit card numbers, and the only passwords in the database are for Verification.io's own infrastructure. In general, most of the data is publicly available from various sources, but when criminals get a large aggregated data set into their hands, it becomes much easier for them to launch new fraud schemes or expand their target base.

In the open database, the researchers also found some of Verification.io's internal tooling, such as test email accounts, hundreds of SMTP servers (for sending email), email text, spam-prevention infrastructure, keywords to avoid, and IP addresses for its blacklist. Diachenko assumes that Verification.io clients upload an Excel spreadsheet containing the email addresses to be verified, and that Verification.io then runs its tests and returns lists of working addresses and of those that bounced. Given the fragmentation of the data and evidence that it was imported from many different Excel files, it is possible that Verification.io also retained some or all of the data received from customers after the verification of their email addresses was completed.

The researchers checked sample data with companies listed as Verification.io customers. Troia says his own information appeared in the database. WIRED talked with the owner of a company that does email marketing, and he confirmed the accuracy of the data. WIRED also checked four other people but did not find them on the list. Diachenko and Troia also point out that they have no way of knowing whether anyone else found the Verification.io data while it was publicly available. "I have no idea if anyone else got access to this other than us," says Troia. "But it was definitely available for everyone to download."

Security researcher Troy Hunt added the Verification.io data to his HaveIBeenPwned service, which helps people check whether their data has been compromised in leaks. He said that 35% of the 763 million email addresses were new to the HaveIBeenPwned database. The Verification.io dump is also the second-largest ever added to HaveIBeenPwned by number of email addresses, after the 773 million known as Collection #1, which were added earlier this year. Hunt says that some of his own information is included in the Verification.io database.

"The main conclusion for me is that this is just another case where someone has my data and hundreds of millions of other people's data, and I have absolutely no idea how they got it," says Hunt. "I had never heard of the company until now, and I certainly cannot remember agreeing to let them use my data. Of course, it is possible that some terms and conditions of service somewhere say that they can use my data like this, but this does not quite match my expectations of how my data should be used."

The fragmented nature of the data found in the Verification.io database speaks to the chaotic state of the data industry as a whole. People's personal information is handed over to huge corporations such as Facebook, bought and sold by dubious marketers, or stolen from data giants and doomed to circulate endlessly in the purgatory of criminal forums. It becomes ever harder for users to control who has their data and where it is. As Hunt puts it: "Unfortunately, this is just another day on the Internet."

Translator's note: this is my first translation on Habr; please report any errors or inaccuracies via private message.

Source: https://habr.com/ru/post/443122/
