798 million e-mail addresses leaked through MongoDB database

Security researchers Bob Diachenko and Vinny Troia have discovered a publicly accessible database owned by an email validation company. The MongoDB database contained nearly 800 million email addresses, as well as other data, which were visible to everyone.

Diachenko and Troia discovered the database on February 25th, but are only now announcing it. The data was in an incorrectly configured MongoDB database, reports Silicon Angle. The database is owned by a company called Verifications.io, which offers services to companies that want to check mailing lists for valid email addresses.

The database contained 150 GB of data, including 798 million e-mail addresses. More than 4 million e-mail addresses also contain telephone numbers. More than 6 million pieces of information have been identified as business leads containing personal information. The total amount of data involved is almost 809 million.

High risk

The database was taken offline by Verifications.io after being informed by the security researchers that it was publicly available. The company now seems to be offline in its entirety. It is not clear whether cybercriminals or others were in the database before it was taken offline. However, it implies that it was a serious risk.

According to Chris DeRamus, CTO at DivvyCloud, the data leaked is “unique and easy to abuse”. “If a criminal were to discover this huge source of data, they could easily validate and misuse users’ contact information to launch a more targeted phishing or brute-force campaign.

Automated security solutions could also have detected the misconfiguration in the MongoDB database, says DeRamus. These solutions could have been notified to the staff in order to resolve the error, or triggered an automated solution in real time. “These solutions are essential to enforce policy, reduce risk and improve security in large hybrid cloud infrastructures,” said the CTO.