Data security researchers Bob Diachenko and Vinny Troia disclosed the existence of a 150-gigabyte exposed database earlier this week. The database was hosted by an email marketing company called Verifications.io. True to its name, the firm’s core business is in verifying email addresses on its clients’ mailing lists.
The agency’s process involves sending out dummy emails to determine if a listed address is active or not. That way, its clients can run more effective marketing campaigns because they have verified leads.
The Nature of the Exposed Data
Verifications.io’s insecure drive contained a combination of personal and corporate information.
The largest segment of the company’s database consisted of 763 million records indexed by unique email addresses. Those records also included postal addresses, phone numbers, birth dates, ZIP codes, and gender data. Troia even came across his own personally identifiable information (PII). The exposed dataset also contained more than 6.2 million records on various companies in a file dubbed “business leads.”
Diachenko and Troia first confirmed the database had real PII. Then they sent a notification email to Verifications.io. The pair received an email response thanking them for detecting the exposure and noting the drive was no longer publicly accessible. As of this writing, the company’s website appears to be down.
How Hackers Could Use the Exposed Data
The email marketing company also claimed the exposed database only featured public information. How Verifications.io came to acquire 809 million records is unknown. It is also unclear whether the exposed parties consented to have their information used for marketing purposes.
One thing that is clear, though, is that maintaining an open database of nearly half a billion personal records is a big problem.
Troia said he couldn’t tell if anyone else had accessed the database. However, he did learn that 35 percent of the listed addresses were not already in Have I Been Pwned. So, for some 267 million people, this exposure may be the first time their PII has been made accessible to malicious actors.
Diachenko also laid out a disturbing scenario involving mass email verification. The data security expert explained that hackers could use a service like Verifications.io to validate illicitly acquired email addresses. A fraudster could then use the cleaned list to conduct far more efficient phishing and brute-force attacks.
How Do We Address the Data Breach Problem?
The increasing prevalence of data breaches is terrifying. Sadly, in the digital age, there seems to be no way to stop the trend. Every time people use their email or social media credentials to sign up for a new product or service, they put their personal information at risk.
Similarly, consumers can find their PII used for unsavory things because they agreed to abide by voluminous terms of service agreements without reading them.
While the tech sector seems unable to properly address the issue, the government is stepping up to the plate. Senator Elizabeth Warren noted that she wants to restrict access to user data in her recent bombshell policy proposal. Moreover, a Senate subcommittee recently called for new federal cybersecurity laws after investigating the Equifax data breach.
Though the problem of mass data insecurity began in the private sector, perhaps a federal intervention is the solution.