Verifications.io is a defunct email-focused technology firm whose primary practice was to validate email addresses for email marketing platforms. The company's platform allowed email marketing firms to submit lists to the company, which would check the lists for valid email addresses.
Company type | Private |
---|---|
Industry | Email marketing |
Defunct | March 25, 2019 |
Fate | Data breach |
Headquarters | Tallinn, Estonia (listed); Boca Raton, Florida (alleged) |
Area served | Worldwide |
The Verifications.io data leak was reported by several news sources as being the largest leak of U.S. citizens' PII in recorded history.[1]
The company's largest single data release contained 809 million records, 763 million of which were unique; together with the records exposed in three additional database leaks from the company, the total would come to over 2 billion records breached.[2]
In 2019, security researchers Vinny Troia and Bob Diachenko discovered the data from Verifications.io on a public MongoDB server that was set up without authentication.[3]
Operations and company history
Verifications.io offered its clients services that could verify whether emails bounced or were otherwise inactive, thereby helping email marketers send emails to actual users rather than random email addresses. The firm carried out its verifications using internal servers, which were matched against client records uploaded to the service for verification. The firm verified each email by sending a message to each address; if the message did not bounce, the firm considered it verified. Bounced emails were stored on a list which the firm could refer to in the event the same email was presented again.[4]
Verifications.io officially claimed to be an Estonian company based in Tallinn, though many press filings released by and about the company suggested that it was based in Boca Raton, Florida.[5]
Data leak
The Verifications.io data breach was discovered by security researchers Vinny Troia and Bob Diachenko in 2019.
The first Verifications.io data breach ultimately led to 763 million unique records being exposed to the web, with the vast majority of records containing PII and marketing data on U.S. citizens.[6]
The breakdown of the records was 798,171,891 email records, 4,150,600 phone records, and 6,217,358 business lead records, with each record including, at a minimum, zip code, a physical address, IP address, name, date of birth, gender and other marketing information.
The data leak was attributed to a MongoDB server that was left unsecured, allowing anybody with the correct link to access the information.[4]
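The exposure described above, a network-reachable MongoDB instance with no authentication, can be checked for in a server's configuration file. The following is an added example, not code from the cited sources or from the company; it assumes the standard `mongod.conf` keys `net.bindIp`, `net.bindIpAll` and `security.authorization` with MongoDB 3.6+ defaults, and both sample configurations are constructed, since the page does not give the server's actual settings.

```python
import ipaddress

# Constructed samples; the exposed server's real configuration is not on this page.
WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = "net:\n  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n"

def flatten_conf(text):
    """Flatten the nested-mapping subset of YAML used by mongod.conf into dotted keys."""
    flat, stack = {}, []                      # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave sections that have ended
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def loopback_only(flat):
    """True if mongod listens only on loopback (assumed default: localhost, as in 3.6+)."""
    if flat.get("net.bindIpAll", "false").lower() == "true":
        return False
    for addr in flat.get("net.bindIp", "localhost").split(","):
        try:
            if addr.strip() != "localhost" and not ipaddress.ip_address(addr.strip()).is_loopback:
                return False
        except ValueError:                    # hostname or socket path: assume reachable
            return False
    return True

def audit(text):
    """Classify a mongod.conf by the two settings that together caused this kind of leak."""
    flat = flatten_conf(text)
    auth = flat.get("security.authorization", "disabled").lower() == "enabled"
    exposed = not loopback_only(flat)
    if exposed and not auth:
        return "CRITICAL: network-reachable without authentication"
    if not auth:
        return "WARN: authentication disabled (loopback only)"
    return "OK: authentication required" + (", network-reachable" if exposed else "")
```

A host firewall or cloud security group can still block a listener that this check reports as reachable, so the result describes the database's own settings only.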
Troy Hunt, the founder of Have I Been Pwned?, predicted that approximately 35 percent of all records were new to the Have I Been Pwned? database; as of the leak, the Verifications.io breach was the second-largest breach added to Have I Been Pwned?, after Hunt's own Collection No. 1.[7][8] Many cybersecurity companies expressed immediate concern that the data released in the breach could be used for social engineering attacks. Daniel Markuson, the blog editor for the online privacy firm NordVPN, raised concerns that 1 in 9 people in the world could be the targets of a social engineering campaign.[9] McAfee additionally highlighted the database's potential to foster social engineering attacks against those whose information was exposed in it.[7]
The UK security firm DynaRisk, however, stated that Verifications.io was also linked to three other MongoDB data breaches. All four data breaches combined would bring the total number of records exposed to over 2 billion. DynaRisk further stated that the three other data breaches contained much more sensitive information, such as interest rates, mortgage amounts, Instagram and LinkedIn profiles linked to leaked emails, and credit scores.[10][11] Cybersecurity professional Bob Diachenko stated that while not every single record contained all the mentioned types of information, a large number of them were "very detailed".[12]
Response from the company
Diachenko emailed the company about the data breach; the company responded by stating it was taking "appropriate measures" to correct the breach. By March 4, 2019, the website for the company was taken down.[5] By March 15, MediaPost reported that Verifications.io was out of business.[13]
References
- ^ Newman, Lily Hay. "An Email Marketing Company Left 809 Million Records Exposed Online". Wired. ISSN 1059-1028. Retrieved 2023-09-07.
- ^ "Verifications.io breach: Database with 2 billion records leaked". 2019-03-11. Retrieved 2023-09-07.
- ^ "2 Billion Unencrypted Records Leaked In Marketing Data Breach". Forbes.com. Forbes. Retrieved 11 March 2024.
- ^ a b Diachenko, Bob (2019-03-07). "800+ Million Emails Leaked Online by Email Verification Service". securitydiscovery.com. Retrieved 2023-09-07.
- ^ a b Schwartz, Mathew J. (March 11, 2019). "Breach of 'Verifications.io' Exposes 763 Million Records". www.bankinfosecurity.com. Retrieved 2023-09-07.
- ^ Newman, Lily Hay. "An Email Marketing Company Left 809 Million Records Exposed Online". Wired. ISSN 1059-1028. Retrieved 2023-09-07.
- ^ a b McAfee (2019-03-08). "809 Million Records Left Exposed: How Users Can Protect Their Data". McAfee Blog. Retrieved 2023-09-07.
- ^ Newman, Lily Hay. "An Email Marketing Company Left 809 Million Records Exposed Online". Wired. ISSN 1059-1028. Retrieved 2023-09-07.
- ^ Markuson, Daniel (2019-03-08). "What you need to know: 1 out of 9 people just got breached". nordvpn.com. Retrieved 2023-09-07.
- ^ "Verifications.io breach: Database with 2 billion records leaked". 2019-03-11. Retrieved 2023-09-07.
- ^ Winder, Davey. "(Updated) 2 Billion Unencrypted Records Leaked In Marketing Data Breach --What To Do Next". Forbes. Retrieved 2023-09-07.
- ^ Huskerson, Tom (2019-04-10). "Breach Brief - Verifications.IO Exposes 2B Records!". On Tech Street. Retrieved 2023-09-07.
- ^ "Email Vendor Verifications.io Seems To Be Out Of Business Following Breach". www.mediapost.com. Retrieved 2023-09-07.
External links
Official website, archived on February 17, 2019, from the original