Security Experts:

Unprotected MongoDB Instance Exposes 800 Million Emails

An unprotected MongoDB database was recently found exposing over 800 million records, including email addresses and phone numbers. 

Discovered on February 25 by security researcher Bob Diachenko, the MongoDB instance weighed in at 150 gigabytes and allowed anyone with an Internet connection to access the information within. 

While most of the 808,539,939 records in the database’s four separate collections of data were email addresses, others were found to contain far more details, including personally identifiable information (PII).

An Emailrecords section, which included 798,171,891 records, “was structured to include zip / phone / address / gender / email / user IP / DOB,” the researcher says. He also identified an emailWithPhone section containing 4,150,600 records and a businessLeads section that included 6,217,358 records.

“Although, not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records,” the researcher points out. 

Diachenko says he checked some of the records against Troy Hunt’s HaveIBeenPwned database and discovered that this MongoDB instance was not part of a collection of data gathered from various breaches and leaks, but a completely unique set of data. 

The unprotected Mongo instance was found to belong to a company named Verifications.io, which claims to offer the services of ‘Enterprise Email Validation’, but which would store emails submitted for verification in plain text. 

The researcher reported the discovery to Verifications.io, which acknowledged that the database belonged to them, claiming that it was only briefly exposed and that it contained public information, not client data.  The company’s site was taken offline soon after and remains down. 

Such services, the researcher notes, could be abused for malicious purposes, given the manner in which it works. It allows users to upload a list of email addresses they want to validate, then sends a “hello” message to these addresses, and validates them if the message doesn’t bounce back, or puts them in a bounce list for later validation. 

This would allow an actor to submit thousands of emails and learn which ones are real. Armed with “a cleaned, verified, and valid list of users,” the actor can then start more focused phishing, or even brute forcing attacks, if they also have passwords associated with the emails. 

“The database(s) included email accounts they use for sending mail as well as hundreds of SMTP servers, email, spam traps, keywords to avoid, IP addresses to blacklist, and more. This is why I initially thought they were potentially engaged in spam related activities. It turns out that technically they actually are sending unwanted and unsolicited emails,” Diachenko explains.

The researcher also underlines that the company inexplicably took down both its site and the database, although it claimed that the data there was public. 

In addition to email profiles and said PII, the database also exposed a user list (of 130 records), “with names and credentials to access FTP server to upload / download email lists (hosted on the same IP with MongoDB),” which was likely not intended to be public, Diachenko notes. 

“The data exposed in this leak of nearly 809 million records is unique, and highly exploitable since it includes business intelligence data such as employee and revenue figures from various companies, as well as genders, user IP addresses, email addresses, dates of birth and more. If a bad actor were to discover this massive trove of data, they could easily validate the contact information for the users included to launch a more focused phishing or brute force campaign,” Chris DeRamus, CTO, DivvyCloud, told SecurityWeek in an emailed comment.

“We live in a world where data is king—collecting, storing and leveraging data is essential to running just about any type of business you can think of. All the more reason organizations must be diligent in ensuring data is protected with proper security controls,” DeRamus added. 

Related: Dow Jones Watchlist Found Exposed to Open Internet

Related: Robocalling Firm Exposes U.S. Voter Records

view counter