Unprotected MongoDB Instance Exposes 800 Million Emails

An unprotected MongoDB database was recently found exposing over 800 million records, including email addresses and phone numbers. 

Discovered on February 25 by security researcher Bob Diachenko, the MongoDB instance weighed in at 150 gigabytes and allowed anyone with an Internet connection to access the information within. 
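The exposure described above is the classic outcome of a MongoDB instance listening on a public interface with no access control. The following mongod.conf fragment is an added illustration, not configuration from the page or from Verifications.io: it contrasts the weak settings that produce an Internet-readable database with the hardened equivalents (the file path and interface address are assumed for the example).

```yaml
# Weak configuration (assumed for illustration): mongod listens on every
# interface and accepts unauthenticated connections, so anyone who can reach
# the port can read and dump every collection.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled

---
# Hardened configuration: bind only to the loopback address (or a private
# application network), require authenticated users with roles, and close the
# localhost auth bypass once an administrative user has been created.
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
setParameter:
  enableLocalhostAuthBypass: false
```

After enabling authorization, create an administrative user first, since the localhost exception is what lets the initial account be provisioned; verifying the result means confirming from an outside host that the port is unreachable and that an unauthenticated connection is rejected.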

While most of the 808,539,939 records in the database’s four separate collections of data were email addresses, others were found to contain far more details, including personally identifiable information (PII).

An Emailrecords section, which included 798,171,891 records, “was structured to include zip / phone / address / gender / email / user IP / DOB,” the researcher says. He also identified an emailWithPhone section containing 4,150,600 records and a businessLeads section that included 6,217,358 records.

“Although, not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records,” the researcher points out. 

Diachenko says he checked some of the records against Troy Hunt’s HaveIBeenPwned database and discovered that this MongoDB instance was not part of a collection of data gathered from various breaches and leaks, but a completely unique set of data. 

The unprotected Mongo instance was found to belong to a company named Verifications.io, which claims to offer ‘Enterprise Email Validation’ services but stored the emails submitted for verification in plain text. 

The researcher reported the discovery to Verifications.io, which acknowledged that the database belonged to them, claiming that it was only briefly exposed and that it contained public information, not client data. The company’s site was taken offline soon after and remains down. 


Such services, the researcher notes, could be abused for malicious purposes because of the way they work. The service allows users to upload a list of email addresses they want to validate, then sends a “hello” message to these addresses and marks them valid if the message doesn’t bounce back, or puts them in a bounce list for later validation. 

This would allow an actor to submit thousands of emails and learn which ones are real. Armed with “a cleaned, verified, and valid list of users,” the actor can then start more focused phishing, or even brute-force attacks if they also have passwords associated with the emails. 

“The database(s) included email accounts they use for sending mail as well as hundreds of SMTP servers, email, spam traps, keywords to avoid, IP addresses to blacklist, and more. This is why I initially thought they were potentially engaged in spam related activities. It turns out that technically they actually are sending unwanted and unsolicited emails,” Diachenko explains.

The researcher also underlines that the company inexplicably took down both its site and the database, although it claimed that the data there was public. 

In addition to email profiles and said PII, the database also exposed a user list (of 130 records), “with names and credentials to access FTP server to upload / download email lists (hosted on the same IP with MongoDB),” which was likely not intended to be public, Diachenko notes. 

“The data exposed in this leak of nearly 809 million records is unique, and highly exploitable since it includes business intelligence data such as employee and revenue figures from various companies, as well as genders, user IP addresses, email addresses, dates of birth and more. If a bad actor were to discover this massive trove of data, they could easily validate the contact information for the users included to launch a more focused phishing or brute force campaign,” Chris DeRamus, CTO, DivvyCloud, told SecurityWeek in an emailed comment.

“We live in a world where data is king—collecting, storing and leveraging data is essential to running just about any type of business you can think of. All the more reason organizations must be diligent in ensuring data is protected with proper security controls,” DeRamus added. 

Related: Dow Jones Watchlist Found Exposed to Open Internet

Related: Robocalling Firm Exposes U.S. Voter Records

Ionut Arghire is an international correspondent for SecurityWeek.
