Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

An email marketing company left 809 million records exposed online

From: InfoSec News <alerts () infosecnews org>
Date: Tue, 12 Mar 2019 07:47:37 +0000 (UTC)
https://arstechnica.com/information-technology/2019/03/an-email-marketing-company-left-809-million-records-exposed-online/

By Lily Hay Newman
Wired.com
3/9/2019
By this point, you've hopefully gotten the message that your personal data can end up exposed in all sorts of unexpected Internet backwaters. But increased awareness hasn't slowed the problem. In fact, it's only grown bigger—and more confounding.
Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes of detailed, plaintext marketing data—including 763 million unique email addresses. The pair went public with their findings this week. The trove is not only massive but also unusual; it contains data about individual consumers as well as what appears to be "business intelligence data," like employee and revenue figures from various companies. This diversity may stem from the information's source. The database, owned by the "email validation" firm Verifications.io, was taken offline the same day Diachenko reported it to the company.
While you've likely never heard of them, validators play a crucial role in the email marketing industry. They don't send out marketing emails on their own behalf or facilitate automated mass email campaigns. Instead, they vet a customer's mailing list to ensure that the email addresses in it are valid and won't bounce back. Some email marketing firms offer this mechanism in-house. But fully verifying that an email address works involves sending a message to the address and confirming that it was delivered—essentially spamming people. That means evading protections of Internet service providers and platforms like Gmail. (There are less invasive ways to validate email addresses, but they have a tradeoff of false positives.) Mainstream email marketing firms often outsource this work rather than take on the risk of having their infrastructure blacklisted by spam filters or lowering their online reputation scores.
"Companies have email lists and want to start emailing them, but they're not sure how valid they are," says Troia, who founded the firm Night Lion Security. "So they go to a company that will essentially send out spam." Troia speculates, but has not confirmed, that the database may be so large and varied because it comprises all of Verification.io's customers' data. WIRED was unable over the course of several days to contact the company or CEO Vlad Strelkov. On Monday, the entire Verifications.io website went offline and has not been restored since. 

[...]


--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
Previous By Date Next
Previous By Thread Next

Current thread: