Email addresses of almost a BILLION people are leaked in one of the biggest data breaches ever - and hackers could now have access to your name, date of birth and even where you LIVE
- ‘Email validation’ firm was taken offline when the enormous breach was reported
- Personal information such as names, addresses and employers was also exposed
- Verifications.io is a company offering ‘enterprise email validation’ as a service
- Validators ensure that the email addresses in a list are valid and won’t bounce
Almost one billion people's personal data has been exposed online by a shadowy marketing company that has since disappeared without a trace.
Email addresses of 982 million people were listed in what researchers are calling one of the 'biggest and most comprehensive email database' breaches ever.
Personal information including names, gender, date of birth, employer, details of social media accounts and even home addresses was listed alongside them.
Security researchers uncovered the breach in an online database created by Verifications.io that had no password or other access controls in place.
The firm offered an 'enterprise email validation' service that let other marketing firms check whether the lists of email addresses they had harvested were real.
Verifications.io took down its website after the leak was uncovered and has declined requests for comment on the situation.
Little is known about the people behind the business, whose backers maintain their anonymity because of the dubious tactics it employs.
Hundreds of millions of people's personal data has been exposed online by a marketing company that has since taken its website down. Pictured here is a screen grab of the website when it was active
HOW EMAIL VERIFICATION COMPANIES WORK
1. Companies or individuals upload a list of email addresses that they want to validate.
2. The verification service uses its own mail servers and sending accounts to 'validate' each address.
3. It does this by literally sending each address on the list an email.
4. If the message does not bounce, the address is validated. If it bounces, the address is put in a separate list so it can be blacklisted.
The website went offline after cyber-security expert Bob Diachenko, one of the researchers who found the breach, notified its support team.
It was unclear whether the exposed data was accessed by others, but hackers are often quick to strike when leaks occur.
Passwords and payment card details were not leaked, but other records in the collection included company names, annual revenue figures, company websites and even personal addresses.
Mr Diachenko, along with NightLion Security's Vinny Troia, cross-referenced the datasets with the Have I Been Pwned database, a searchable index of known public data breaches.
They were then able to establish that the Verifications.io leak contained unique records that had never been exposed in any previous breach 'collections'.
‘This is perhaps the biggest and most comprehensive email database I have ever reported,’ Mr Diachenko wrote in his post.
‘Upon verification, I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection.
‘Some of the data was much more detailed than just the email address and included personally identifiable information (PII).’
A screengrab of the website today. It was taken down after security researchers uncovered the breach, which the company had left in an unsecured online database; the company sends out tens of thousands of emails to validate these users
HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED
Have I Been Pwned?
Cybersecurity expert and Microsoft regional director Troy Hunt runs 'Have I Been Pwned'.
The website lets you check whether your email address has appeared in any of the known data breaches it has indexed.
If your email address pops up, change the password on the affected account and anywhere else you reused it.
To check an email address, go to the site's homepage and enter it; the search tool compares it against the historical data breaches that made this information publicly visible.
To check a password, use the site's separate 'Pwned Passwords' page rather than the homepage search.
If your password does pop up, you are at a greater risk of hack attacks, fraud and other cybercrimes, because attackers try known breached passwords first.
Mr Hunt built the password check so people can see whether a password they would like to use is on a list of known breached passwords.
The site does not store passwords next to any personally identifiable data, and every password is held only as a hash, never in plaintext.
Other Safety Tips
Mr Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save a unique password for each service you use.
Next, enable two-factor authentication wherever it is offered. Lastly, keep abreast of any breaches so that you can change a password as soon as it is exposed.
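How a password can be checked against Have I Been Pwned without the password itself, or even its full hash, leaving your machine, as an added example that is not Mr Hunt's code or the page's own: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix in that range, so the comparison happens locally (the service's k-anonymity scheme). The endpoint URL and the Add-Padding header are the service's documented ones; the sample range response, its extra suffixes and every count in it are constructed for the offline demonstration and are not real figures.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API.

Only the first five hex characters of the password's SHA-1 hash leave the
machine (k-anonymity); the service returns every known hash suffix in that
range and the comparison is done locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: the
    5-character prefix is sent to the API, the 35-character suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if it is absent.  Padded responses (Add-Padding
    header) contain filler entries with a count of 0, which count as 'not found'."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (needs network): fetch the range for a 5-character prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed offline stand-in for the API: a range for prefix 5BAA6 (the
# SHA-1 of "password" starts 5BAA61E4...).  The other suffixes and every
# count are made up for the demonstration; real ranges run to hundreds of lines.
_, PASSWORD_SUFFIX = split_hash("password")
OFFLINE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        PASSWORD_SUFFIX + ":3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0",   # padding entry, ignored
    ]),
}


def offline_fetch(prefix):
    """Stand-in for fetch_range that answers from the constructed data."""
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; because only the five-character prefix is transmitted, the service cannot tell which of the several hundred hashes in that range you were interested in.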
The researchers said that Verifications.io offered a service to marketers where it would ‘verify’ lists of email addresses.
Marketing companies often employ third-party verification companies to do this, because of the tedious effort of doing it manually and the increasing effectiveness of spam filters.
Cyber security expert Bob Diachenko, one of the researchers who found the breach
Marketing companies use these services on large email lists they need to 'validate', confirming which addresses are real and still active.
This usually involves sending an email to everyone on the list and checking which messages bounce.
Addresses that bounce are put in a 'bounce list' so they can be excluded from future sends, and the rest are returned as a clean list.
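The bounce-sorting step described in the 'How email verification companies work' box and again in the paragraphs above, as an added worked example that is not code from Verifications.io or from the researchers: it parses the delivery status notifications (DSNs) a mail server returns for undeliverable messages and splits the sent list into the validated list and the bounce list. The three replies, the addresses and the hosts are constructed samples; the split between 5.x.x (permanent) and 4.x.x (temporary) status codes is standard RFC 3464 behaviour that the page does not spell out.

```python
"""Split a mailing list into 'validated' and 'bounce' lists from DSN replies.

A bounce is an RFC 3464 delivery status notification: a multipart/report
message whose message/delivery-status part names the Final-Recipient and a
Status code (5.x.x permanent failure, 4.x.x temporary failure).
"""
import email
from email import policy

# Constructed sample replies as the validator's sending mailbox would see
# them (addresses and hosts are made up; the human-readable first part of
# each report is omitted for brevity).
HARD_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: validator@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--B1--
"""

SOFT_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: validator@example.net
Subject: Delayed Mail (still being retried)
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; carol@example.org
Action: delayed
Status: 4.2.2
--B2--
"""

AUTO_REPLY = """\
From: alice@example.org
To: validator@example.net
Subject: Automatic reply: hi
Content-Type: text/plain

I am out of the office and will reply on my return.
"""


def bounce_recipients(raw_message):
    """Return [(address, status)] for each recipient a DSN reports on.

    Anything that is not a DSN (auto-responders, human replies) gives []."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return []
    found = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package parses this part into one header block per
        # paragraph: first the per-message block, then one per recipient.
        for block in part.get_payload():
            rcpt, status = block.get("Final-Recipient"), block.get("Status")
            if rcpt is None or status is None:
                continue  # per-message block (Reporting-MTA), no recipient
            address = str(rcpt).split(";", 1)[-1].strip().lower()
            found.append((address, str(status).strip()))
    return found


def sort_list(sent, replies):
    """Return (validated, bounced, deferred).

    5.x.x goes on the bounce list; 4.x.x is a temporary failure that should
    be retried, not blacklisted, so it is kept apart from both lists."""
    bounced, deferred = set(), set()
    for raw in replies:
        for address, status in bounce_recipients(raw):
            if status.startswith("5."):
                bounced.add(address)
            elif status.startswith("4."):
                deferred.add(address)
    validated = [a for a in sent if a.lower() not in bounced | deferred]
    return validated, sorted(bounced), sorted(deferred)


SENT = ["alice@example.org", "nobody@example.org", "carol@example.org"]
REPLIES = [HARD_BOUNCE, SOFT_BOUNCE, AUTO_REPLY]

if __name__ == "__main__":
    validated, bounced, deferred = sort_list(SENT, REPLIES)
    print("validated  :", validated)
    print("bounce list:", bounced)
    print("retry later:", deferred)
```

The caveat a practitioner would add: a 4.x.x 'delayed' notification (full mailbox, greylisting) is not evidence that an address is dead, so the example keeps those addresses off the bounce list for a retry instead of blacklisting them on the first attempt.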
The company, which gives an address in Estonia, sends out tens of thousands of emails to validate these addresses.
Data breaches like this put the people involved at a much higher risk of being exposed to not only nuisance calls and emails but also hack attacks and fraud.
According to Mr Diachenko, each address on the list receives its own spam message saying 'hi'.
The company then returns a verified, valid list of addresses to its clients, who can use it to launch a more focused phishing campaign.
The researchers said that marketing companies hide behind services like this so that their own mail servers are not blacklisted for spamming.