Verifications.io

Company type: Private
Industry: Email marketing
Defunct: March 25, 2019
Fate: Data breach
Headquarters: Tallinn, Estonia (listed); Boca Raton, Florida (alleged)
Area served: Worldwide

Verifications.io is a defunct email-focused technology firm whose primary practice was to validate email addresses for email marketing platforms. The company's platform allowed for email marketing firms to submit lists to the company, which would verify the lists for valid email addresses.

The Verifications.io data leak was reported by several news sources as the largest leak of U.S. citizens' PII in recorded history. [1]

The company's largest single data release contained 809 million records, 763 million of which were unique; together with three additional database leaks from the company, the total number of records exposed would come to over 2 billion. [2]

In 2019, security researchers Vinny Troia and Bob Diachenko discovered the data from Verifications.io on a public MongoDB server which was set up without authentication. [3]

Operations and company history

Verifications.io offered its clients services which could verify whether emails bounced or were otherwise inactive, thereby helping email marketers send emails to actual users rather than random email addresses. The firm performed its verifications on internal servers, matching them against client records uploaded to the service for verification. The firm verified each email by sending a message to the address; if the message did not bounce, the firm considered it verified. Bounced emails were stored on a list which the firm could refer to if the same address was presented again. [4]

Verifications.io officially claimed to be an Estonian company based out of Tallinn, though many press filings released from and about the company suggested that it was based out of Boca Raton, Florida. [5]

Data leak

The Verifications.io data breach was discovered by security researchers Vinny Troia and Bob Diachenko in 2019.

The first Verifications.io data breach ultimately led to 763 million unique records being exposed to the web, with the vast majority of records containing PII and marketing data on U.S. citizens. [6]

The records broke down into 798,171,891 email records, 4,150,600 phone records, and 6,217,358 business lead records, with each record including, at a minimum, a zip code, physical address, IP address, name, date of birth, gender and other marketing information.

The data leak was attributed to an unsecured MongoDB server that was left unprotected, allowing anybody to access the information with the correct link. [4]
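
The two conditions behind this kind of exposure, a MongoDB listener reachable beyond the local host and access control left off, can be checked in a server's `mongod.conf`. The audit below is an added example, not code from Verifications.io or from the sources cited here; both sample configurations are constructed, and it assumes the MongoDB 3.6+ default of binding to localhost when `net.bindIp` is absent.

```python
import ipaddress

# Constructed samples: the actual Verifications.io configuration is not public.
WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n"
            "security:\n  authorization: enabled\n")

def flatten(conf_text):
    """Flatten the nested-mapping subset of YAML used by mongod.conf to dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def is_local(host):
    """True for loopback addresses, 'localhost' and UNIX socket paths."""
    if host == "localhost" or host.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as network-reachable

def audit(conf_text):
    conf = flatten(conf_text)
    hosts = [h.strip() for h in conf.get("net.bindIp", "127.0.0.1").split(",")]
    exposed = (conf.get("net.bindIpAll", "false").lower() == "true"
               or any(not is_local(h) for h in hosts))
    auth = conf.get("security.authorization", "disabled").lower() == "enabled"
    if auth:
        verdict = "ok"
    elif exposed:
        verdict = "open-to-network"  # the combination described in this article
    else:
        verdict = "auth-disabled-local-only"
    return {"listens_beyond_loopback": exposed, "auth_enabled": auth,
            "verdict": verdict}
```

A `verdict` of `ok` only means access control is switched on; firewall rules and account strength still decide who can actually reach and read the data.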

Troy Hunt, the founder of Have I Been Pwned?, predicted that approximately 35 percent of all records were new to the Have I Been Pwned? database; as of the leak, the Verifications.io breach was the second largest breach added to Have I Been Pwned? after Hunt's own Collection No. 1. [7] [8] Many cybersecurity companies showed immediate concern that the data released in the breach could be used for social engineering attacks. Daniel Markuson, the blog editor for the online privacy firm NordVPN, raised concerns that 1 in 9 people in the world could be the targets of a social engineering campaign. [9] McAfee additionally highlighted the database's potential to foster social engineering attacks against those whose information was exposed in it. [7]

The UK security firm DynaRisk, however, stated that Verifications.io was also linked to three other MongoDB data breaches. All four data breaches combined would bring the total number of records exposed to over 2 billion. DynaRisk further stated that the three other data breaches contained much more sensitive information, such as interest rates, mortgage amounts, Instagram and LinkedIn profiles linked to leaked emails, and credit scores. [10] [11] Cybersecurity professional Bob Diachenko stated that while not every single record contained all the mentioned types of information, a large number of them were "very detailed". [12]

Response from the company

Diachenko emailed the company about the data breach, and the company responded by stating it was taking "appropriate measures" to correct the breach. By March 4, 2019, the website for the company was taken down. [5] By March 15, MediaPost reported that Verifications.io was out of business. [13]

References

  1. Hay Newman, Lily. "An Email Marketing Company Left 809 Million Records Exposed Online". Wired. ISSN 1059-1028. Retrieved 2023-09-07.
  2. "Verifications.io breach: Database with 2 billion records leaked". 2019-03-11. Retrieved 2023-09-07.
  3. "2 Billion Unencrypted Records Leaked In Marketing Data Breach". Forbes.com. Forbes. Retrieved 11 March 2024.
  4. Diachenko, Bob (2019-03-07). "800+ Million Emails Leaked Online by Email Verification Service". securitydiscovery.com. Retrieved 2023-09-07.
  5. Schwartz, Mathew J. (March 11, 2019). "Breach of 'Verifications.io' Exposes 763 Million Records". www.bankinfosecurity.com. Retrieved 2023-09-07.
  6. Hay Newman, Lily. "An Email Marketing Company Left 809 Million Records Exposed Online". Wired. ISSN 1059-1028. Retrieved 2023-09-07.
  7. McAfee (2019-03-08). "809 Million Records Left Exposed: How Users Can Protect Their Data". McAfee Blog. Retrieved 2023-09-07.
  8. Newman, Lily Hay. "An Email Marketing Company Left 809 Million Records Exposed Online". Wired. ISSN 1059-1028. Retrieved 2023-09-07.
  9. Markuson, Daniel (2019-03-08). "What you need to know: 1 out of 9 people just got breached". nordvpn.com. Retrieved 2023-09-07.
  10. "Verifications.io breach: Database with 2 billion records leaked". 2019-03-11. Retrieved 2023-09-07.
  11. Winder, Davey. "(Updated) 2 Billion Unencrypted Records Leaked In Marketing Data Breach --What To Do Next". Forbes. Retrieved 2023-09-07.
  12. Huskerson, Tom (2019-04-10). "Breach Brief - Verifications.IO Exposes 2B Records!". On Tech Street. Retrieved 2023-09-07.
  13. "Email Vendor Verifications.io Seems To Be Out Of Business Following Breach". www.mediapost.com. Retrieved 2023-09-07.

Official website, archived on February 17, 2019, from the original