More than two billion people were part of a massive data breach in late February that it is being called one of the biggest data breaches in history.
Verifications.io, a data validation company, unknowingly leaked the records of 2,069,145,043 people, which included verified emails, phone numbers, addresses, dates of birth, Facebook, LinkedIn and Instagram account details, credit scoring and even mortgage data such as amount owed and interest rates, HackRead reported.
Originally, just 808 million records were discovered in the breached database, but after a closer review in March, the number surged to more than two billion across four databases.
The colossal breach was discovered by security researcher Bob Diachenko and fellow researcher Vinny Troia, who were able to link the unsecured database with to the Verifications IO enterprise email validation service.
Bob Diachenko wrote in his blog, “On Feb. 25, I discovered a non-password protected 150 GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification, I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of data was much more detailed than just the email address and included personally identifiable information.”
Troy Hunt of “HaveIBeenPwned” said the leak is the second largest in history, but the largest data breach that comes from one single source. The previous record-breaking data breach was known as “Collection #1 and exposed in January.
Emails of nearly 1 billion people leaked in massive data breach https://t.co/njHxDUVhBR pic.twitter.com/qIUnh83y1S
— Fixie NEWS (@Fixienewsonline) March 30, 2019
Diachenko said he cross-checked a random sample of the records in the latest breach with Troy Hunt’s HaveIBeenPwned database and determined that many of the latest records were unique. Not all records contained all user details, however, many did, according to Forbes.
Diachenko informed Verifications.io to the exposed MongoDB instance and received an email back that thanked him for reporting the issue and that they were quickly able to secure the database.
“The database(s) included email accounts they use for sending mail as well as hundreds of SMTP servers, email, spam traps, keywords to avoid, IP addresses to blacklist and more,” Diachenko said. “This is why I initially thought they were potentially engaged in spam-related activities. It turns out that technically they actually are sending unwanted and unsolicited emails. This is the worst kind of spam because they send millions of completely worthless ‘hello’ emails that no one can understand.”
Verifications.io’s website went down on March 4 and no one from the company has been available for comment.