Spam-support site leaves 800 million email addresses – and more – out in the open

A huge treasure chest of email addresses and other personal data has been discovered sitting online, unprotected, and unencrypted by a security researcher.

The good news is that the list has since been removed. The bad news is that the list also contained an array of other private information such as emails with phone numbers, emails with business contacts, and credit ratings. Even worse news is that the source of this information was a suspect “email authentication” outfit that helped build and verify the email lists used to fill your inbox with various spam offerings.

This trove of data was discovered by Bob Diachenko, data breach analyst at SecurityDiscovery.  The database contained four separate collections of data, topping off at 808,539,939 different records. “I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection,” he explained on his blog.

After uncovering the list, he worked with Troy Hunter, another notable data breach hunter, to double check that this was indeed a new list, find out more about where the list came from and its intended purpose. They discovered that the list came from a company called Verifications.io which provided “Enterprise Email Validation.”

Smells like spam to me

Email validation has both its light and dark side. On the more legal side, companies want to verify that the lists of email addresses they are building are, in fact, made up of functional email addresses. And, if they text out these lists themselves, they run the real risk of being blacklisted as spammers.

Verifications.io’s market niche was to take over that testing task, sending out emails to confirm that the addresses were functioning, then building a verified good list and a not-so-good list of bounced addresses for additional testing.

On the dark side, Diachenko pointed out that Verifications.io would also be a perfect service for hackers to use for pitch-perfect finetuning of their lists ahead of a spearphishing attack.

You gave your OK for this email address, right?

Since Verifications.io has since gone dark and pulled the plug on their website, it’s not exactly clear where this data originally came from: Did it come from legit clients, were they scraping out the data to make their own composite email lists, or even if those hundreds of millions of individuals with personal data in the lists gave their personal OK – or even their GDPR approval — to this information being processed.

Where are you in the data food chain?

Unlike many of the monster data breaches at Target or Marriott, Verifications.io was not the firm directly collecting data from people. They were at least one step removed from the initial data collection – maybe more. But, they still had lots of private information – which says quite a bit about the current state of data insecurity that we live in.

So what can you do now?

  1. Two-factor is better than one – Use two-factor authentication wherever possible to make your accounts more protected against hacking.
  2. Transition to the secure. Make the reasonable assumption that your account details have already leaked somewhere in the data chain and start the transition to more secure passwords with a password manager.
  3. Stay informed. Get alerts and news about breaches impacting your accounts with the premium Avira Password Pro.
As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.