SecurityDiscovery. The database contained four separate collections of data, topping off at 808,539,939 different records. “I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection,” he explained on his blog.
After uncovering the list, he worked with Troy Hunter, another notable data breach hunter, to double check that this was indeed a new list, find out more about where the list came from and its intended purpose. They discovered that the list came from a company called Verifications.io which provided “Enterprise Email Validation.”
Email validation has both its light and dark side. On the more legal side, companies want to verify that the lists of email addresses they are building are, in fact, made up of functional email addresses. And, if they text out these lists themselves, they run the real risk of being blacklisted as spammers.
Verifications.io’s market niche was to take over that testing task, sending out emails to confirm that the addresses were functioning, then building a verified good list and a not-so-good list of bounced addresses for additional testing.
On the dark side, Diachenko pointed out that Verifications.io would also be a perfect service for hackers to use for pitch-perfect finetuning of their lists ahead of a spearphishing attack.
Since Verifications.io has since gone dark and pulled the plug on their website, it’s not exactly clear where this data originally came from: Did it come from legit clients, were they scraping out the data to make their own composite email lists, or even if those hundreds of millions of individuals with personal data in the lists gave their personal OK – or even their GDPR approval — to this information being processed.
Unlike many of the monster data breaches at Target or Marriott, Verifications.io was not the firm directly collecting data from people. They were at least one step removed from the initial data collection – maybe more. But, they still had lots of private information – which says quite a bit about the current state of data insecurity that we live in.