The size and scope of data breaches continue to grow. The latest record belongs to email verification service Verifications.io, thanks to unsecured, public-facing databases containing what appears to be nearly its entire store of contact profiles. No passwords were exposed in the email data breach, but a great deal of personal information useful for identity theft and scams was.
Initial reporting indicated that about 763 million records were exposed, but that estimate has since climbed to a little over two billion records as security researchers have found that at least four of the company’s databases were open to anyone who cared to walk in the door.
Who is Verifications.io, and what was exposed in the email data breach?
Verifications.io is an “email verification platform” used by marketers, one of the largest of its kind. The company appears to have collated public contact information and some private financial indicators (like mortgage amounts and credit score estimates) into customer profiles. Marketers send Verifications.io lists of email addresses to screen and validate as part of their preparation for email marketing campaigns.
The company appears to have been collecting an unusual amount of personal information, however. While no passwords or Social Security numbers were in the email data breach, a security researcher found all of the following:
Email addresses connected to social media profiles
Date of birth
Mortgage amounts and interest rates
Estimates of credit scores
Profiles of millions of businesses were also found in the email data breach. These records appear to mostly be made up of publicly available data including contact information and annual revenue.
Who had access?
The databases in question were all MongoDB instances hosted in Miami. Independent researcher Bob Diachenko of Security Discovery came across the first of them in late February and, after tracing it back to Verifications.io, notified the company before publishing in early March. Verifications.io took the databases offline the same day Diachenko notified it of the email data breach.
Anyone potentially could have had access to these records during the exposure window, the length of which is unknown. Verifications.io claims that the databases were only exposed for a short time and that there is no evidence of illicit third-party access.
What’s the fallout?
Though it technically set a record in terms of data point count, this email data breach is relatively benign compared to other recent data leaks of a similar size. It is worrying that this information was sitting out in the open available to anyone with an internet connection, but it may well have been for a limited time and it is possible that it was not obtained by any potential threat actors.
The information is also mostly available to the public. The profiles kept on individuals do sometimes contain items that may not have been public, such as home addresses and financial indicators. However, the collection of information appears to have been very patchy – many records appear to be little more than an email address and name. For example, only about four million of the records had a phone number connected to an email address. It is likely that the contact information came from whatever the company could scrape from public social media profiles and directory listings.
This hardly means that anyone should breathe easy about the matter, however. This email data breach is yet another reminder that personal data is only as secure as each company that is in possession of it. As Colin Bastable, CEO of Lucy Security observes: “It is hard to be astounded, or even mildly surprised, at the scale of insecurity that exists online. In such an interconnected world, where businesses and governments routinely forget to protect data, consumers should assume that their data is compromised.”
While not much of a threat on its own, the Verifications.io email data breach could be combined with information from other sources (such as dark web hacking forums) to aid identity theft and confidence schemes. It is also useful to attackers running credential stuffing, in which username and password pairs leaked from other breaches are replayed against new services: a list confirming which addresses are valid, and which belong to a given company's staff, lets the attacker narrow the accounts worth trying and generate fewer of the failed logins that defenders watch for.
The importance of database security
This is hardly the first time MongoDB has been associated with a major data breach. Other recent examples include the CloudPets toys, Android keyboard theme developer Ai.Type, and SaverSpy, a subsidiary of Coupons.com. Exposed MongoDB instances are also a favourite of cybercriminals, who typically wipe the contents and leave a note demanding a ransom for their return.
MongoDB instances are popular targets because a default installation is not secure when placed on the internet. They can be secured properly, and the MongoDB website offers a security checklist covering authentication, network restrictions and encryption options, but companies sometimes put them online without taking these steps. Two defaults do most of the damage. Authentication is disabled until an administrator explicitly enables it, and for years the server listened on every network interface unless bindIp was set (the official 2.6 packages added a configuration file restricting it to localhost, and from version 3.6 the binary itself defaults to localhost). An unfirewalled instance on the default port 27017 therefore accepted unauthenticated connections from anyone who found it.
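To make those two defaults concrete, here is an added example (not code from the article, from Verifications.io or from the MongoDB project) that audits a mongod.conf for exactly the settings involved. Both configuration files are constructed for the example; the parser handles only the nested key: value subset that mongod.conf uses, so run PyYAML on real files.

```python
"""Audit a mongod.conf for the settings behind most "open MongoDB" exposures.

Added example. The two configs below are constructed, not Verifications.io's
(their actual configuration was never published).
"""
from typing import Any

# Constructed: a server listening on every interface with authentication left
# at its default (off). Anyone who can reach TCP 27017 can read and write.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # "so the app server can reach it"
"""

# Constructed: the same server bound to localhost, requiring authentication
# and TLS, along the lines of the MongoDB security checklist.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> dict[str, Any]:
    """Parse the indentation-nested 'key: value' subset that mongod.conf uses.

    Deliberately minimal (no lists, quoting or anchors); use PyYAML on real files.
    """
    root: dict[str, Any] = {}
    stack: list[tuple[int, dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # leave any deeper or sibling section
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            child: dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit(conf: dict[str, Any]) -> list[str]:
    """Return one finding per insecure setting; an empty list means all checks pass."""
    findings: list[str] = []
    net = conf.get("net", {})
    bind = net.get("bindIp")
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll is true: listening on every interface")
    elif bind is None:
        # mongod before 3.6 bound to all interfaces when bindIp was unset.
        findings.append("net.bindIp is unset: mongod < 3.6 listens on every interface")
    elif any(addr.strip() in ("0.0.0.0", "::") for addr in bind.split(",")):
        findings.append(f"net.bindIp is {bind}: listening on every interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled' (default is off)")
    if net.get("tls", {}).get("mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS: client traffic is in clear")
    return findings


def audit_text(text: str) -> list[str]:
    return audit(parse_mongod_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_text(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run against the weak file this reports the open bind address, the missing authorization setting and the absence of TLS; the hardened file passes. A check like this belongs in the deployment pipeline, but it is no substitute for a firewall rule: a database should not be reachable from the internet even when its own configuration is correct.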
The main fault here lies with Verifications.io's data storage policies. Not only was the database open to the public, but everything was stored in plaintext. The company's initial response to Diachenko indicates that it felt that since the information in the email data breach was "publicly accessible" anyway (i.e. scraped from sources open to the public), it didn't need to be properly secured. It's unclear where Verifications.io is based, as the company is unusually secretive about its ownership and contact details, but the databases were hosted in the United States. That attitude may be technically legal there at the moment, but laws in the EU and a number of other nations would have subjected the company to heavy fines.
Kothari makes the case for encrypting PII wherever it is stored: “All applications, including such cloud-based email verification services, should store personally identifiable information (PII) encrypted, never in clear. With the growing number of regulations on data privacy of individuals, such as the EU GDPR (General Data Protection Regulation), HIPAA, PCI, and California Consumer Privacy Act of 2018, exposing such PII data opens the organization to breaches, reputational damage as well as stiff penalties.
“This approach should include all of your on-premise applications, SaaS applications, and IaaS-based applications. Data-security centric strategies take this to the next level, that is to say, DRM and end-to-end encryption of PII in both on-premise and clouds should protect the enterprise.
“Recognize that it is more common to find cyberthieves attacking cloud applications via account takeovers and APIs – these are the new skirmish lines for cyberattacks, especially in the cloud where you are most vulnerable. Security tools that automatically protect your data such as data loss prevention (DLP) and digital rights management (DRM) help secure your sensitive information. In the event that an important cloud vendor doesn’t have the right data protection, you can wrap their applications with a cloud security broker to provide the necessary cloud security and protection for your data. Ultimately, find vendors that support end-to-end data protection for your on-premises and cloud applications.”
The Verifications.io breach is a case in which encryption, applied at the application layer, would have reduced the potential harm to near zero. Leaving data exposed like this is never acceptable, but had the company encrypted every personally identifiable field before writing it to the database, with the keys held outside that database, intruders would have walked away with ciphertext and little else. Note that disk- or volume-level encryption would not have helped here: the server was handing the data out, already decrypted, to anyone who connected.
There is nothing wrong with using MongoDB, but companies need to be aware that some services require extra configuration before they are safe to expose, and a database should never be reachable from the internet without authentication in the first place. With any cloud provider, it is also best not to rely solely on the provider's encryption; ideally, data should be encrypted locally before it ever reaches the cloud. As Kothari notes, a cloud access security broker (CASB) may make sense for companies using a diverse array of cloud services. The broker sits between the company and its cloud services, extending company security policies to those services and monitoring for unauthorized access and leaked data.
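The following added example (not code from the article, from Verifications.io or from any vendor quoted here) shows what encrypting PII before it reaches the database looks like for profiles of the kind exposed in this breach. Each sensitive field is sealed with AES-256-GCM under a key the application holds, and the email address gets a keyed blind index so records can still be looked up without storing the address in clear. It assumes the third-party `cryptography` package; the sample profile and the key handling (keys generated inline rather than fetched from a KMS) are constructed for the example.

```python
"""Encrypt PII fields in the application before they reach the database.

Added example, not code from the article or from Verifications.io. Assumes the
third-party 'cryptography' package (pip install cryptography). In production the
keys would come from a KMS or secrets manager; here they are generated inline.
"""
import hashlib
import hmac
import json
import os
from typing import Any

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# The kinds of fields from the exposed profiles that should never sit in clear.
SENSITIVE_FIELDS = frozenset(
    {"email", "date_of_birth", "mortgage_amount", "credit_score_estimate"}
)


class PiiVault:
    """Seals and opens profile records; the database only ever sees ciphertext."""

    def __init__(self, enc_key: bytes, index_key: bytes) -> None:
        if len(enc_key) != 32 or len(index_key) != 32:
            raise ValueError("expected two independent 256-bit keys")
        self._aead = AESGCM(enc_key)
        self._index_key = index_key

    def blind_index(self, email: str) -> str:
        """Keyed hash of the normalised address, so the app can still look a
        record up by email. An unkeyed hash would be reversible by dictionary."""
        norm = email.strip().lower().encode()
        return hmac.new(self._index_key, norm, hashlib.sha256).hexdigest()

    def seal(self, record_id: str, record: dict[str, Any]) -> dict[str, Any]:
        doc: dict[str, Any] = {"_id": record_id}
        if "email" in record:
            doc["email_idx"] = self.blind_index(record["email"])
        for name, value in record.items():
            if name not in SENSITIVE_FIELDS:
                doc[name] = value  # non-sensitive fields stay queryable
                continue
            nonce = os.urandom(12)  # fresh 96-bit nonce for every field written
            # Associated data binds the ciphertext to its record and field, so a
            # value cannot be copied into another record or column unnoticed.
            aad = f"{record_id}:{name}".encode()
            ct = self._aead.encrypt(nonce, json.dumps(value).encode(), aad)
            doc[name] = {"nonce": nonce.hex(), "ct": ct.hex()}
        return doc

    def open(self, doc: dict[str, Any]) -> dict[str, Any]:
        record: dict[str, Any] = {}
        for name, value in doc.items():
            if name in ("_id", "email_idx"):
                continue
            if name not in SENSITIVE_FIELDS:
                record[name] = value
                continue
            aad = f"{doc['_id']}:{name}".encode()
            # Raises InvalidTag if the ciphertext or its record/field context was altered.
            pt = self._aead.decrypt(
                bytes.fromhex(value["nonce"]), bytes.fromhex(value["ct"]), aad
            )
            record[name] = json.loads(pt)
        return record


# Constructed sample profile of the kind found in the exposed databases.
SAMPLE_PROFILE: dict[str, Any] = {
    "email": "Jane.Doe@example.com",
    "date_of_birth": "1980-04-02",
    "mortgage_amount": 250000,
    "credit_score_estimate": 710,
    "company": "Example Corp",
}


def demo() -> tuple[dict[str, Any], dict[str, Any]]:
    """Seal the sample profile and open it again; returns (stored doc, recovered record)."""
    vault = PiiVault(os.urandom(32), os.urandom(32))
    sealed = vault.seal("profile-0001", SAMPLE_PROFILE)
    return sealed, vault.open(sealed)


if __name__ == "__main__":
    stored, recovered = demo()
    print(json.dumps(stored, indent=2))  # what an intruder dumping the DB would see
    assert recovered == SAMPLE_PROFILE
```

The stored document carries only the record id, the blind index, the non-sensitive company name, and hex ciphertext. Someone who dumps the database gets nothing they can read, and someone who edits it (for example moving a high credit score estimate onto another record) gets an authentication failure on the next read. The keys, not the database, become the thing to protect, which is the correct trade.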