I can verify that you and 763,117,241 emails are fucked
-
https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/
On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance.
[table] ‘Emailrecords’ was structured to include zip / phone / address / gender / email / user IP / DOB:
I started to analyze the content in an attempt to identify the owner and responsibly disclose it – even despite the fact that this started to look very much like a spam organization dataset. (emph mine)
a company named ‘Verifications.io’ – which offered the services of ‘Enterprise Email Validation’. Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text.
[The company responded to disclose with taking site offline and saying "don't worry, no client information was there, just public stuff"]
In the response they identified that what I had discovered was public data and not client data, so why close the database and take the site offline if it indeed was “public”? In addition to the email profiles this database also had access details and a user list of (130 records), with names and credentials to access FTP server to upload / download email lists (hosted on the same IP with MongoDB). We can only speculate that this was not meant to be public data.
Awesome. Let's unpack.
So this shitbag company "Verifications.io" does email verification. Not, as I first thought, a service that sends out "Verify your email" links. Nope. Instead they (presumably charge) companies for this awesome, amazing hightech service. Those companies upload lists of email addresses they want verified...
sidebar wtf1 This is an email verification service, but the exposed records have email PLUS a whole bunch of PII like address, IP, etc. Why do you need any of that for email verification?!?
... and the verification service "verifies them" by-- ready for this-- sending an email to that email address. If it bounces, the email is not verified.
sidebar wtf2 If you are a legit business, and legit trying to weed out dead/bad email addresses from your mailing list dataset-- then just send the goddamn mail yourself. Next time you have a mail to put on the list, put it on-- and then just record the bounces and drop those addresses.
... So yes, this means that in order to "verify" your address, this shitbag company spams you a "hello /ping" email. The article goes into more depth on why this is an extremely bad and very exploitable service.
Somehow, despite having "lol 12 years experience", the company accidentally did an "oopsies"; they kept this database with 800M records of PII on a PUBLIC FACING SERVER (ie: their company's home page). The DB was not in a DMZ or on a separate database machine. Nope, right there sitting its ass on port 80. They also didn't password protect or encrypt this database. They also didn't obscure, obfuscate or encrypt the data AT. ALL. So if you are "lorne kates, lkates@gmail.com, dob 10/28/1978"-- then your entire email address, name and date of birth are visible to anyone who strolls along to take.
So anytime you see a site claiming "We'll only share your data with trusted third parties"-- this is the sort of third party, and this is their trusted methods of handling your data.
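Added example, not from the post or from Verifications.io: a small Python audit of the two mongod.conf settings that decide whether a MongoDB instance is reachable and readable by strangers, run over a constructed weak config and a constructed hardened one. It parses only the flat "section:\n  key: value" subset of YAML that mongod.conf uses, so it needs no extra library.

```python
# Added example (not the post's or the company's code): audit a mongod.conf
# for the two settings whose absence produced the exposure described above.
import ipaddress

# Constructed sample: the shape of a config that ends up open to the world.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: same daemon, bound to loopback with auth enforced.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Parse the two-level YAML subset mongod.conf uses into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):                # unindented line = section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    findings = []
    net = conf.get("net", {})
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: listens on every interface")
    else:
        # mongod 3.6+ defaults to localhost when bindIp is absent
        for addr in net.get("bindIp", "127.0.0.1").split(","):
            addr = addr.strip()
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    findings.append(f"net.bindIp {addr} is not loopback: reachable from the network")
            except ValueError:
                findings.append(f"net.bindIp {addr} is a hostname or socket path: confirm it is not public")
    if conf.get("security", {}).get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: anyone who can connect can read everything")
    return findings
```

Bound to loopback with authorization on, the database in the article would have been unreachable to a scanner and unreadable without credentials; the script reports which of the two was missing.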
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
dob 10/28/1978
Youngster.
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
So anytime you see a site claiming "We'll only share your data with trusted third parties"-- this is the sort of third party, and this is their trusted methods of handling your data.
Anyone who works in IT and that has not realized this within the first few weeks of work is in dire need of a cluebatting.
-
@dkf said in I can verify that you and 763,117,241 emails are fucked:
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
dob 10/28/1978
Youngster.
Fuck you, buy me presents.
-
Yeah, I had an email from HaveIBeenPwned yesterday
You're one of 763,117,241 people pwned in the Verifications.io data breach
Wooo, I won the shithead lottery. Yay!
the breach was due to the data being stored in a MongoDB instance
What a fucking shock! Give me a second whilst I pick myself up off the floor.
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
sidebar wtf1 This is an email verification service, but the exposed records have email PLUS a whole bunch of PII like address, IP, etc. Why do you need any of that for email verification?!?
Because you can aggregate PII from multiple sources and sell it for more $$$? Why would you pass up such a simple way to make $$$? It's not like you will face any repercussions for it…
Do we need an Official Big Omniscient Brother Thread for all the data leaks?
Fun fact: Facebook hoovers up all your information it can get, including some purchases you make outside Facebook. Google reads your GMail and, among other things, parses purchase information. Every fucking online service wants to know all it can about you, from your home address to the way you hold/massage the mouse before clicking a link. Because some day they might be able to use some sliver of that information to show you more accurate ads, or sell that info to someone else.
I got that email from Have I Been Pwned too. I'm now curious if I can use GDPR to make verification.io's life more miserable.
-
@DCoder said in I can verify that you and 763,117,241 emails are fucked:
I'm now curious if I can use GDPR to make verification.io's life more miserable.
+1, you're doing god's work, my son!
-
@DCoder said in I can verify that you and 763,117,241 emails are fucked:
Because you can aggregate PII from multiple sources and sell it for more $$$?
-
@DCoder said in I can verify that you and 763,117,241 emails are fucked:
I'm now curious if I can use GDPR to make verification.io's life more miserable.
For that matter-- how DO you file a GDPR "forget me" request? Is it like the DMCA where you just email someone and magic happens? Is there a form?
-
@DoctorJones said in I can verify that you and 763,117,241 emails are fucked:
Give me a second whilst I pick myself up off the floor.
No, stay there, I'll send you a bitch to cheer you up!
-
@Tsaukpaetra said in I can verify that you and 763,117,241 emails are fucked:
@DoctorJones said in I can verify that you and 763,117,241 emails are fucked:
Give me a second whilst I pick myself up off the floor.
No, stay there, I'll send you a bitch to cheer you up!
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
For that matter-- how DO you file a GDPR "forget me" request? Is it like the DMCA where you just email someone and magic happens? Is there a form?
You have to send a request/demand to the people holding your data.
How do I exercise this right?
The GDPR does not impose any requirements on how you make your request. This means that you could in principle simply write an informal letter and send it to the controller. In theory, even a phone call would do.
The people holding your data are then required to erase it ASAP if it meets one or more of certain criteria.
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
sidebar wtf2 If you are a legit business, and legit trying to weed out dead/bad email addresses from your mailing list dataset-- then just send the goddamn mail yourself.
According to one of the articles I read about this, the whole purpose of "Verifications.io" is they spam people so that you don't have to (and so your "legit" company doesn't get put on a spam blacklist).
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
So if you are "lorne kates, lkates@gmail.com, dob 10/28/1978"-
How did you know the details I fill in on spam websites?!
-
@loopback0 Maybe he was the hackers all along
-
@loopback0 what, you don't own something like
notspam@horsefucker.org
?
-
@pie_flavor said in I can verify that you and 763,117,241 emails are fucked:
@loopback0 what, you don't own something like
notspam@horsefucker.org
?
But then the spam would go to me...
-
@loopback0 ... and you would ignore it since you don't check that email.
-
@loopback0 said in I can verify that you and 763,117,241 emails are fucked:
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
So if you are "lorne kates, lkates@gmail.com, dob 10/28/1978"-
How did you know the details I fill in on spam websites?!
Loooooooooooooooooots of weird porn.
-
@Lorne-Kates This could be read as 'lots' or 'loots'.
-
@pie_flavor said in I can verify that you and 763,117,241 emails are fucked:
@Lorne-Kates This could be read as 'lots' or 'loots'.
looooooooooooooooooots of loooooooooooooooooooot
-
@Lorne-Kates said in I can verify that you and 763,117,241 emails are fucked:
@pie_flavor said in I can verify that you and 763,117,241 emails are fucked:
@Lorne-Kates This could be read as 'lots' or 'loots'.
looooooooooooooooooots of loooooooooooooooooooot
And now I think of Lancelot....