
Instead, he uploads all of his potential email addresses to a service like verifications.io. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified. He has a bunch of potential users and passwords, but has no idea which ones are real. “Threat Actor” has a list of 1000 companies that he wants to hack into.

If it bounces, they put it in a bounce list so they can easily validate later on. If it does not bounce, the email is validated. They do this by literally sending the people an email. Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address. Someone uploads a list of email addresses that they want to validate.

I also sent a data breach notification email to the company’s support (yes, I decided it is a right thing to do).

After researching more about Verifications.io online and comparing the information that was publicly available in the database we have come to the following conclusions.

Here is the archived version.

At this point I teamed up with Vinny Troia, owner of NightLion Security with whom I worked on other projects previously and who had a similar experience with finding the Exactis database.
Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.
Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database – a company named ‘Verifications.io’ – which offered the services of ‘Enterprise Email Validation’. I started to analyze the content in an attempt to identify the owner and responsibly disclose it – even despite the fact that this started to look very much like a spam organization dataset. We are still talking about millions of records. Although not all records contained the detailed profile information about the email owner, a large number of records were very detailed. Based on the results, I came to the conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data.
‘Emailrecords’ was structured to include zip / phone / address / gender / email / user IP / DOB:

As part of the verification process I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database.

businessLeads (count: 6,217,358 records).
emailWithPhone (count: 4,150,600 records).

The largest part of it was named ‘mailEmailDatabase’ – and inside it contained three folders:

This database contained four separate collections of data and combined was an astounding 808,539,939 records. Some of the data was much more detailed than just the email address and included personally identifiable information (PII).

Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. This is perhaps the biggest and most comprehensive email database I have ever reported.

On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance.
