Two billion records exposed by unsecured database

It is still unknown how long the information remained exposed

Network security and ethical hacking specialists from the International Institute of Cyber Security reported a massive data leaking from multiple online platforms; according to the first reports, in total have been found 2,069,145,043 records, all without some kind of encryption.

Network security specialist Bob Diachenko discovered a MongoDB database that lacked basic security measures. After making a cross-reference of the information he found, leaning on the database of Have I Been Pwned, the expert concluded that this massive leaking has exposed completely new information, foreign to other incidents of data leaking or theft.

The database was tracked to the email validation service business Verification IO. This company validates massive email lists for companies that must remove inactive addresses from newsletter services.

The compromised database consists of three sections:

  • Email records
  • Email address with phone
  • Sales Leads

However, subsequent research by network security experts concluded that, in total, the leaking was composed of four exposed databases, not just one.

According to Diachenko, the compromised databases do not contain great personal details of the owners of the accounts involved, although there are really detailed records. The more detailed profiles include data such as email address, phone numbers, mortgage amounts and interest rates and social network accounts related to emails, among other details.

This is a massive leak of personal information, threat actors like phishing attacks or spam could easily access the information committed to deploy their attacks. Although it is unknown how long the information has been exposed, experts say there is still no evidence that any malicious actor has accessed the databases.

Just discovered the incident, Verifications IO was notified and access to the databases was closed.

Experts recommend users concerned about the security of their data to be alert to any attempt to phishing or send spam, SMS messages or social networks of strangers. It is important to note that banks do not establish communications with their clients via email, so they should ignore any messages allegedly sent by banking institutions.