Updated An unprotected MongoDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday.
Today, however, it appears the scope of that security snafu may have been underestimated.
According to cyber security biz Dynarisk, there were four databases exposed to the internet – rather than just the one previously reported – bringing the total to potentially more than two billion records weighing in at 196GB rather than 150GB.
Anyone knowing where to look on the ‘net would have been able to spot and siphon off all that data, without any authentication.
“There was one server that was exposed to the web,” Andrew Martin, CEO and founder of DynaRisk, told The Register on Friday. “On this server were four databases. The original discovery analysed records from mainEmailDatabase. The additional three databases were hosted on the same server, which is no longer accessible.
“Our analysis was conducted over all four databases and extracted over two billion email addresses which is more than the 809 million first discussed.”
The databases were operated by Verifications.io, which provides enterprise email validation – a way for marketers to check that email addresses on their mailing lists are valid and active before firing off pitches. The Verifications.io website is currently inaccessible.
The database first reported included the following data fields, some of which, such as date of birth, qualify as personal information under various data laws:
Email Records (emailrecords): a JSON object with the keys id, zip, visit_date, phone, city, site_url, state, gender, email, user_ip, dob, firstname, lastname, done, and email_lower_sha265.
Email With Phone (emailWithPhone): No example provided but presumably a JSON object with the two named attributes.
Business Leads (businessLeads): a JSON object with the keys id, email, sic_code, naics_code, company_name, title, address, city, state, country, phone, fax, company_website, revenue, employees, industry, desc, sic_code_description, firstname, lastname, and email_lower_sha256.