I woke up this morning to discover, yet again, that I was one of a stupidly large number of people whose personal data had been leaked in the latest mega breach. Troy Hunt’s ‘have i been pwned?’ service informed me that 763,117,241 people have had their records leaked by Verifications IO: including verified emails, phone numbers, addresses, dates of birth, Facebook, LinkedIn and Instagram account details, credit scoring and even mortgage data such as amount owing and interest rates being charged. Which wasn’t the best news to receive first thing on a Sunday morning. But then things got even worse, a lot worse. SC Media UK reports that Andrew Martin, CEO & founder of cybersecurity company DynaRisk, has revealed the true number of leaked records is much higher. How much higher? How does a total of 2,069,145,043 unencrypted records grab you?
So, what actually happened?
According to Bleeping Computer, an unprotected MongoDB database was discovered by security researcher Bob Diachenko. Having cross-referenced the data, sitting there in plain text, with the have i been pwned site, Diachenko was able to conclude that this was newly exposed information rather than a repackaging of previously breached data, as had been seen with the recent Collection 1 leak. After doing some more investigative work, Diachenko was able to track the database back to the Verifications IO enterprise email validation service. This company validates bulk email lists for companies wanting to remove inactive addresses from newsletter mailouts. Diachenko, working alongside researcher Vinny Troia, reported that a total of 808,539,939 records had been leaked. The ‘mailEmailDatabase’ contained three sections holding that data: Emailrecords, emailWithPhone and businessLeads. However, DynaRisk CEO Andrew Martin also analyzed the data and concluded that the one server exposed to the web actually held four databases, not just the one. He told The Register: “Our analysis was conducted over all four databases and extracted over two billion email addresses. The additional three databases were hosted on the same server, which is no longer accessible.”
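The failure pattern described above is a mongod instance that listens on every interface with no authorization enabled. The following script is an added example, not code from the article or from any of the researchers quoted: it audits a mongod.conf for those two settings, using a small constructed parser for the file's flat YAML layout and two constructed sample configurations, and it treats absent keys as MongoDB's documented defaults (bindIp localhost, authorization disabled).

```python
"""Audit a mongod.conf for the exposure behind this leak: a listener on every interface with authorization disabled."""
from typing import Dict, List

def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse mongod.conf's two-level YAML into {section: {key: value}}.
    Assumption: flat 'section:/  key: value' layout, no lists or multi-line values."""
    tree: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):                # top-level section, e.g. 'net:'
            section = line.rstrip(":").strip()
            tree.setdefault(section, {})
        elif section is not None and ":" in line:   # indented 'key: value' pair
            key, value = line.strip().split(":", 1)
            tree[section][key.strip()] = value.strip()
    return tree

WILDCARD_BINDS = {"0.0.0.0", "::"}

def audit_mongod_conf(text: str) -> List[str]:
    """Return one finding per unsafe setting; an empty list means both checks pass.
    Absent keys are read as the documented defaults: bindIp localhost, authorization disabled."""
    cfg = parse_mongod_conf(text)
    net, security = cfg.get("net", {}), cfg.get("security", {})
    findings: List[str] = []
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = {a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")}
    if bind_all or addrs & WILDCARD_BINDS:
        findings.append("net.bindIp listens on all interfaces; bind to localhost or a private address")
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is disabled; any client can read every database")
    return findings

# Constructed sample configurations: the exposed pattern and a hardened one.
EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0   # reachable from the internet, and no security section at all
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""
```

Running `audit_mongod_conf(EXPOSED_CONF)` returns two findings, while the hardened configuration returns none.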
What data was leaked?
The security researcher who made the discovery, Bob Diachenko, says that “although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed.” That detail included commonplace breach data such as email addresses and phone numbers, but went far beyond the basics as well: dates of birth, mortgage amounts and interest rates, and the social media accounts related to the emails in question. And it doesn’t stop there: you can also throw in basic credit scoring data, company names and revenue figures.
Should you be worried?
Yes, of course you should. This was, after all, a massive leak of the kind of personal information that would be a goldmine for the phishers and spammers of this world. However, that concern can be diluted by a number of factors. Not least, there’s the small matter that nobody has yet found any compelling evidence that the data has actually been used for any criminal purpose. Although the databases were accessible for some time, as soon as the problem was disclosed to Verifications IO the service was taken offline, and it remains so. Which means that bad guys alerted by this news won’t be able to exploit it. What’s just as important as what was in the breach is what wasn’t: there were no social security numbers, no credit card numbers and no passwords. And, importantly, this was a leak, not a hack: white hat researchers found the data was accessible, rather than black hats looking to exploit it.
Can you mitigate your risk?
Yes, if you apply the basics of good cybersecurity hygiene. Which means being alert to the phishing risk, applying more skepticism than usual to unexpected emails, text messages, social media communications and even snail mail that want you to check a link out, open an attachment and so on. If threat actors have got hold of this data then it provides all the ammunition they require in order to appear like a trustworthy organization in their communications. If the communication really does sound genuine and you are tempted to respond as instructed, don’t. Instead, I always advise folk to take the extra minute to try contacting the sender through another means: if it’s a bank or commercial concern then google them and browse to their site using that address and not the message link, ditto with phone numbers. Remember that banks won’t contact you by email regarding a security matter, nor will they ask for your account details over the phone. Don’t let your security sense slip just because something sounds plausible, especially if a loss of money has been mentioned!