In what some experts call one of the largest and most comprehensive email breaches of all time, nearly one billion emails have been exposed by a little-known marketing company called Verifications.io.
Security researchers Bob Diachenko and Vinny Troia discovered the exposure in late February. The database possessed no authentication protocols whatsoever; in fact, anyone with an internet connection could access the email records. Moreover, the email records also contained other personal identifying information such as names, genders, IP addresses, and much more. The researchers contacted Verifications.io immediately; the company confirmed the exposure and claimed to close it the same day.
Verifications.io labeled itself as an enterprise email verification service, allowing businesses to confirm harvested emails. However, Diachenko noted that threat actors could have used the service to refine their phishing attacks. The site went offline in early March; additionally, company representatives remain largely unresponsive to questions from the press, prompting more questions about the company.
When the researchers first announced the breach, the records exposed appeared to only number around 700 million. However, in subsequent weeks, the number of discovered records exposed rose.
What One Billion Emails Exposed Means
We asked a few cybersecurity experts to weigh in on the implications of Verifications.io and the exposure of nearly one billion email records. Here’s what they had to say:
Franklyn Jones, CMO, Cequence Security:
“We’re getting to the point where breaches of this magnitude barely elicit a yawn. And after a week, our attention will be diverted once again to the next major breach. Meanwhile, what often gets ignored is that these 982 million records will find their way on the dark web, where they will be acquired for secondary attacks – usually involving automating bots – that result in account takeover, business logic abuse, financial fraud, and more.”
Byron Rashed, VP of Marketing, Centripetal Networks:
“Businesses and consumers should always verify and deal with trusted businesses. In today’s digital environment, giving electronic information out about one’s self is exposing the individual to a variety of cyber crimes. Credentials can be leveraged by a threat actor for identity theft on a personal level and corporate network infiltration and data exfiltration for businesses.
Enterprises should enable blocking of such malicious sources, which is key to preventing network infiltration and reducing and mitigating the risk of data exfiltration. Corporate policy should govern and prevent the use of their corporate credentials on non-work related sites as well. Education of employees is always the best first line of defense, since most breaches are caused by human error.”