
800M Email Addresses Leaked Online by Email Verification Service - tlrobinson
https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/
======
alxmdev
_> Some of data was much more detailed than just the email address and
included personally identifiable information (PII) ... ‘Emailrecords’ was
structured to include zip / phone / address / gender / email / user IP / DOB_

How messed up is it that random 3rd parties collect and assemble all this
information to begin with, leaks aside? Sounds to me like all this data fell
into unscrupulous hands way before any hackers may have found it on the public
internet.

~~~
satya71
I've seen a demo where given my email address they could pull up my name,
address, profession, age, and I forget what else. Yes, it's already in
unscrupulous hands.

~~~
tiimbz
I've seen that too. This API for example [0] called "email enrichment" where I
got my full name back, based on email address.

Edit: Added main company link providing this API [1]

[0] https://app.livestorm.co/api/v1/utils/email-enrichment/?email=emailaddresshere

[1] [https://docs.enrich.email/](https://docs.enrich.email/)

~~~
FinestFine
I checked mine and it has only my full name. But "indexedAt" gives the current
date and time, interesting :)

~~~
megous
Mine has information harvested (provided by?) from about.me. (I had a page
there about my dancing activities) So this API tells anyone where and when
they can meet me for a dance. (9 years ago, that is) :D

------
aboutruby
For fun:

- I see 67,569 mongodb results on shodan

- I searched for shodan API keys on a shady website known as "Github", found
one that works, queried for all the mongodb databases

- Tried connecting on the first one, it works...

- What next?

edit: I guess it's a choose your own adventure game:

1) Delete all the data

2) Look up domains from IPs, find owner's emails and email them

3) Make nice stats about all the data

4) Sell the data on the black market

5) Find user's emails, and tell them they are using a service that just
doesn't care

6) Just make every ~third integer off by 1

7) Mine bitcoins on them

... So many ideas, so little time

~~~
opportune
As much of a game as it may seem, a lot of these could put you in prison.

~~~
Sendotsh
Depending on your country, just loading that first one up to see if it worked
could put you in prison.

~~~
cabaalis
As well it should.

Comparable activity: let's ride around the neighborhood and see who hides a
key under a rock. Then let ourselves in and look around.

~~~
dsfyu404ed
Physical analogies for security like the one you just made are useless because
they don't reflect how the computers and the internet work. You can't just
ping a rock and ask it if it's got a key. The rock isn't expected to exist in
a world where some script kiddie in China is going to ask it if it has a key
every 5min. The analogy simply falls flat on its face once you try to use it
to reason about anything because existing as an internet connected device is
far different than existing on private (but easily accessible) property.

~~~
cabaalis
If you'll refer to what I was replying to, I wasn't talking about physical
security being analogous to digital security. I was saying it is illegal to
attempt to open and access property that you do not own.

------
albertgoeswoof
I strongly believe that we should be keeping our email addresses as secure as
our passwords. It’s a really important attack vector as it’s often the
starting point for any targeted attack, and although it’s not usually
considered as a factor, it is the 2nd factor required for most logins (email
and password). Triggering important security processes (eg reset password,
social engineering attacks) are trivial once you know someone’s email address.

It’s clear from this hack that the owners of the hacked site didn’t see emails
as something worth securing (stored in plain text on a wide open mongo server)

If you want to keep your email address private (you should), generate a new,
random email address whenever you give yours out (the same way you use a
password manager). If you have your own domain you can use a catch
all/wildcard address, eg. *@mydomain.com, if you use gmail you can use their
plus support, e.g. John+uniqueidentifier@gmail.com, if you use neither or want
more security I’ve recently launched [https://idbloc.co](https://idbloc.co)
which aims to help deal with this.

~~~
x2f10
> _John+uniqueidentifier@gmail.com_

Isn't it elementary for a bad agent to scrub those? Your actual e-mail address
(john@gmail.com) is too visible.

~~~
NightlyDev
Sure, but from a security/authentication standpoint that won't be an issue.

Even if you have my John+ajf@example.com address it still won't help you with
logging in on other sites as the address used on another site is still unknown.

------
smallgovt
The linked article is down. Here is a Wired article discussing the same leak:
https://www.wired.com/story/email-marketing-company-809-million-records-exposed-online/

------
odorousrex
Unsecured MongoDB in the default configuration.

Why am I not surprised...

~~~
ams6110
> in the default configuration

MongoDB shares some of the blame here. Software needs to be secure by default.

~~~
achillean
MongoDB listens to localhost by default and provides a few warnings on startup
if you don't have authentication enabled. See:

https://blog.shodan.io/its-still-the-data-stupid/

I believe more of the blame should be put onto markets that provide images
with insecure settings as MongoDB doesn't bind to the public interface by
default and hasn't done so for years.

~~~
beatgammit
Which is true for most popular systems, which I appreciate. I need to
consciously decide to put something on an externally accessible port, which
reminds me that it's time to make sure everything is secure (TLS,
authentication, user privileges, etc).
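achillean's point above (mongod binds to localhost by default; the exposure comes from images that override that and skip authentication) can be checked mechanically. The following is an added example, not code from the thread or from MongoDB: a small audit that parses the two-level YAML subset used by mongod.conf and flags a public bindIp combined with authorization left disabled, with a constructed weak config beside a hardened one. The 10.0.0.5 internal address in the hardened config is an assumed value.

```python
EXPOSED_ADDRS = {"0.0.0.0", "::", "::0"}


def parse_conf(text):
    """Parse the YAML subset mongod.conf uses: top-level 'section:' headers and
    indented 'key: value' pairs beneath them. Comments and blank lines are ignored.
    Deliberately not a full YAML parser; deeper nesting raises ValueError."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"not 'key: value': {raw!r}")
        value = value.strip().strip("'\"")
        if indent == 0:
            section = key
            conf[section] = {}
        elif section is None or value == "":
            raise ValueError(f"unsupported nesting: {raw!r}")
        else:
            conf[section][key] = value
    return conf


def audit(conf):
    """Return the findings a reviewer would raise before this config faces a network."""
    net, sec = conf.get("net", {}), conf.get("security", {})
    # mongod has bound to localhost only by default since 3.6; a "ready to run"
    # image that ships bindIp: 0.0.0.0 undoes that so the VM/container just works.
    bind = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    exposed = net.get("bindIpAll", "false").lower() == "true" or bool(EXPOSED_ADDRS & set(bind))
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if exposed:
        findings.append("net.bindIp: listens on every interface")
    if not auth_on:
        findings.append("security.authorization: disabled, any client that connects gets full access")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated mongod reachable from the network (the setup this thread is about)")
    return findings


# Constructed: the kind of config a marketplace image ships so it "works out of the box".
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from anywhere the host is
"""

# Constructed: same service on loopback plus one assumed internal address
# (10.0.0.5), with authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def is_open_to_the_internet(text):
    """True when the config is both network-exposed and unauthenticated."""
    return any(f.startswith("CRITICAL") for f in audit(parse_conf(text)))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

Authentication alone is not the whole story: once mongod is reachable from outside the host, TLS (net.tls in current releases) and a host firewall belong in the same review, but that is a third nesting level and is out of scope for this parser.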

------
mortehu
For other confused readers: no emails were leaked, only email addresses.

------
Ellipsis753
Here's a cached version as it's down at the moment.
https://web.archive.org/web/20190307231618/https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/

------
upofadown
>They do this by literally sending the people an email. If it does not bounce,
the email is validated.

That's a pretty dumb way to validate an email address. You can just end the
connection after a successful RCPT TO and no one needs to be the wiser. The
method causes a false validation in the case of an intermediate mail relay
that accepts everything but that is such a bad idea that no one does that.

~~~
samrohn
catch-all domains cannot be validated this way. The only way (wrong) to verify
them is to send a real mail and see if it bounces.

~~~
chaosprophet
Actually a lot of email addresses cannot be validated this way since most ESPs
including gmail have adopted an 'accept-all' approach to incoming email. So
getting the email accepted by the server is no indication that the address
exists, or that the email will actually be delivered to that address even if
it exists.

~~~
upofadown
>... including gmail ...

      #> swaks  --quit-after RCPT --TO kdskr3j2@gmail.com
      === Trying gmail-smtp-in.l.google.com:25...
      === Connected to gmail-smtp-in.l.google.com.
      <-  220 mx.google.com ESMTP a199si3828494itd.133 - gsmtp
       -> EHLO example.com
      <-  250-mx.google.com at your service, [xx.xx.xx.xx]
      <-  250-SIZE 157286400
      <-  250-8BITMIME
      <-  250-STARTTLS
      <-  250-ENHANCEDSTATUSCODES
      <-  250-PIPELINING
      <-  250-CHUNKING
      <-  250 SMTPUTF8
       -> MAIL FROM:<bob@example.com>
      <-  250 2.1.0 OK a199si3828494itd.133 - gsmtp
       -> RCPT TO:<kdskr3j2@gmail.com>
      <** 550-5.1.1 The email account that you tried to reach does not exist. Please try
      <** 550-5.1.1 double-checking the recipient's email address for typos or
      <** 550-5.1.1 unnecessary spaces. Learn more at
      <** 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser a199si3828494itd.133 - gsmtp
       -> QUIT
      <-  221 2.0.0 closing connection a199si3828494itd.133 - gsmtp
      === Connection closed with remote host.
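The RCPT TO probe upofadown describes, and the reason it cannot settle the accept-all case samrohn and chaosprophet raise, as an added example that is not the thread's code nor swaks': a minimal SMTP client that stops after RCPT TO, classifies the reply by code and enhanced status, and is exercised offline against a scripted copy of the Gmail exchange above and a constructed catch-all MX. The example.com / bob@example.com envelope, the 192.0.2.10 client address and the catch-all host are placeholders.

```python
import socket


class SmtpError(Exception):
    pass


def read_reply(rd):
    """Read one SMTP reply, joining continuation lines ("250-..." until "250 ...").
    Returns (numeric code, list of raw lines)."""
    lines = []
    while True:
        raw = rd.readline()
        if not raw:
            raise SmtpError("connection closed by peer")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def rcpt_probe(transport, rcpt, helo="example.com", mail_from="bob@example.com"):
    """Drive the dialogue up to RCPT TO, then QUIT without ever sending DATA.
    transport needs .readline() -> bytes and .sendall(bytes).
    Verdicts: 'no-such-user' (550 with enhanced code 5.1.1), 'accepted' (250: the MX
    took the recipient, which does NOT prove a mailbox exists), 'temp-fail' (4xx,
    e.g. greylisting) or 'rejected' (any other 5xx)."""
    def cmd(line):
        transport.sendall((line + "\r\n").encode())
        return read_reply(transport)

    code, _ = read_reply(transport)                       # 220 greeting
    if code != 220:
        raise SmtpError(f"unexpected greeting: {code}")
    for command in (f"EHLO {helo}", f"MAIL FROM:<{mail_from}>"):
        code, _ = cmd(command)
        if code != 250:
            raise SmtpError(f"{command.split()[0]} rejected with {code}")
    code, lines = cmd(f"RCPT TO:<{rcpt}>")
    try:
        cmd("QUIT")                                       # polite close; its reply is irrelevant
    except SmtpError:
        pass
    if code == 250:
        return "accepted"
    if 400 <= code < 500:
        return "temp-fail"
    if code == 550 and any(l[4:].lstrip().startswith("5.1.1") for l in lines):
        return "no-such-user"
    return "rejected"


class SocketTransport:
    """Adapter so a real TCP connection exposes the two methods rcpt_probe uses."""
    def __init__(self, sock):
        self._sock, self._rd = sock, sock.makefile("rb")
    def sendall(self, data):
        self._sock.sendall(data)
    def readline(self):
        return self._rd.readline()


def probe_mx(mx_host, rcpt, timeout=10):
    """Live probe against an already-resolved MX host (MX lookup is out of scope)."""
    with socket.create_connection((mx_host, 25), timeout=timeout) as sock:
        return rcpt_probe(SocketTransport(sock), rcpt)


class ScriptedTransport:
    """Offline stand-in for a socket: replays constructed server replies, one reply
    (possibly multi-line) per client command, and records what the client sent."""
    def __init__(self, greeting, replies):
        self._pending = [l + "\r\n" for l in greeting]
        self._replies = [list(r) for r in replies]
        self.sent = []
    def sendall(self, data):
        self.sent.append(data.decode().rstrip("\r\n"))
        if self._replies:
            self._pending.extend(l + "\r\n" for l in self._replies.pop(0))
    def readline(self):
        return self._pending.pop(0).encode() if self._pending else b""


def gmail_transcript():
    """Server side of the swaks session quoted in the thread (client IP replaced)."""
    return ScriptedTransport(
        ["220 mx.google.com ESMTP a199si3828494itd.133 - gsmtp"],
        [["250-mx.google.com at your service, [192.0.2.10]", "250-SIZE 157286400",
          "250-8BITMIME", "250-STARTTLS", "250-ENHANCEDSTATUSCODES", "250-PIPELINING",
          "250-CHUNKING", "250 SMTPUTF8"],
         ["250 2.1.0 OK a199si3828494itd.133 - gsmtp"],
         ["550-5.1.1 The email account that you tried to reach does not exist. Please try",
          "550-5.1.1 double-checking the recipient's email address for typos or",
          "550-5.1.1 unnecessary spaces. Learn more at",
          "550 5.1.1  https://support.google.com/mail/?p=NoSuchUser a199si3828494itd.133 - gsmtp"],
         ["221 2.0.0 closing connection a199si3828494itd.133 - gsmtp"]])


def catch_all_transcript():
    """Constructed: an MX that accepts every recipient, so the probe learns nothing."""
    return ScriptedTransport(
        ["220 mx.catchall.example ESMTP"],
        [["250-mx.catchall.example", "250 PIPELINING"],
         ["250 2.1.0 Ok"], ["250 2.1.5 Ok"], ["221 2.0.0 Bye"]])
```

Two caveats a practitioner should keep in mind: 'accepted' is the honest answer for a catch-all or accept-all MX and must not be recorded as "valid", and probing in volume from one address quickly earns throttling or blocklisting from the large providers, which is the commercial reason services like the one in the article exist.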

------
eli
Mirror
https://web.archive.org/web/20190307231618/https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/

------
maherbeg
I wish Google would build an OAuth flow that would provide an obfuscated and
unique email address to services that need an email address for logins or any
communication at all.

~~~
zaidf
I’d just be happy if Google made it harder for third parties implementing
“login with google” to not get access to your entire org’s user list (when the
org uses gsuite.)

~~~
tgsovlerkhgsel
Can you elaborate? I thought "login with Google" meant a pretty useless token
(granting access to that user's basic profile info).

Can additional OAuth scopes be requested and do the third parties request the
contacts permission, then harvest the organizations' contacts, and is there no
setting in the admin menu to prevent either the OAuth grant or the contact
access?

~~~
zaidf
Lots of SaaS companies have a “sign up with google” button which gives them
access to the employee directory assuming your org uses google suite. It’s
unfortunate yesteryear’s shit growth hack for consumer apps is reappearing in
a worse way.

------
aaronharnly
[WAS: If I'm reading the Wired article[1] correctly, the haveibeenpwned.com
database of email addresses has itself been leaked?]

EDIT: Replies have corrected my misunderstanding, thanks! Troy was saying that
his own personal email was also in the dataset.

Hunt says some of his own information is included in the Verifications.io
exposure. "The main takeaway for me is that this is just another case where
someone has my data, and hundreds of millions of other people’s data, and I’ve
absolutely no idea how they got it," Hunt says. "I’d never heard of the
company until now and I certainly can’t ever recall consenting to their use of
my data. Of course, it’s entirely possible that buried in some other service’s
terms and conditions it says they’re allowed to pass my data around in this
fashion, but that’s not really consistent with my expectations of how my data
should be used."

[1] https://www.wired.com/story/email-marketing-company-809-million-records-exposed-online/

~~~
ineedasername
No, he's saying the leaked database has an entry for him. Not that his own
database of leaks has been breached.

~~~
aaronharnly
Ah, got it. Like, Troy is a real person who has his own email address too :)

------
sfopdxnonstop
I do what others have said - I have domains and use pre-defined (DreamHost, no
catch all) addresses different for most sites. I also define a bunch of
generic ones I can reach for on the go. I have about 150 now.

Is it worth it?

I don't know. It's part of the patchwork of steps I take, better than many
people but by no means failsafe.

~~~
Dahoon
Why do you not use catch all? I do and if someone somehow should get the main
mail address I'd just change it.

------
mattbeckman
Company I work for was using an email verification service for the first time.
We have a lot of brands, so I was being my white hat self and checking it out
before we risked importing our largest subscriber brands.

It took me all of 10 minutes to find a convenient JSON endpoint with
incrementing IDs that didn't disallow cross-account pulls. It wasn't a public
MongoDB endpoint like the above, but we did get a pretty sweet discount rate
for reporting it to them and, you know, not abusing some other customer lists
with 300M+ emails.
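The bug mattbeckman describes is an insecure direct object reference: a sequential id dereferenced without checking whose record it is. The following is an added example, not the service's code: the vulnerable handler beside the fixed one, an opaque-token layer as defence in depth, and the ten-minute enumeration that finds the bug, run against constructed sample lists for two made-up customer accounts (acme and globex).

```python
import secrets


class NotFound(Exception):
    """Maps to an HTTP 404 in the real service."""


# Constructed sample data: three subscriber lists belonging to two customer
# accounts, keyed by the sequential integer id the comment describes.
LISTS = {
    1: {"owner": "acme",   "emails": ["a@acme.example", "b@acme.example"]},
    2: {"owner": "globex", "emails": ["ceo@globex.example"]},
    3: {"owner": "acme",   "emails": ["c@acme.example"]},
}


def get_list_vulnerable(session_account, list_id):
    """The bug: the id is dereferenced directly and the caller's account is never
    compared with the record's owner (think GET /api/lists/<id>)."""
    if list_id not in LISTS:
        raise NotFound()
    return LISTS[list_id]["emails"]


def get_list(session_account, list_id):
    """The fix: authorise against the record itself, and answer 'not yours' and
    'does not exist' identically so the id space cannot be mapped either."""
    row = LISTS.get(list_id)
    if row is None or row["owner"] != session_account:
        raise NotFound()
    return row["emails"]


# Defence in depth, not a substitute for the owner check: expose random tokens
# instead of the sequential primary key so ids cannot be walked at all.
PUBLIC_IDS = {secrets.token_urlsafe(16): list_id for list_id in LISTS}


def public_id_for(list_id):
    """Token a customer would see in the UI/API for one of their lists."""
    return next(tok for tok, i in PUBLIC_IDS.items() if i == list_id)


def get_list_by_token(session_account, token):
    """Token resolution still goes through the authorised accessor."""
    return get_list(session_account, PUBLIC_IDS.get(token))


def walk_ids(handler, session_account, max_id):
    """What the commenter did: iterate the id space as one customer and see whose
    lists come back. Returns {id: number_of_foreign_emails_exposed}."""
    foreign = {}
    for list_id in range(1, max_id + 1):
        try:
            emails = handler(session_account, list_id)
        except NotFound:
            continue
        if LISTS[list_id]["owner"] != session_account:
            foreign[list_id] = len(emails)
    return foreign


if __name__ == "__main__":
    print("vulnerable:", walk_ids(get_list_vulnerable, "globex", 10))
    print("fixed:     ", walk_ids(get_list, "globex", 10))
```

The order of the two lines in get_list matters: checking ownership before returning anything is the actual fix, while random tokens only remove the cheap enumeration; a token that leaks in a log or referer still must not open another tenant's list.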

~~~
lixtra
So you still went with them after exposing their incompetence?

~~~
tpetry
„They fixed the bug and promised the data would be secure now.“ /s

------
hendersoon
This is why I sign up with a different email address for every site. You need
your own domain to do that properly, but Gmail users can use (for example)
"email+hackernews@gmail.com" to end up with a unique address. Of course it
would be simple to get your real address out of that, but I doubt anyone but a
spear phisher would bother.
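Two threads above argue over plus-addressing: albertgoeswoof and hendersoon recommend a unique address per site, x2f10 points out that a "+tag" is trivially stripped, and NightlyDev notes that an alias on your own domain gives nothing away. The following is an added example, not code from any of the commenters or from idbloc.co: the normalisation a data broker applies before merging records, beside a keyed per-site alias generator for a catch-all domain you control, with a reverse lookup so the owner can tell which signup leaked. The mydomain.example domain and the secret key are assumed placeholders.

```python
import hashlib
import hmac

# Providers that ignore dots in the local part and treat "+tag" as a sub-address.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical(addr):
    """What a broker does before merging records: lower-case, drop any '+tag'
    sub-address (common to most providers), and for Gmail also drop the dots.
    Everything John+uniqueidentifier@gmail.com adds disappears in one line."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def site_alias(site, secret, domain):
    """Per-site address on your own domain. The tag is a keyed hash of the site
    name, so two aliases share no visible root and nobody without the secret can
    link them or guess the next one. 'domain' is assumed to be a catch-all you run."""
    tag = hmac.new(secret, site.strip().lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{domain}"


def site_for(alias, secret, domain, known_sites):
    """Owner-side reverse lookup: which signup handed this alias on?"""
    for site in known_sites:
        if hmac.compare_digest(site_alias(site, secret, domain), alias):
            return site
    return None


def linkable_groups(addresses):
    """Group addresses a broker would fold into one identity."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical(addr), []).append(addr)
    return groups


if __name__ == "__main__":
    key = b"constructed-secret-key"
    hn = site_alias("hackernews", key, "mydomain.example")
    shop = site_alias("shop", key, "mydomain.example")
    print(linkable_groups(["john+hn@gmail.com", "j.ohn+shop@gmail.com", hn, shop]))
```

Keep the site list and the key with your password manager: without the key the aliases are unlinkable random strings, and with it the reverse lookup turns an unexpected mail to one of them into the name of the service that sold or leaked the address.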

------
bhhaskin
The fact that the company shut down their website is a little bit sketchy.... I
wonder if it was a legit operation.

------
auslander
> .. Troy Hunt is adding the Verifications.io data to his service.

Now my data is in another database. Sigh.

------
Fzzr
Time to advise your friends to be extra cautious against phishing attempts.

------
skilled
I honestly don't see how this could have gone in a positive direction, even if
it was stated somewhere deep in the TOS that they might use the data.

An interesting situation nonetheless.

------
SunnyS
Unsecured MongoDB as the default configuration. No wonder it was leaked.

------
NightShade112
Here is the original article: https://www.wired.com/story/email-marketing-company-809-million-records-exposed-online/

------
NightShade112
Original story here: https://www.wired.com/story/email-marketing-company-809-million-records-exposed-online/

------
jaunkst
I have more than that in my spam folder

------
FuckOffNeemo
HN, Hug of Death?

------
diek00
There needs to be a wall of shame

~~~
Sohcahtoa82
Here's two of them:

[https://haveibeenpwned.com/PwnedWebsites](https://haveibeenpwned.com/PwnedWebsites)

[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

~~~
beatgammit
Fair warning on the second link: it's Tumblr and redirects https -> http
(probably intentionally, given the content), and I didn't see an obvious way
to search.

The first is an awesome resource, and they publish password leaks as well, and
they have a secure way to check if your password has been in a leak (my
password manager, Bitwarden, integrates with them).
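The "secure way to check" beatgammit mentions is the Pwned Passwords range API, which uses k-anonymity: only the first five hex characters of the password's SHA-1 are sent, the server returns every suffix it knows under that prefix, and the match is done locally. The following is an added example, not haveibeenpwned's or Bitwarden's code: the client side of that exchange with the network call injected, so the offline test runs against a constructed range response (the suffix for SHA-1("password") is real, the counts are invented). The User-Agent string is an assumed placeholder.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_query(password):
    """k-anonymity split: only the 5-char prefix ever leaves your machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Parse the 'SUFFIX:COUNT' lines of a range response and look for ours locally.
    Padded responses carry filler suffixes with count 0, which means 'not found'."""
    for line in body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count or 0)
    return 0


def pwned_count(password, fetch_range):
    """fetch_range(prefix) -> response body text. Injected so this runs offline
    (fetch_range_offline) or live (fetch_range_live) with the same logic."""
    prefix, suffix = split_for_query(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix, timeout=10):
    """Real query. Add-Padding asks the API to pad the body so its size does not
    hint at which prefix was asked about."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed range response for prefix 5BAA6: the genuine suffix of
# SHA-1("password") plus two made-up neighbours; counts are invented.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "0" * 34 + "A:7",
    "F" * 35 + ":0",          # a padding entry
]) + "\n"


def fetch_range_offline(prefix):
    """Stand-in for fetch_range_live that serves the constructed body above."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else "F" * 35 + ":0\n"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 9f3a"):
        print(repr(pw), "seen", pwned_count(pw, fetch_range_offline), "times (offline data)")
```

The property worth verifying in your own integration is the one the test checks: whatever the password, the fetch function only ever sees five hex characters, and the comparison against the full suffix happens on the client.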

