Verifications.io data breach (2019) — what was exposed and what to do

What happened

According to public breach records, the Verifications.io data breach on February 25, 2019 is reported to have exposed the personal information of 763,117,241 accounts.

In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.

On February 25, 2019, security researcher Bob Diachenko discovered a non-password-protected, internet-facing 150 GB MongoDB database belonging to the email-validation service Verifications.io, which he analyzed with fellow researcher Vinny Troia. The exposed database held roughly 763 million unique email addresses alongside attributes such as names, phone numbers, dates of birth, genders, IP addresses, employers, job titles, and physical addresses; no passwords were included. The exposure was notable both for its scale (one of the largest single email datasets ever disclosed) and because the data came from a service that aggregated and verified contact records rather than from credentials stolen via a targeted attack; the company took the database down the same day it was notified and its website went offline shortly afterward. ["Treat your email address and phone number as known to spammers and scammers: be skeptical of unsolicited messages, and never act on a link or attachment in an unexpected email or text.", "Watch for targeted phishing that uses your real name, employer, or job title to appear legitimate, since those details were part of this exposure.", "Enable two-factor authentication on accounts tied to this email so an exposed address alone cannot be used to take them over.", "Consider using email aliases or filtering for high-spam senders, as this address has likely been circulated in marketing and scam lists."]

What data was exposed

The following types of personal data were compromised:

• Dates of birth
• Email addresses
• Employers
• Genders
• Geographic locations
• IP addresses
• Job titles
• Names
• Phone numbers
• Physical addresses

Breach details

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Verifications.io; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

• Treat your email address and phone number as known to spammers and scammers: be skeptical of unsolicited messages, and never act on a link or attachment in an unexpected email or text.
• Watch for targeted phishing that uses your real name, employer, or job title to appear legitimate, since those details were part of this exposure.
• Enable two-factor authentication on accounts tied to this email so an exposed address alone cannot be used to take over the account.
• Consider using email aliases or aggressive spam filtering, since this address has likely been circulated in marketing and scam lists.

Check your exposure

Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.

Sources

• Breach of 'Verifications.io' Exposes 763 Million Records
• Have I Been Pwned: Verifications.io Data Breach