Update 3/29/2019: News about this breach is making the rounds on the internet again. Although there are no significant updates to the scope and number of affected accounts, it’s worth noting that the entire website and domain of Verifications IO were taken down and have been completely unavailable since right after news of the breach broke on Feb. 25.
Another massive data breach has just been discovered, and unlike the other Collections, it doesn’t look like these records have been part of any previous leaks. What’s worse, there’s quite a bit of personal information attached.
Even though this one wasn’t the result of hackers, your data could still be at risk, just the same.
So let’s take a look at what happened, and the next steps you can take.
A database for anyone to see
Hackers are always on the hunt for your unprotected data, and any chance they can get to exploit your info for their own gain. Luckily for us, security researchers are also looking for exposed data to make sure it gets secured before cybercrooks find it. That’s what happened in this case.
Security researcher Bob Diachenko found an unprotected database full of email records. It was broken down into four separate collections of records, but it included a lot more than just email addresses. The records also contained data like your last name, dates of birth, addresses, phone numbers, social media account details, credit score, gender info and more. Diachenko cross-referenced some of the data with HaveIBeenPwned’s huge database of previously exposed records, and found this info was brand new, and not part of any previous breach.
At first, Bleeping Computer reported that more than 800,000,000 email records were in the unprotected database. If only it were such a small number. According to SC Media UK, cybersecurity company DynaRisk says it was actually more than 2 billion unencrypted records.
So who do we have to thank for this latest exposure? Diachenko tracked the database back to Verifications IO LLC, a service for enterprise email validation. It apparently validates bulk email for companies that want to get rid of inactive addresses used for their newsletter distribution.
The silver lining
If there’s any good news relating to a breach of this scale, it’s that the company acted quickly once it was notified by Diachenko. He said it removed the exposed records the same day.
To add to that, so far there’s no indication that any of these records have been taken advantage of by criminals. So right now it appears no one else knew about it.
Finally, even if the records were seen by crooks, other detailed info like Social Security numbers, credit card numbers and passwords was not included. Verifications IO said in a statement that the open records were built with public information, not client data.
Make sure your data is secure
Even though it looks like your data in this case is safe and secure now, never assume that it is. With exposures like this seemingly becoming more commonplace, and millions or even billions of records getting exposed, chances are some of your personal data is out there from a past breach.
That’s why it’s always a good rule of thumb to review your online accounts and login information. Find out if your email address or passwords have been seen at HaveIBeenPwned, or through Hasso Plattner Institute’s credential checker tool.
Create strong passwords, and make sure they’re different for every online account. If you use the same password for a number of accounts and those credentials get stolen once, it puts your others at risk. We’ve got tips on how to create a secure password or passphrase here.
If any of your accounts offers two-factor authentication, or 2FA, activate the feature as an extra layer of security. Also try to find and close any accounts you no longer use. Here’s a handy online tool that can help.
Keep an eye on your bank account and credit cards for any suspicious activity, and of course watch out for phishing scams.