Verifications.io

Verifications.io is a defunct email-focused technology firm whose primary practice was to validate email addresses for email marketing platforms. The company's platform allowed for email marketing firms to submit lists to the company, which would verify the lists for valid email addresses.

The verifications.io data leak was reported by several news sources as being the largest data leak of U.S. citizens PII data in recorded history.

The total records within the company's largest single data release was 809 million records, 763 million of which were unique, though the total number of records which were exposed in three additional database leaks from the company would total to over 2 billion records breached.

In 2019, security researchers Vinny Troia and Bob Diachenko discovered the data from Verifications.io on a public MongoDB server which was setup without authentication.

Operations and company history
Verifications.io offered its clients services which could verify if emails were bounced, or were otherwise inactive, thereby helping email marketers send emails to actual users rather than random email addresses. The firm achieves its verifications by internal servers, which are matched with client records uploaded to the service for their verification. The firm verifies each email by sending a message to each address; if the message does not bounce, the firm considers it verified. Bounced emails are stored on a list which the firm can refer to in the event the same email is presented again.

Verifications.io officially claims to be an Estonian company based out of Tallinn, though many press filings released from and about the company suggested that it was based out of Boca Raton, Florida.

Data leak
The verifications.io data breach was discovered by security researchers Vinny Troia and Bob Diachenko in 2019.

The first Verifications.io data breach ultimately led to 763 million unique records being exposed to the web, with the vast majority of records containing PII and marketing data on U.S. citizens.

The breakdown of the records was 798,171,891 email records; 4,150,600 phone records, and 6,217,358 business lead records with each record including, at a minimum, zip code, a physical address, IP address, name, date of birth, gender and other marketing information.

The data leak was attributed to an unsecured MongoDB server that was left unprotected, allowing anybody to access the information with the correct link.

Troy Hunt, the founder of Have I Been Pwned?, has predicted that approximately 35 percent of all records is new to the Have I Been Pwned? database; as of the leak, the Verifications.io breach is the second largest breach added to Have I Been Pwned? after Hunt's own Collection No. 1. Many cybersecurity companies showed immediate concern that the data released in the breach could be used for social engineering attacks. Daniel Markuson, the blog editor for the online privacy firm NordVPN, raised concerns that 1 in 9 people in the world could be the targets of a social engineering campaign. McAfee additionally highlighted the databases' possibility to foster social engineering attacks against those whose information was exposed in the database.

The UK security firm DynaRisk however stated that Verifications.io was also linked to three other MongoDB data breaches. All four data breaches combined would total the number of records exposed to over 2 billion. DynaRisk further stated that the three other data breaches contained much more sensitive information, such as interest rates, mortgage amounts, Instagram and LinkedIn profiles linked to leaked emails, and credit scores. Cybersecurity professional Bob Diachenko stated that while not every single record contained all the mentioned types of information, a large number of them were "very detailed".

Response from the company
Diachenko emailed the company about the data breach, which responded by stating it was taking "appropriate measures" to correct the breach. By March 4, 2019, the website for the company was taken down. By March 15, MediaPost reported that Verifications.io was out of business.