At least 982 million users’ personal information was exposed during the tech firm Verifications.io’s massive privacy breach late last month, according to Unilad.co.uk.
The leaked data included names, birthdays and addresses along with details about users’ social media accounts and places of employment, the British outlet reported.
It put millions of users at risk of being hacked, spammed and taken advantage of by fraudsters.
An independent cybersecurity consultant, Bob Diachenko, was the first to discover the problem in late February while tracking an unsecured 150GB database back to the company’s website.
“This is perhaps the biggest and most comprehensive email database I have ever reported,” he wrote on his blog. “Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection.”
A total of 2 billion records were leaked during the incident, according to the tech news site HackRead.com.
Diachenko broke down the data as:
- Emailrecords (count: 798,171,891 records)
- emailWithPhone (count: 4,150,600 records)
- businessLeads (count: 6,217,358 records)
Although the leaked data did not include passwords, Hunt, on behalf of HIBP, informed millions of victims by email on March 10th, 2019. Diachenko, on the other hand, informed Verifications.io about the breach, and since then the Verifications.io domain has been offline.
The biggest challenge for users is social engineering attacks which include spear-phishing. Using these techniques, malicious users can craft extremely compelling email messages.
The sheer size of this database makes this data especially useful. The nature of the emails also makes it likely that the users in this database are of high value.
Business users could be at serious risk as e-mail addresses of colleagues can easily be spoofed – making incoming messages even more compelling to interact with.
A very bad cybersecurity situation has just gotten explosively worse.
Every business must take action to protect itself. The U.S. Department of Homeland Security explicitly tells us that we are NOT prepared for today’s attacks.
Organizations can choose to be low-hanging fruit, making it easy for hackers to focus on them, or do things properly to fend off attackers.
Prevention is crucial. Every company must take these steps:
- Cybersecurity training must be done regularly.
- Auditing and documentation must be performed regularly to ensure systems are secure.
- Anomaly detection should be running constantly to detect threats as they emerge.
- Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two companies’ reputations from being destroyed.
- Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.
- An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.
- Use phishing simulation which tests employees by sending safe phishing emails. Employees who click are quickly trained on what to avoid.
Protect your organization – even if you have internal IT, hire an experienced MSP or MSSP.
If you do get infected, be sure to hire an MSP with forensic experience who can handle the problem and get you back up and running as soon as possible.