How about a change?
Can we have a list of the sites that haven't been breached?
Oh, wait. There probably aren't any. We just haven't heard about them yet.
An unprotected MongoDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday. Today, however, it appears the scope of that security snafu may have been underestimated. According to …
Safe storage of what though, spam? If they weren't really storing anything crucial besides what spammers have, wtf is the point of using them at all... just for companies to say "we use the cloud for that"?
Maybe for too many "cloud" == "irresponsible".
P.S. maybe they aren't really a cloud, but it's not hard to imagine they were sold that way to beancounters.
If it uses Flat files, XML, JSON, YAML, Redis, Mongo, SQL Server, MySQL, MariaDB, C#, PHP, Perl, Ruby, Cobol, Visual Basic, BrainFuck or MSX Basic, and it runs on ARM, AMD or Intel Hardware, under Suse, RedHat, FreeBSD, RiscOS, AmigaOS, ReactOS or Qnix, on Laptops, Raspberry PI's, Atari ST's, Blades, Dell Power Edges or Sinclair calculators, hosted behind Dynamic DNS at home or co-located, then it qualifies as being Cloud, Enterprise and AI.
At least according to some of the marketing types I've had to work with.
The UK Govt should nab a copy, delete the data but keep the database structures.
Then fill it with the appropriate data on the 65m, and rising, citizens/subjects, with plenty of spare capacity for the aliases many people use.
Got to be easier, quicker and much cheaper than the numerous failed IT projects we ( eg Capita ) keep failing on.
I am guessing Verification.io business will be titsup within 6 months, not that I would be saddened in anyway by that. Why pay for their service now when you can download their entire db for free and do your own checks? Plus no doubt when the sh1t load of spam starts to hit these email addresses a lot will become abandoned by the owners and will therefore we worthless.
I checked our corporate email listings on https://haveibeenpwned.com/ and the vast majority of addresses in the databases are nonexistent and always have been, there's a nice industry out there creating fake email addresses to pad out the lists they are selling. But it's a very useful source of addresses for the mail-server honeypots - if I get an email to a honeypot address I blacklist the address that sent it for a few hours.
Yeah I'd agree - our company domain listing from HIBP has an awful lot of never-existed aliases and some that are blatantly never going to exist and aren't even a good effort.
It is interesting though that some are either guesses at possible aliases for staff that really do work for the company even though we've never set those aliases up and have no intention of doing so. Presumably someone once guessed at addresses, then got breached and those not-actually-true addresses got added to the growing list of nonsense.
@Vince It is always interesting to have a look: Creating fake addresses and trying them has long been a thing. I remember some very bizarre prefixes before the @ that would never be real addresses in a million years, when, for a bit of an investigation* I (briefly) disabled auto bounce of unknown addresses.
* To trick malicious senders into thinking they had a few legit addresses due to non bounce, and then I could carefully investigate subsequent emails sent to those addresses (perm disabled bounce for them) for hints of potential attacks to be aware of
I'm a client but I never knew I signed up for it. My email is legit, the only thing that I got was a letter from pwned say my data was breached almost a week later. It worried me to think that my info that I keep.under lock n key like phone numbers address name pics and letters may have been or were exposed. Now I'm trying to figure out if any of my other emails have been exposed. It's bad enough that the government has info on me and tracks everyone now I get this.
Grrr....So frustrating to me especially since I don't recall ever signing up for verification.io.
Sdy
Who the hell is verifications.io? I have never heard of this company until I received an email from haveibeenpwned, but apparently they had 3 email addresses from a personal domain.
So what information did they have on me besides just my email address. How were they "verified"?
Sus as shit!
Edit: even Hunt says. "I’d never heard of the company until now and I certainly can’t ever recall consenting to their use of my data. Of course, it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion, but that’s not really consistent with my expectations of how my data should be used." - from a wired article about this story.
According to the email I just got from HIBP...
> Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
WTF of the highest proportions. Who are these people? This seems to me like a violation of all seven principles of the GDPR.
“it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion
I know for a fact that one of the email addresses flagged to my domain does not exist and has never existed and I can therefore guarantee consent was never supplied to anyone for it to be stored or transferred.
I know MongoDB is Webscale, but what benefit does it provide here? The data types don't change much and are easily normalised. Please someone fill me in!