back to article That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus?

An unprotected MongoDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday. Today, however, it appears the scope of that security snafu may have been underestimated. According to …

  1. Will Godfrey Silver badge

    How about a change?

    Can we have a list of the sites that haven't been breached?

    Oh, wait. There probably aren't any. We just haven't heard about them yet.

    1. Anonymous Coward
      Anonymous Coward

      Re: How about a change?

    2. Version 1.0 Silver badge

      Re: How about a change? has been secure for years.

    3. Graham Dawson Silver badge

      Re: How about a change?

      Pretty sure is still secure.

  2. Terry 6 Silver badge

    Safe storage

    On the one hand this is their stock in trade

    On the other it's as if they don't think it's worth protecting.

    Like a factory keeping its supplies under a tarpaulin

    sheet in the middle of the field where they plan to extend the car park. one day.

    1. Anonymous Coward
      Anonymous Coward

      Re: Safe storage

      Safe storage of what though, spam? If they weren't really storing anything crucial besides what spammers have, wtf is the point of using them at all... just for companies to say "we use the cloud for that"?

      Maybe for too many "cloud" == "irresponsible".

      P.S. maybe they aren't really a cloud, but it's not hard to imagine they were sold that way to beancounters.

      1. Shady

        Re: easy pickings

        If it uses Flat files, XML, JSON, YAML, Redis, Mongo, SQL Server, MySQL, MariaDB, C#, PHP, Perl, Ruby, Cobol, Visual Basic, BrainFuck or MSX Basic, and it runs on ARM, AMD or Intel Hardware, under Suse, RedHat, FreeBSD, RiscOS, AmigaOS, ReactOS or Qnix, on Laptops, Raspberry PI's, Atari ST's, Blades, Dell Power Edges or Sinclair calculators, hosted behind Dynamic DNS at home or co-located, then it qualifies as being Cloud, Enterprise and AI.

        At least according to some of the marketing types I've had to work with.

        1. katrinab Silver badge

          Re: easy pickings

          Cloud - operates over a network connection, this can include a Samba network share

          Enterprise - can be used by a company

          AI - contains if statements

      2. GnuTzu

        Re: Safe storage

        Marketers? Acting responsibly towards consumers? What dreamland was this supposed to be about?

      3. Anonymous Coward
        Anonymous Coward

        Re: Safe storage

        According to our marketing drones, our systems are on the cloud because our servers (physical boxes we own) aren't in our building...

  3. The Nazz

    UK Government

    The UK Govt should nab a copy, delete the data but keep the database structures.

    Then fill it with the appropriate data on the 65m, and rising, citizens/subjects, with plenty of spare capacity for the aliases many people use.

    Got to be easier, quicker and much cheaper than the numerous failed IT projects we ( eg Capita ) keep failing on.

  4. Nate Amsden Silver badge

    the ultimate form of compliance?

    Q: What information do you have on me and how do you share it?

    A: Here is the IP of the database, no authentication needed take a look for yourself

  5. mark l 2 Silver badge

    I am guessing business will be titsup within 6 months, not that I would be saddened in anyway by that. Why pay for their service now when you can download their entire db for free and do your own checks? Plus no doubt when the sh1t load of spam starts to hit these email addresses a lot will become abandoned by the owners and will therefore we worthless.

    1. F0rdPrefect

      They're worthless to start with.

      I've just checked the latest HaveIBeePawned update for my small domain and none of the addresses leaked from have ever existed and are ones that I have black holed for years due to the amount of spam sent to them.

  6. Anonymous Coward
    Anonymous Coward

    Pawned - or not.

    I checked our corporate email listings on and the vast majority of addresses in the databases are nonexistent and always have been, there's a nice industry out there creating fake email addresses to pad out the lists they are selling. But it's a very useful source of addresses for the mail-server honeypots - if I get an email to a honeypot address I blacklist the address that sent it for a few hours.

    1. Vince

      Re: Pawned - or not.

      Yeah I'd agree - our company domain listing from HIBP has an awful lot of never-existed aliases and some that are blatantly never going to exist and aren't even a good effort.

      It is interesting though that some are either guesses at possible aliases for staff that really do work for the company even though we've never set those aliases up and have no intention of doing so. Presumably someone once guessed at addresses, then got breached and those not-actually-true addresses got added to the growing list of nonsense.

      1. tiggity Silver badge

        Re: Pawned - or not.

        @Vince It is always interesting to have a look: Creating fake addresses and trying them has long been a thing. I remember some very bizarre prefixes before the @ that would never be real addresses in a million years, when, for a bit of an investigation* I (briefly) disabled auto bounce of unknown addresses.

        * To trick malicious senders into thinking they had a few legit addresses due to non bounce, and then I could carefully investigate subsequent emails sent to those addresses (perm disabled bounce for them) for hints of potential attacks to be aware of

        1. katrinab Silver badge

          Re: Pawned - or not.

          I looked at one my my domains - 78 of the 86 email addresses on it are hex numbers. Does anyone ever use hex numbers as email addresses? Then there were things like sales@ which I guess some companies might have, but I don't.

  7. Anonymous Coward
    Anonymous Coward

    It's not called...

    MongoDB for nothing.

    Sorry, not very P.C. :-/

    1. W.S.Gosset Silver badge

      Re: It's not called...


  8. GrapeBunch

    Mon dieu!

    How is that even a business? If I offered lists of, oh, where's the best place in each town to set up a bordello, for example, I'd be called a criminal.

    1. Velv

      Re: Mon dieu!

      And an outstanding public citizen at the same time

  9. Kevin McMurtrie Silver badge

    Second theft

    Nobody has 2 billion e-mail addresses that have legitimately opted into marketing use. It really sounds like had a database of personal data that was already been abused.

  10. RuffianXion

    Show me the money

    So is this a GDPR non-compliance? Who do I send an email to to get redress (yes, I havebeenpwned)? I don't have time to trawl through 2 billion records to find the email address of's CEO (Catastrophic Errors Officer).

  11. adfh

    So now the question is...

    ... who are the clients who used

    I got an alert for my family domain from and several legitimate email addresses were indeed flagged.

    1. I'm one of them

      Re: So now the question is...

      I'm a client but I never knew I signed up for it. My email is legit, the only thing that I got was a letter from pwned say my data was breached almost a week later. It worried me to think that my info that I keep.under lock n key like phone numbers address name pics and letters may have been or were exposed. Now I'm trying to figure out if any of my other emails have been exposed. It's bad enough that the government has info on me and tracks everyone now I get this.

      Grrr....So frustrating to me especially since I don't recall ever signing up for


  12. mptBrain

    Who the hell is I have never heard of this company until I received an email from haveibeenpwned, but apparently they had 3 email addresses from a personal domain.

    So what information did they have on me besides just my email address. How were they "verified"?

    Sus as shit!

    Edit: even Hunt says. "I’d never heard of the company until now and I certainly can’t ever recall consenting to their use of my data. Of course, it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion, but that’s not really consistent with my expectations of how my data should be used." - from a wired article about this story.

    1. Angus Ireland

      According to the email I just got from HIBP...

      > Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses

      WTF of the highest proportions. Who are these people? This seems to me like a violation of all seven principles of the GDPR.

    2. Velv

      it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion

      I know for a fact that one of the email addresses flagged to my domain does not exist and has never existed and I can therefore guarantee consent was never supplied to anyone for it to be stored or transferred.

  13. Korev Silver badge


    I know MongoDB is Webscale, but what benefit does it provide here? The data types don't change much and are easily normalised. Please someone fill me in!

  14. bpfh Silver badge

    No continued compliancy

    An unused for 10+ years email address of mine is in the list...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like