Update 1: Vinny Troia contacted me to question DynaRisk’s claims. He informs this site that he has all four databases, has all of the data that is in the Dynarisk screenshots, and there is nowheres near 2 billion records. So it seems that this questions is unsettled as yet. DataBreaches.net will be contacting Dynarisk.
Update 2: I’ve sent an inquiry to DynaRisk, but more significantly, I found that this leak had first been discovered and reported prior to Security Discovery’s report. @Cyber_War_News reported finding it in January. In a chat with @Cyber_War_News this morning, he informed me that there were more than four databases and that they were hosted on a number of IP addresses or servers. While he didn’t run a full analysis of the data, he informs me that there were closer to 2 billion records than 800 million, and that he had notified Bob Diachenko of that after Bob’s report appeared.
So for now, it seems like the larger figure is more likely to be correct.
Update 3 and Correction: DynaRisk never responded to inquiries from this site, and Vinny Troia sent this site additional statistics and directory structure supporting their claim that there are about 809 million records. As to CWN, I had misunderstood what leak he was talking about. My apologies to everyone involved.
Original post, which I’m tempted to just delete as inaccurate, but will leave it here with the correction above.
Thomas Claburn reports:
An unprotected MongDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday.
Today, however, it appears the scope of that security snafu was dramatically underestimated.
According to cyber security biz Dynarisk, there were four databases exposed to the internet – rather than just the one previously reported – bringing the total to more than two billion records weighing in at 196GB rather than 150GB. Anyone knowing where to look on the ‘net would have been able to spot and siphon off the data, without any authentication.
Read more on The Register.