CRITICAL SEVERITYData Broker

Verifications.io Data Breach

Verifications.io Email Verification Service Breach: 763M Records Including Names, Phone & Location

Email verification and marketing lead data service (now defunct)

Verified by ObscureIQ Intelligence

X in f @

8.0Severity

763.1MRecords

10Fields

2019Year

ObscureIQ Breach Intelligence Scores

1.0

Breach Risk Index

Data Value

Market Recency

2606

days

Since Breach

⚡ Risk Interpretation

High risk of spam, phishing, credential targeting, and large-scale marketing abuse. Verified-email status makes the dataset especially useful for attackers seeking live addresses.

🎯 Impact & Downstream Threats

The breach impact was severe because it exposed one of the largest publicly known marketing-data corpora of its kind. Have I Been Pwned says 763 million unique email addresses were exposed after researchers found a publicly accessible MongoDB instance with no password, and many records also contained names, phone numbers, IP addresses, dates of birth, and genders. That made the dataset highly useful for phishing, spam operations, identity linkage, profile enrichment, and targeted marketing abuse

Primary downstream threats:

Identity verification bypass using name + date of birth combination
SIM swap attacks where phone numbers are present
Targeted phishing campaigns using exposed email addresses
Doxxing risk from physical address exposure
Employment-based social engineering using job and employer data

🔓 Threat Vectors

Identity verification bypass

Phishing, credential stuffing & account takeover

Business Email Compromise seeding

Name-based social engineering

Profile enrichment

Pattern-of-life analysis & physical surveillance

Geolocation & account flagging

Vishing & authority impersonation

SIM swapping, vishing & SMS phishing

Physical stalking, mail fraud & identity verification

📋 Breach Intelligence

EntityVerifications.io

Organization • Global

Breach Date2019-02-01

HIBP Added2019-03-09

Records~763.1M (763,100,000 records)

Attack VectorSocial Engineering

Discovered ByBob Diachenko

Data SubjectsThird_Party

Breach PathwayDirect

SourceHave I Been Pwned / DataBreach.com / ObscureIQ ↗

SensitivityStandard

Breach ID1423;1422

StatusConfirmed

📝 Executive Summary

Verifications.io, an email validation and marketing-data service, exposed 763 million unique email address records after security researchers Bob Diachenko and Vinny Troia discovered the company's MongoDB database had been left publicly accessible without a password. No sophisticated attack was required. Anyone with an internet connection could access roughly 150 gigabytes of data. The company took its website offline during the disclosure process in February 2019. The exposed records went well beyond email addresses. Many entries also included names, phone numbers, physical addresses, IP addresses, dates of birth, genders, employers, and job titles. Because Verifications.io's core business was confirming that email addresses belonged to real, active users, the dataset was particularly valuable to bad actors. Verified, live addresses are far more useful for phishing campaigns and spam operations than unvalidated lists, and the additional personal details made large-scale identity profiling and targeted fraud easier to carry out. No passwords were included in the breach, but that offers limited reassurance given the volume and richness of the data. Affected individuals had no direct relationship with Verifications.io; their information was collected and held as third-party marketing data. People whose records were exposed face elevated risk of phishing attempts, spam, and identity-linked targeting. Anyone who suspects their information was included should treat unsolicited contact with extra caution, particularly messages that reference personal details to appear legitimate.

🏢 About Verifications.io

Verifications.io was an email validation and marketing-data service that helped customers clean and verify email lists for outreach and lead-generation use. In practice, that put it in the business of handling very large volumes of email-linked marketing and contact data rather than running a normal consumer platform.

Data Broker / Marketing Exposure | Email verification, marketing leads, and contact intelligence | Exposed lead verification database | Global

Global* defunct verifications.io

🗂 Why They Hold Your Data

Email-verification and lead-intelligence datasets aggregate email addresses, deliverability status, and marketing-linked contact intelligence for outreach and lead-generation workflows.

📰 Recent Developments

Verifications.io appears to be defunct. Public reporting after the 2019 exposure said the site went offline and the company appeared to be out of business shortly afterward, and today it is remembered mainly as a failed email-marketing data operation rather than as a continuing service.

🔍 Data Points Exposed

10 verified field types:

Dates of birth

Employers

Genders

Geographic locations

IP addresses

Job titles

Names

Phone numbers

Physical addresses;IP Address

Name

Exposure Categories

LocationPHYS ADDR | GEO LOCS

EmploymentEMPLOYER | JOB INFO

Canonical Fields

date_of_birth, email_address, employer, full_name, gender, geographic_locations, ip_address, job_information:job_title, phone_number, physical_address