Verifications.io 2019 Data Breach

Verifications.io Email Verification Service Breach: 763M Records Including Names, Phone & Location | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Social EngineeringData BrokerDate of BirthEmail AddressEmployerFull NameGenderGeographic LocationIP AddressJob Information
Low SeverityWebsite / service breach

Verifications.io Email Verification Service Breach: 763M Records Including Names, Phone & Location

Email verification and marketing lead data service (now defunct)

Verified by ObscureIQ Intelligence
19/100Breach Risk Index
10Data Value
10Market Recency
2606dSince Breach

Breach Intelligence Summary

Entity: Verifications.io · Actor: Unknown · Sources: 11 references
Attack: Social Engineering
Profile: Data Broker / Marketing Exposure · Email verification, marketing leads, and contact intelligence · Exposed lead verification database · Global
Timeline: Breach (2019-02-25) · Indexed (Mar 09, 2019) · Year (2019)
Exposure: 763.1M records · 10 fields: Date of Birth, Email Address, Employer, Full Name, Gender, Geographic Location, IP Address, Job Information, Phone Number, Physical Address
Status: Confirmed

Executive Summary

Verifications.io, an email validation and marketing-data service, exposed 763 million unique email address records after security researchers Bob Diachenko and Vinny Troia discovered the company's MongoDB database had been left publicly accessible without a password. No sophisticated attack was required. Anyone with an internet connection could access roughly 150 gigabytes of data. The company took its website offline during the disclosure process in February 2019. The exposed records went well beyond email addresses. Many entries also included names, phone numbers, physical addresses, IP addresses, dates of birth, genders, employers, and job titles. Because Verifications.io's core business was confirming that email addresses belonged to real, active users, the dataset was particularly valuable to bad actors. Verified, live addresses are far more useful for phishing campaigns and spam operations than unvalidated lists, and the additional personal details made large-scale identity profiling and targeted fraud easier to carry out. No passwords were included in the breach, but that offers limited reassurance given the volume and richness of the data. Affected individuals had no direct relationship with Verifications.io; their information was collected and held as third-party marketing data. People whose records were exposed face elevated risk of phishing attempts, spam, and identity-linked targeting. Anyone who suspects their information was included should treat unsolicited contact with extra caution, particularly messages that reference personal details to appear legitimate.

ObscureIQ assessment: High risk of spam, phishing, credential targeting, and large-scale marketing abuse. Verified-email status makes the dataset especially useful for attackers seeking live addresses.

Breach Impact

The breach impact was severe because it exposed one of the largest publicly known marketing-data corpora of its kind. Have I Been Pwned says 763 million unique email addresses were exposed after researchers found a publicly accessible MongoDB instance with no password, and many records also contained names, phone numbers, IP addresses, dates of birth, and genders. That made the dataset highly useful for phishing, spam operations, identity linkage, profile enrichment, and targeted marketing abuse at enormous scale.

About Verifications.io

Verifications.io was an email validation and marketing-data service that helped customers clean and verify email lists for outreach and lead-generation use. In practice, that put it in the business of handling very large volumes of email-linked marketing and contact data rather than running a normal consumer platform.

Why They Hold Your Data

Email-verification and lead-intelligence datasets aggregate email addresses, deliverability status, and marketing-linked contact intelligence for outreach and lead-generation workflows.

Recent Developments

Verifications.io appears to be defunct. Public reporting after the 2019 exposure said the site went offline and the company appeared to be out of business shortly afterward, and today it is remembered mainly as a failed email-marketing data operation rather than as a continuing service.

Data Points Exposed

10 verified field types
Date of Birth High
Email Address
Employer
Full Name High
Gender
Geographic Location
IP Address
Job Information
Phone Number
Physical Address High

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Employment-based social engineering using job and employer data
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Business Email Compromise seeding
  • Name-based social engineering
  • Profile enrichment
  • Pattern-of-life analysis & physical surveillance
  • Geolocation & account flagging
  • Vishing & authority impersonation
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Verifications.io breach?

Verifications.io, an email validation and marketing-data service, exposed 763 million unique email address records after security researchers Bob Diachenko and Vinny Troia discovered the company's MongoDB database had been left publicly accessible without a password. No sophisticated attack was…

What data was exposed?

Verified fields include Date of Birth, Email Address, Employer, Full Name, Gender, Geographic Location, IP Address, Job Information, Phone Number, Physical Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Breach Index
DataBreach.com
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachDirectory
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
DataViper.io
Independent catalogue listing
Cross-source
HackNotice.com
Independent catalogue listing
Cross-source
Keeper
Independent catalogue listing
Cross-source
Leak-Lookup
Independent catalogue listing
Cross-source
LeakCheck.io (+1)
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation