MongoDB Misconfiguration Exposed 2 Billion Records

The enterprise email verification service,, has exposed around 2 billion records due the misconfiguration of MongoDB instances.

The data leak was discovered by researcher Bob Diachenko, who identified an unsecured 150 GB MongoDB instance. Analysis of the database showed it contained around 809 million records. However, a subsequent analysis by DynaRisk revealed four MongoDB instances had been exposed, which in total contained 2,069,145,043 records. The MongoDB instances were not password protected and the information was stored in plaintext.

Oftentimes when large collections of email addresses and personal records are found online, they have been collected from multiple data breaches, but this batch appeared to have come from a single source and seemed to be a unique set of data.

Diachenko identified the source of the data as He sent the company a notification about the leak and the database was secured the same day. According to, the databases had been compiled from public sources of information rather than client data.

Most of the information in the database was limited to email addresses, although there were millions of records that had more detailed personal information such as IP address, name, gender, phone number, and other information such as personal mortgage amounts, interest rates, employment information, Facebook, LinkedIn, and Instagram accounts that are associated with the email address.

DynaRisk’s analysis showed that 196 GB of data had been exposed. The 150GB database identified by Diachenko contained 798 million email records, 4.15 million records with names and phone numbers, and 6.2 million business leads with more detailed information.

The service is used by businesses that want to send marketing emails, but do not want to be seen to be spamming. They use the service to verify email information prior to conducting their marketing campaigns to ensure that the email addresses are valid.

While it does not appear that the database has been downloaded in the weeks that the information was exposed, that cannot be ruled out. Such a large quantity of data could be used for phishing campaigns and other scams so even though the data is publicly available, the breach is potentially serious and could face a significant penalty for noncompliance with GDPR.

The exposed data has now been uploaded to the HaveIBeenPwned database. Troy Hunt, who runs the service, said it was the second largest data breach in history, but the largest breach that traces back to a single source. Troy Hunt also recently tweeted saying the HaveiBeenPwned database now contains an astonishing 7,674,575,000 records. That is 742 million more records than the world population.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of