Over 982 million records exposed by email validation company

When GDPR regulations were enforced, many of us were left thinking that our data would finally be respected and used only as specifically outlined. But in one of the latest data leaks containing over two billion records, evidence shows we have a long way to go when it comes to regulating how our data is shared.

Verifications.io offer data cleaning services to companies looking to improve their bounce rates, but over a period of weeks the data was being exposed by one of their servers. As a result, 2,069,145,043 records** (made up of both individual consumers and businesses) have been leaked, accessible to anyone with the know-how to find it.

Four databases were leaked, totaling over 196 gigabytes of personal and professional information suitable for cyber criminals to launch attacks.

In just one of these databases, 808,539,849 records were exposed:

  • emailrecords = 798,171,891 records
  • emailWithPhone = 4,150,600 records
  • businessLeads = 6,217,358 records

The lists can be used to target the people on it with phishing emails and scams, telephone push payment fraud, and the data contains enough information to enable tailored scams aimed at key staff who could be targeted for CEO fraud or Business Email Compromise.

Sadly, GDPR regulations aren’t specific enough to prevent our data being used in this way. While a company must ask your permission to share your information with a third party, you are typically being asked to opt in or out of receiving marketing from third parties. In this instance, Verification.io don’t fall into this category, simply offering data cleaning. Companies are actively encouraged to ensure that data is kept up to date – so any business using a service like Verification.io are simply following that advice.

As with any data leak of this nature, the advice remains the same:

  1. Check if your information has been leaked in the past using our free scanning tool (we have started importing the Verifications.io records to our database)
  2. Be vigilant when receiving unsolicited emails or phone calls. Scams come in all shapes and sizes so if you know your information was leaked, you could become a potential target.
  3. Ensure passwords for all your accounts are strong – 8-12 characters, upper and lower case characters, numbers and special characters.

If you’re concerned your email address may have been compromised and want advice, contact one of our cyber specialists at info@dynarisk.com.


Upon further examination of the data, we have adjusted our total number of emails leaked to 982 million (982,864,972 to be exact – not the two billion as previously stated). The discrepancy in totals can be put down to the various ways in which the data can be interpreted. The original analysis (carried out by a number of other researchers) is correct and these sources appear to have analyzed the ‘mainEmailDatabase’ file that was leaked and found 808 million records. DynaRisk analyzed the three more databases from the same leak, namely ‘EmailScrub, PyEmail, VerifiedEmails’ which were to be found on the same server. These additional databases have 1.278 billion records and by adding them together we got over two billion records. Having now had a chance to clean all of the combined data, there are an additional 191 million bringing the total of email addresses to 982,864,972.

Share this: