Breach, Data Security

22 million emails found in mystery open database

An otherwise unremarkable find of an open Elasticsearch database containing millions of records became a Sherlock Holmes mystery as researchers cannot figure out the database’s origins.

Security researcher Troy Hunt, of Have I Been Pwned, was informed in February about an open database he has named db8151dd containing 90GB of data containing 22.8 million emails. Hunt noted the information likely was not obtained by scraping public sites and was aggregated in a unique fashion.

“Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn't a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I've interacted with in the past as though the data source understood the association,” he wrote.

This has led Hunt to believe the database could be from or associated with a customer relationship management system. However, three months of investigating has only turned up three clues. These three phrases appeared repeatedly through the data.

  • This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.
  • Exported from Microsoft Outlook (Do not delete).
  • Contact Created By Evercontact. (Evercontact is a contact management app available on Android.)

Evercontact had no additional information for Hunt and with that as a dead end he decided to upload all the emails found in the database into Have I Been Pwned to make their owners aware.

Unsecured databases have been a scourge on the industry for several years with hundreds of millions of records containing highly confidential PII having been exposed.

Two of the larger incidents happened in the last few months with 7.4 billion records belonging to the French newspaper Le Figaro. In March more than five billion records were exposed after an Elasticsearch “data breach database” managed by a U.K.-based security firm and housing a trove of security incidents from the last seven years was left unprotected.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.