Security researchers Bob Diachenko and Vinny Troia discovered the exposure in late February. The database possessed no authentication protocols whatsoever; in fact, anyone with an internet connection could access the email records. Moreover, the email records also contained other personal identifying information such as names, genders, IP addresses, and much more. The researchers contacted Verifications.io immediately; the company confirmed the exposure and claimed to close it the same day.
Verifications.io labeled itself as an enterprise email verification service, allowing businesses to confirm harvested emails. However, Diachenko noted that threat actors could have used the service to refine their phishing attacks. The site went offline in early March; additionally, company representatives remain largely unresponsive to questions by the press, prompting more questions about the company.
When the researchers first announced the breach, the records exposed appeared to only number around 700 million. However, in subsequent weeks, the number of discovered records exposed rose.