Verifications.io, Park Mobile and others fall victim of data leaks.
30 May 2021BREACHAWARE HQ
A total of 19 breach events
were found and analysed resulting in 128,345,859 exposed accounts
containing a total of 23 different data types of personal datum
. The breaches found publicly and freely available included Verifications.io, Park Mobile, Adapt.io, Phone House and GUNS.COM. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Contact Data, Social Relationships Data, Locational Data, Behavioural Data, Documentary Data, Socia-Demographic Data, Financial Data, Technical Data, Transactional Data, Special Category.
Data Breach Analysis
One of the largest and most notable datasets in this group stems from Verifications.io. This incident has been widely discussed in the cybersecurity community due to its scale and content. Verifications.io was a firm offering email validation services to marketers. In its operation, it had accumulated a vast dataset of personal and business email addresses, as well as supplementary personal details. When its database was discovered unsecured and exposed, it revealed hundreds of millions of records. What makes this case especially significant is that the company wasn't hacked, its database was left open without authentication, making it accessible to anyone who stumbled upon it.Park Mobile, a popular urban parking payment platform, represents a modern intersection between consumer convenience and cybersecurity vulnerability. Since Park Mobile is used in many major cities to manage public parking through a mobile app, the data exposed reflects the daily habits and movement patterns of individuals. This raises implications about physical location privacy, especially when combined with data from other breaches.
Adapt.io, a B2B marketing and sales intelligence platform, was also part of this breach group. Services like Adapt.io compile and analyse business contact information to provide lead generation insights. While this kind of information might be considered public by some standards, its mass aggregation into a single database without user consent presents a classic case of passive data exposure that can be exploited in phishing campaigns or corporate reconnaissance operations.
Phone House, a European mobile phone retailer, suffered a data breach that impacted millions of users. The breach reflects the risks associated with consumer electronics retail, where identity, contact, and financial transaction data intersect. While Phone House has a significant presence in countries like Spain, the ripple effects of such a breach can stretch across borders, particularly when user accounts are reused or associated with major mobile network providers.
GUNS.COM adds a unique dimension to this data set. As a platform related to firearms sales and information, a breach affecting GUNS.COM not only reveals personal identifiers but potentially exposes individuals’ interests or participation in politically sensitive domains. This poses reputational, legal, and even personal safety concerns depending on the regional or political climate.
What makes this collective dataset especially noteworthy is the presence of 23 different types of personal data. These go beyond the standard pairings of email and password.
The convergence of such a wide spectrum of data types means the affected individuals could be profiled not only in terms of identity and location but also professional context, consumer behaviour, and digital habits. For example, linking an individual's email from Verifications.io with job title data from Adapt.io and license plate data from Park Mobile could yield a granular personal profile usable in highly targeted attacks.
From a systemic viewpoint, the inclusion of marketing data firms and location-based service providers shows how personal information is increasingly circulated not only by those we explicitly trust with it (like retailers), but also by third-party aggregators and validators. The distinction between consented and inferred data becomes blurred, especially when companies aggregate from multiple sources without explicit user knowledge.
Further, breaches like these demonstrate the persistence of older data in modern threat environments. Even if some of these services or datasets are now defunct, their contents continue to resurface in breach dumps, leak archives, and dark web marketplaces. This legacy data has long-term value for cybercriminals, especially when used in conjunction with fresh breach material.
When datasets from industries as diverse as marketing, telecommunications, transportation, retail, and firearms commerce are combined, the resulting risk footprint is both broad and nuanced. Each sector brings unique sensitivities. In regulated industries like firearms or finance, data exposure can trigger legal liabilities. In more consumer-facing services, the reputational damage and long-term erosion of user trust can be equally severe.
In this case, the sheer number of accounts, over 128 million, and the depth of exposed attributes make this group of breaches a strong illustration of how varied and interconnected personal data has become in the digital economy. While much of this information may appear fragmented on the surface, its assembly into unified records by malicious actors can significantly heighten individual and organisational risks.