Israeli marketing firm Straffic exposed 49 million unique email addresses after mishandling authentication credentials for an Elasticsearch database. The credentials were sitting in plain text on an unprotected web server. A security researcher using the Twitter handle 0m3n found the credentials on the webserver after receiving a link in a spam message. 70% of the emails in Straffic’s database were already present on Have I Been Pwned, the data breach notification site he created, and many of them “didn’t come from previous breaches”””
Source: https://www.bleepingcomputer.com/news/security/49-million-unique-emails-exposed-due-to-mishandled-credentials/