Personal information including names, gender, date of birth, address, employer and details of social media accounts were also listed.
Security researchers uncovered the breach in an unsecured online database created by Verifications.io, a shady company offering 'enterprise email validation'.
Not much is known about companies like Verifications.io since they often employ dubious spam tactics to verify their email lists.
After the database was discovered, their website had been taken down and they were unavailable for comment.
Marketing companies use these services to send out mass emails to a large email list, they need to 'validate' that the list of addresses are real or still active.
This usually involves sending a email to everyone on the list and checking to see if any messages bounce.
Because of the tedium of this and spam filters, marketing companies usually employ third party verification companies.
The data breach puts the millions of people involved at a higher risk of being exposed to hack attacks, fraud, nuisance calls and emails.
The unprotected and publicly accessible MongoDB database contained 150 gigabytes of marketing data, according to the researcher's blog post.
The website went offline after Cyber security expert Bob Diachenko, one of the researchers who found the breach, notified its support team.
It was unclear whether the exposed data was accessed by others. Passwords and payment card details were not leaked.
Other records in the collection appeared to be 'business intelligence data', related to generating sales leads at businesses.
This included company names, annual revenue figures, company websites, and industry identifiers.
The researchers said that Verifications.io offered a service to marketers where it would 'verify' lists of email addresses by sending emails to see if they bounced.
If they do bounce they simply put them in a 'bounce list' so they can easily validate it later on.
The company, with an Estonia address, sends out tens of thousands of emails to validate these users.
Each one of the users on the list gets their own spam message saying 'hi'.
Then the company sends a verified, and valid list of users to these companies so they can start a more focused phishing campaign, according to Mr Diachenko.
They said that marketing companies hide behind services like this so that they are not blacklisted for spamming.
More about: hacking