Huge data breach. Misconfigured spambot reveals 700m email addresses and number of passwords
In what could be one of the largest data breaches ever, a misconfigured spambot has inadvertently revealed it contains 711 million email addresses as well as a number of passwords.
The discovery was reported by Australian computer researcher Troy Hunt, who runs Have I Been Pwned, a website that allows users to check whether their personal data has been compromised in any of the numerous data breaches happening around the world.
He made the discovery after he was alerted by another security researcher, known as Benkow, to the presence of a massive spam list, which spammers use to try to break into the email accounts of Internet users.
“Last week I was contacted by someone alerting me to the presence of a spam list. A big one,” Troy blogged. “That’s a bit of a relative term though because whilst I’ve loaded “big” spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River City Media.”
“The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP,” he warned. “Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.”
Essentially, the spammers had failed to secure one of their spamming servers based in the Netherlands, and Troy and Benkow are working together with law enforcement officials to get it closed down.
He went on to explain how he located files on this server, some of which contained just email addresses, while others contained email addresses and passwords. In some cases a single file contained hundreds of millions of email addresses.
The good news, however, is that not all the email addresses seem to be genuine, and many are not linked to real accounts. Some have been gathered from the public Internet, others are guessed email addresses.
Hunt warned that the majority of the passwords appear to have been collated from previous leaks. For example, one set seems to be from the 164 million account details (email addresses and passwords) stolen from LinkedIn in May 2016.
That actual LinkedIn attack took place back in 2012.
“Finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” Hunt blogged. “I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went ‘ah, this helps explain all the spam I get’.”
“And that’s the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth,” he wrote. “That, unfortunately, is life on the web today.”
Data breaches are unfortunately rife in today’s online world. Last year hackers working for an Eastern European criminal gang were responsible for the Yahoo data breach that saw the personal information of at least 500 million Yahoo users stolen.