700 Million-Plus Email Addresses Leaked by Spam OperationPasswords for Accounts Included With Some Addresses
A sloppy spamming operation has exposed on a server in the Netherlands gigabytes of files that include 711 million email addressees and some associated account passwords.
It's perhaps the largest batch of email addresses ever found in one spot. It tops the 393 million email addresses exposed earlier this year by U.S-based email and SMS marketing company River City Media, says Troy Hunt, an Australia-based data breach expert (see Backup Error Exposes 1.37 Billion-Record Spamming Database).
While a good chunk of the email addresses and accompanying credentials appear to have been taken from other well-known breaches, including LinkedIn, Badoo and the Exploit.in list, some of them, nevertheless, are valid, which puts some users at risk.
Hunt says individuals often reuse authentication credentials despite repeated warnings about the risks that come from data breaches. "There will be valid data in it," he says of the exposed batch of files. "The individual who passed this on has verified that there are valid credentials."
The data is still exposed on an IP address hosted in the Netherlands that is run by a Russian hosting company. The spam operators mistakenly left directory browsing open, which exposed the data. Dutch law enforcement has been notified, and efforts are being made to have it taken down.
The email addresses and credentials are used by a spambot called Onliner, which has been investigated by a Paris-based researcher who goes by the nickname Benkow.
Onliner, which has been around since at least 2016, has been used to send malware called Ursnif, which infects computers and collects online banking credentials, Benkow writes in his blog. The spam messages spreading Ursnif have, in the past, purported to be invoices from the shipping company DHL.
He contends that computer security researchers often ignore spambots. But studying such operations is important, he contends, especially because spam is a vector for spreading malware such as ransomware.
"In a successful cybercrime campaign there are different parts; the final payload is important but the spam process is very critical too," Benkow writes.
Benkow says that he's been tracking the group behind Onliner for more than a year. His discovery of Onliner's back-end data and components sheds light into how spammers are trying to circumvent spam defenses.
It has become a lot more difficult for spammers to send spam due to the myriad defensive technologies that block and filter junk mail. Spammers used to attempt to compromise SMTP servers directly, but that avenue has been largely closed off.
One of the alternatives is to try to gain access to large numbers of legitimate email accounts and use them for spam. That's where this massive list comes in. Compromising email accounts that are clean means there's a greater chance that a spam message sent from one will be delivered to other inboxes.
Big, Messy List
Benkow passed the data to Hunt, who runs the Have I Been Pwned? data breach notification site. HIBP lets users input their email address, and the service returns whether an individual's email address has appeared in any of dozens of significant breaches over the last few years.
It doesn't, however, return what password someone used for a particular service. But it's enough information to let people know they should probably change their password immediately, which is its main goal.
Hunt analyzed the data passed to him by Benkow, running the email addresses through his repository of breaches. A somewhat surprising finding emerged: Only 27 percent of the email addresses were "new" in the sense that the addresses hadn't appeared in other major breaches.
"I would have expected to see it over 50 percent," Hunt says.
The list, overall, is messy. It appears the spambot artificially generated random email addresses in hopes that one would be an actual address. The code in many of the files, which Hunt described as a "dog's breakfast," is rife with vulnerabilities.
"It is a really shoddy operation," Hunt says. "It seems like a lot of these sort of cybercriminals are certainly not elite programmers."
We Want Data
Hunt decided to load the data into HIBP even though this leak doesn't qualify as a pure, hacking-related leak. Hunt says he reasons that by putting it into HIBP, it gives people a reason as to why they might be receiving spam.
"I polled people before I did this," Hunt says. "Eighty five percent of people - and I had more than 1,000 responses - said I would like to know if my data appears in spam lists."
It has proved incredibly popular. Due to the media attention around the breach, HIBP received more than 1 million visitors in just six hours, an all-time record for an already popular service. Hunt has posted a commentary about Onliner on his blog.