Massive spambot dump leaks hundreds of email addresses
31 Aug 2017
In what appears to be the biggest dump ever, hundreds of millions of email addresses and a number of passwords have been leaked onto the internet.
The details have been leaked on to the internet due to a broken spambot, potentially endangering anyone contained within it. The details also include a password, which means some people's accounts may now be compromised.
But the 711 million addresses in the dump may not all belong to real people and the real number may be much smaller, as the dump contains a range of fake and repeated addresses, according to Troy Hunt, the security researcher who made the breach public.
All of the emails were collected by people running a spambot, which sends out emails en masse to people to trick them into giving up money. The addresses were being stored on an email server that was not properly secured and could be downloaded by other people.
In addition to the addresses, the dump also contains millions of passwords for some of those same email addresses. But according to Hunt who runs the website Have I Been Pwned, they appeared to have been taken from other password dumps, like that from LinkedIn, meaning that most people were already exposed to those security problems.
A Paris-based security expert, who calls himself Benkow was the first to flag the Spambot.
The ZDnet news site then brought it to wider attention.
According to experts, in cases where the attackers know only an email address, they can only target the owner with spam in the hope of tricking them into revealing more information.
However, when they also have login password and other details, they can secretly hijack their accounts to aid their campaign via a spambot known as Onliner.
"While the list of mailable addresses is quite large, it is probably no larger than any seen previously," Richard Cox, former chief information officer of the Spamhaus project, told the BBC.