Hundreds of millions of email addresses and some passwords have been leaked onto the internet, in probably the biggest dump ever.
A broken spambot has made the details available on the internet, potentially endangering anyone contained within it. And it also includes passwords, meaning that some people’s accounts may now be compromised.
The guy who discovered this is Benkow moʞuƎq and he’s done some really interesting malware and spambot analysis in the past.
There’s 2 important classes of data you need to understand:
- Email addresses. That’s it – just masses and masses of email addresses used to deliver spam to. In some cases, a single file may contain tens or even hundreds of millions of addresses.
- Email addresses and passwords. Benkow explains that these are used in an attempt to abuse the owners’ SMTP server in order to deliver spam. I also believe that many of these may simply be aggregations from various other breach sources I’ll talk about a little later on.
But despite the fact that 711 million addresses are contained within the dump, it’s unlikely that each belongs to a real person. The true number of real people is likely to be much smaller, because the dump contains a range of fake and repeated addresses.
A random selection of a dozen different email addresses checked against HIBP (have i been pwned website) showed that every single one of them was in the LinkedIn data breach. Now this is interesting because assuming that’s the source, all those passwords were exposed as SHA1 hashes (no salt) so it’s quite possible these are just a small sample of the 164m addresses that were in there and had readily crackable passwords.
Another file contains 4.2m email address and password pairs, this time with every single account having a hit on the massive Exploit.In combo list. This should give you an appreciation of how our data is redistributed over and over again once it’s out there in the public domain.
Yet another file contains over 3k records with email, password, SMTP server and port. This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from. There are many files like this too; another one contained 142k email addresses, passwords, SMTP servers and ports.
All of the emails were collected by people running a spambot, which sends out emails en masse to people in the hope that they’ll be tricked into clicking onto them and giving up money. They were storing those addresses on an email server that wasn’t properly secured, meaning that other people could simply drop in and download them all.
As well as the addresses, the dump also contains millions of passwords for some of those same email addresses. But Mr Hunt, who runs the website Have I Been Pwned, said that they appeared to have been taken from other password dumps, like that from LinkedIn, meaning that most people were already exposed to those security problems.
There’s no way of knowing where the data, which is probably compiled from a variety of sources, actually came from. The dump includes a range of addresses from different sources, many of which are fake but some of which are entirely real.
That diversity “illustrates how broad the sources of data inevitably are; finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” Mr Hunt wrote in his blog post.
“And that’s the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today.”
All of the addresses, as well as data from a range of other dumps, are now contained in the Have I Been Pwned database, which can be searched to find out whether any person was caught up in the data.