Spambot Server Exposes 711 Million Email Addresses

A security researcher using the name Benkow recently came across 711 million email addresses and passwords on an unsecured server for the Onliner spambot, and forwarded the find to Troy Hunt of the website Have I been pwned (HIBP).

Onliner, according to Benkow, has been used since at least 2016 to spread the Ursnif banking Trojan.

In a blog post explaining the breach, Hunt said this is the largest single set of data he’s ever loaded into HIBP.

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” he wrote.

Disparate Sources

According to Hunt, much if not all of the data appears to have been collected from previous breaches, including last year’s massive LinkedIn breach. In addition to large breaches, Benkow notes, credentials can also come from phishing campaigns or credential stealing malware like Pony.

“It took HIBP 110 data breaches over a period of two and a half years to acumulate 711 million addresses and here we go, in one fell swoop, with that many concentrated in a single location,” Hunt wrote. “It’s a mind-boggling amount of data.”

As a result, Hunt said, it’s not possible to know how all of the data was initially obtained. “For this particular incident, if you’re creating strong, unique passwords on each service (get a password manager if you don’t have one already) and using multi-step verification wherever possible, I wouldn’t be at all worried,” he wrote.

Protecting Passwords

Still, Lastline vice president of products and business development Brian Laing told eSecurity Planet by email that the sheer size of the breach should be cause for concern, let alone the damage it could cause. “This breach is an example of how hackers merge data from multiple sources, building dossiers on potential victims, including spear phishing targets,” he said.

“Every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data,” Laing added. “Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks, and Web applications.”

And VASCO Data Security director of product and market strategy Giovanni Verhaeghe said by email that breaches like these highlight the importance of user education regarding password management and password use. “Resetting compromised passwords can be a good first step, but the breach had little to do with the passwords that were used,” he said. “It was a result of the ease with which they can be accessed from the outside.”

Spammers Targeting B2B

According to a recent Kaspersky Lab report on spam and phishing in Q2 2017, 56.97 percent of all email traffic in the second quarter was spam.

The researchers noted a new surge in spam containing malicious attachments in password-protected archives, which has two key aims. “First, it is a form of social engineering, with the attackers emphasizing that all confidential data (such as business accounts) is additionally protected by a password,” the researchers wrote. “Second, until the files are extracted from the archive, they cannot be fully checked by antivirus software.”

Kaspersky Lab spam analyst expert Darya Gudkova said in a statement that cybercriminals have started to focus more on the B2B sector, seeing it as lucrative. “We expect this tendency will continue to grow, and the overall amount of corporate attacks, and their variety, will expand,” she said.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Latest articles

Top Cybersecurity Companies

Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.

Related articles