Is Your Email Password Part of Record 711 Million Dump?

A spambot containing an astounding 711 million email addresses — some with passwords, some without — was recently uncovered by a Paris-based security researcher.

The open and accessible web server is hosted in the Netherlands and contains “dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam,” according to this ZDNet story.

Initially, the researcher, who goes by the handle Benkow, contacted Troy Hunt who runs the breach notification site Have I Been Pwned (HIBP). The data has been uploaded to Hunt’s site. You can easily see if your email address was compromised.

It’s the largest batch of data Hunt has even uploaded to the site and his own email address was in there — twice.

“I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went ‘ah, this helps explain all the spam I get,’” Hunt wrote in a post where he also analyzes the data itself, which he calls “mind-boggling” in its magnitude, sharing some stats from HIBP to illustrate:

“Email addresses, passwords and SMTP servers and ports spread across tens of gigabytes of files. It took HIBP 110 data breaches over a period of 2-and-a-half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location.”

According to the ZDNet story, the spambot was used to deliver the Ursnif banking malware into unsuspecting email boxes around the world, resulting in “more than 100,000 unique infections,” Benkow said. Malware, of course, is just one tactic cybercriminals use to steal your identity.

WHY DO THIEVES WANT YOUR EMAIL? 

Why are cybercriminals after your email address? They might want to take over your email account and email your contacts with malware-laden spam, or mine personal information from your account they could use to steal your identity.

Skeptical about how this could happen? Is your email address connected to your bank and credit card accounts? What if you used the same password for your email that you do for your bank accounts? You’d be surprised at how many folks use the same password for every account, despite repeated warnings. There’s an amazing amount of information stored in most people’s inboxes — invoices, scanned ID’s, insurance information, tax forms, travel itineraries, all things that could be used for identity theft. The fact remains, we’re living a big part of our lives through our email now.

Hackers could also use the information they find in your email — like which businesses and organizations you regularly communicate with — to construct highly targeted phishing campaigns where they try to steal even more information from you.

WHAT CAN YOU DO?

As you’ve likely already gathered, you should:

    • Check to see if your email address (and possibly your password) has been compromised.
    • Change your email password. Be sure and create strong, unique passwords (and usernames!) for every website you use. The latest advice when it comes to passwords is to use a passphrase instead, which is much harder to crack. And while you might be used to hearing the password advice, you might not know that usernames are important as well. Even using StoreName+YourName is better than just your name.
    • Use a password manager if you don’t already.
    • Set up two-factor or two-step authentication with your email account and other accounts.
    • Don’t access your email on public computers and be extra wary about using public WI-FI. Instead, use your phone to set up your own password-protected hotspot.

  • Subscribe to LibertyID, the most effective identity theft solution. Millions of Americans have their identity stolen every year, and they don’t know how to repair the damage. If you’re a LibertyID member and your identity is stolen, we will fix it. Our certified restoration specialists could save you hundreds of hours of work by placing fraud alerts, making all the necessary phone calls, filing the disputes and contacting government agencies, creditors, insurance companies and more. There’s no limit to the time or money we will spend to restore your identity to pre-event status. Sign up for an annual LibertyID subscription now and rest easy knowing our certified restoration specialists know just how to repair the damage.

Have you been a victim of a data breach?
Get Covered