The bad guys just got breached.
A spambot, a computer program that harvests email addresses in order to send spam for everything from weight loss pills to those notorious Nigerian prince emails, has exposed 711 million email addresses and a number of passwords.
Security researcher Troy Hunt said it was the largest set of data he has ever uploaded to his site, “Have I Been Pwned?” The site allows people to enter their email or username to see if they have been compromised.
“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” Hunt wrote.
There’s a good chance that checking “Have I Been Pwned?” will reveal that the spammers have your email address. Hunt said he found himself in the data set — but unfortunately, being listed gives little insight into how the bad actors got their hands on your data in the first place.
“Finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” he wrote. If anything, he said, it may explain an increase in spam you’ve been receiving.
The massive database was exposed because the spammers apparently neglected to secure their servers, allowing anyone who found them to access and download the information without entering any credentials.
Matthew Gardiner, a cyber security strategist at Mimecast, an email security company, told NBC News it’s also unclear how many times people may have downloaded the data from the spammers. He referred to this as a “re-breach” since the “bad actors” already had the data.
“It looks like they were sloppy in how they managed their servers with the data — so it left it in the public domain and then someone stumbled across it,” he said. “Did one guy download it or was it dozens, hundreds, thousands? They might not even know.”
While the sheer size of the breach is unprecedented, security experts say that not all of the email addresses appear to be valid. Hunt said many of them appear to have been incorrectly scraped from the public internet and others appear to have been guessed, so the number of people actually affected by the breach is likely far less than 711 million.
Change Your Password Anyway
Not every email address included in the breach came with a password. The passwords that were in the data set appear to have been gathered from previous leaks, including the LinkedIn breach from 2012. The data stolen in that breach appeared for sale on the dark web in May 2016, and LinkedIn responded by prompting users who may have been affected to reset their passwords.
“While it’s large in terms of numbers, it’s not that risky. [Information] was already in the wrong hands and who knows what they or their associates have been doing with it already,” Gardiner said.
While the breach still raises plenty of questions, Gardiner said it’s a good reminder to make sure you’re practicing good cyber security hygiene — and that goes beyond just having a strong, different password for every account.
“It’s a good time to remind people on the consumer side you should have up to date antivirus,” he said. “And be suspicious of any email you don’t expect.”