Millions of passwords also contained in breach, a result of spammers collecting information in attempt to break in to users’ email accounts
More than 700m email addresses, as well as a number of passwords, have leaked publicly thanks to a misconfigured spambot, in one of the largest data breaches ever.
The number of real humans’ contact details contained in the dump is likely to be lower, however, due to the number of fake, malformed and repeated email addresses contained in the dataset, according to data breach experts.
Troy Hunt, an Australian computer security expert who runs the Have I Been Pwned site, which notifies subscribers when their data ends up in breaches, wrote in a blog post: “The one I’m writing about today is 711m records, which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.”
It contains almost twice the records, once sanitised, than those contained in the River City Media breach from March, previously the largest breach from a spammer.
The data was available because the spammers failed to secure one of their servers, allowing any visitor to download many gigabytes of information without needing any credentials. It is impossible to know how many others besides the spammer who compiled the database have downloaded their own copies.
While there are more than 700m email addresses in the data, however, it appears many of them are not linked to real accounts. Some are incorrectly scraped from the public net, while others appear to have been simply guessed at by adding words such as “sales” in front of a standard domain to generate, for example, “email@example.com”.
There are also millions of passwords contained in the breach, apparently a result of the spammers collecting information in an attempt to break in to users’ email accounts and send spam under their names. But, Hunt says, the majority of the passwords appear to have been collated from previous leaks: one set mirrors the 164m stolen from LinkedIn in May 2016, while another set mirrors 4.2m of the ones stolen from Exploit.In, another pre-existing database of stolen passwords.
“Finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” Hunt says. “I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went ‘ah, this helps explain all the spam I get’.”
The leak is not the only major breach announced today. Video games reseller CEX notified customers that an online security breach may have leaked as many as 2m accounts, including full names, addresses, email addresses and phone numbers. Card information was also contained in the breach “in a small number of instances”, but the newest financial data dates to 2009, meaning it has likely expired for those users.
“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” the company said in a statement. “Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”