711 million email records were leaked by a spammer who is using verified email servers to get past spam filters. To get a sense of how big that number is, it’s almost one address for every single human in Europe. Previously, the largest known leak had 392 million records and belonged to River City Media. The new list obviously contains a lot of repetitions, but it also contains a whole lot of new ones.
This post covers all that is known about the leak, how to find out whether your email address has been leaked, and what to do next to keep yourself safe.
Businesses are targeted the most
The dump came from an Onliner spambot. These accounts were used to distribute spam emails laden with malware. The security researcher who goes by the name “Benkow” came across the credentials on a web server used as an Onliner command and control (C&C) asset.
At least since 2016, the spambot has been targeting businesses in countries such as Italy and elsewhere in the region. The emails carried Ursnif, a malware that can steal user data. The malware is also multifaceted: not only can the trojan steal data, but it also builds a list of SMTP credentials that allows it to send out the spam.
Benkow explains how Ursnif accumulates these credentials:
“To create the list, the attacker provides to the second module a list of emails and credentials like firstname.lastname@example.org:123456.
“Then, the module tries to send an email using this combination. [sic] If it works, credentials are added to the SMTP list. Else, credentials are ignored.”
How do these leaks happen?
Besides machines that are already infected with Ursnif, the records also come from earlier public leaks. This includes the massive LinkedIn data breach in 2016.
Benkow found a total of 80 million sets of email addresses, passwords, and SMTP configuration records in the directory. Onliner uses these details, in turn, to send “fingerprinting” emails to 630 collected user addresses. These messages use a hidden 1×1 GIF to record a recipient’s IP address and User-Agent and transmit them back to the spammer.
With that information, the attacker can specifically target Windows computers and exclude mobile devices.
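The fingerprinting step above works only if the recipient's mail client fetches the remote 1×1 image. As an added example (not code from the article or from Benkow's research), the following Python script flags remote images in an HTML message body that are sized or styled to be invisible, which is the kind of check a mail gateway or client can apply before deciding whether to load remote content. The sample message and the tracker host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

_NUM = re.compile(r"\d+")


def _px(value):
    """Parse '1', '1px' or '0' into an int; None when absent or non-numeric."""
    if value is None:
        return None
    m = _NUM.search(value)
    return int(m.group()) if m else None


class TrackingPixelFinder(HTMLParser):
    """Collect <img> tags that point to a remote server but are hidden or 1x1."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only a remote fetch can report IP and User-Agent back to the sender;
        # inline (cid:) or data: images are harmless for fingerprinting.
        if not src.lower().startswith(("http://", "https://")):
            return
        style = a.get("style", "").lower().replace(" ", "")
        w, h = _px(a.get("width")), _px(a.get("height"))
        m = re.search(r"width:(\d+)px", style)
        if m:
            w = int(m.group(1))
        m = re.search(r"height:(\d+)px", style)
        if m:
            h = int(m.group(1))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.beacons.append(src)


def find_tracking_pixels(html):
    """Return the src URLs of every remote image that looks like a beacon."""
    p = TrackingPixelFinder()
    p.feed(html)
    p.close()
    return p.beacons


# Constructed sample message: a visible logo, an inline image, and two beacons.
SAMPLE = """<html><body><p>Invoice attached.</p>
<img src="https://mail.example.net/logo.png" width="200" height="60">
<img src="cid:inline-image-1" width="1" height="1">
<img src="http://tracker.example/p.gif?id=abc123" width="1" height="1" border="0">
<img src="https://tracker.example/open" style="display:none;width:0px;height:0px">
</body></html>"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE):
        print("possible fingerprinting beacon:", url)
```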
How to find out if your credentials have been leaked
First, check Troy Hunt’s website, haveibeenpwned.com. There, enter your username or email address to check whether it has appeared in any leak and, if so, when. If you changed your password after the leak, chances are that you are safe.
When it comes to staying safe, do not sign up anywhere and everywhere; you never know where your data will be leaked from. Keep one account for signing up for all those non-serious services. This can be a Google or Facebook account, since your password is not handed to the site: the app or site just uses tokens to sign you in. Also, when you are online, make sure that you have proper security software, use HTTPS in your browser and always scan your mail.