Hundreds of millions of private email addresses leaked onto internet in biggest spambot dump ever

It's easy to find if you're affected – but there's not much you can do

711 million addresses are contained within the dump but it’s unlikely that each belongs to a real person
711 million addresses are contained within the dump but it’s unlikely that each belongs to a real person

Hundreds of millions of email addresses and some passwords have been leaked onto the internet, in probably the biggest dump ever.

A broken spambot has made the details available on the internet, potentially endangering anyone contained within it. And it also includes passwords, meaning that some people’s accounts may now be compromised.

But despite the fact that 711 million addresses are contained within the dump – enough to give one each for every man, woman and child in Europe – it’s unlikely that each belongs to a real person. The true number of real people is likely to be much smaller, because the dump contains a range of fake and repeated addresses, said Troy Hunt, the security researcher who made the breach public.

All of the emails were collected by people running a spambot, which sends out emails en masse to people in the hope that they’ll be tricked into clicking onto them and giving up money. They were storing those addresses on an email server that wasn’t properly secured, meaning that other people could simply drop in and download them all.

As well as the addresses, the dump also contains millions of passwords for some of those same email addresses. But Mr Hunt, who runs the website Have I Been Pwned, said that they appeared to have been taken from other password dumps, like that from LinkedIn, meaning that most people were already exposed to those security problems.

There’s no way of knowing where the data, which is probably compiled from a variety of sources, actually came from. The dump includes a range of addresses from different sources, many of which are fake but some of which are entirely real.

That diversity “illustrates how broad the sources of data inevitably are; finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” Mr Hunt wrote in his blog post.

“I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went ‘ah, this helps explain all the spam I get’,” he continued.

“And that’s the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today.”

All of the addresses, as well as data from a range of other dumps, are now contained in the Have I Been Pwned database, which can be searched to find out whether any person was caught up in the data.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in