In what could be one of the biggest data breaches of 2017, more than 700 million email addresses, as well as a number of passwords, have been leaked publicly because of an incorrectly configured spambot.
The total number of real users' contact details contained in the dump is likely to be lower, however, due to the number of fake, malformed and repeated email addresses contained in the dataset, according to data breach experts.
Australian computer security expert, Troy Hunt, who runs the Have I Been Pwned website, which notifies subscribers when their data ends up in breaches, wrote in a blog post: “The one I’m writing about today is 711 million records, which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that is almost one address for every single man, woman, and child in all of Europe.”
The data was available because the spammers failed to secure one of their servers, allowing any visitor to download many gigabytes of information without needing any credentials. It is impossible to know how many others besides the spammer who compiled the database have downloaded the copies.
While there are more than 700m email addresses in the data, however, it appears many of them are not linked to real accounts. Some are incorrectly scraped from the public net, while others appear to have been simply guessed at by adding words such as “sales” in front of a standard domain to generate, for example, “email@example.com”.
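The two paragraphs above explain why the headline figure overstates the number of real people affected: the dump mixes case variants and exact repeats, strings that are not addresses at all, and generic role mailboxes guessed by prefixing a word such as "sales" to a domain. The following triage routine is an added example written for this page; it is not code from the article, from Have I Been Pwned, or from the spambot's data. It assumes a plain list of one address per line, uses a constructed sample instead of the real dump, and uses a deliberately simple syntax check and a hypothetical list of role prefixes to show how an analyst estimates the plausible count of personal addresses before notifying anyone.

```python
import re
from collections import Counter

# Constructed sample lines of the kind a leaked address list might contain.
# These are made-up values for the example, not records from any real breach.
SAMPLE_LINES = [
    "alice@example.com",
    "Alice@Example.com",        # same mailbox, different letter case
    "bob@example.org",
    "sales@example.net",        # generic role prefix, likely guessed rather than harvested
    "info@example.net",
    "not-an-address",           # malformed: no "@" at all
    "carol@@example.com",       # malformed: doubled "@"
    "mailto:dave@example.com",  # scraping residue left on the address
    "bob@example.org",          # exact duplicate of an earlier line
]

# Hypothetical list of local parts that usually denote a shared role mailbox,
# not a person. Extend it to match the dataset you are triaging.
ROLE_PREFIXES = {"sales", "info", "admin", "support", "contact", "webmaster"}

# A deliberately permissive syntax check: one local part, one "@", and a
# domain with at least one dot. It is not a full RFC 5322 validator.
ADDRESS_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalize(raw):
    """Lower-case the address and strip common scraping residue."""
    addr = raw.strip().lower()
    if addr.startswith("mailto:"):
        addr = addr[len("mailto:"):]
    return addr


def classify(raw):
    """Return (normalized_address, kind) where kind is malformed, role or personal."""
    addr = normalize(raw)
    if not ADDRESS_RE.match(addr):
        return addr, "malformed"
    local_part = addr.split("@", 1)[0]
    if local_part in ROLE_PREFIXES:
        return addr, "role"
    return addr, "personal"


def summarize(lines):
    """Count how many lines survive each filter and how many unique personal addresses remain.

    Malformed lines are dropped first; duplicates are counted once they have
    been normalized, so case variants collapse onto the first occurrence.
    """
    counts = Counter()
    seen = set()
    for raw in lines:
        counts["raw"] += 1
        addr, kind = classify(raw)
        if kind == "malformed":
            counts["malformed"] += 1
            continue
        if addr in seen:
            counts["duplicate"] += 1
            continue
        seen.add(addr)
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{key:10} {value}")
```

On the constructed sample, nine raw lines reduce to three unique personal addresses once malformed entries, normalized duplicates and role mailboxes are set aside; the same shape of analysis is what shrinks a 711 million line dump to a much smaller set of people worth notifying.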
“Finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” Hunt says. “I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went ‘ah, this helps explain all the spam I get’.”