Huge data breach led to more than 700m email addresses being leaked

A spambot has leaked more than 700 million email addresses and passwords publicly in a huge data breach.

The data dump occurred thanks to a misconfigured spambot, dubbed ‘Onliner’, and was discovered by a Paris-based security researcher known as Benkow.

Troy Hunt, an Australian computer security expert, who runs the breach website, Have I Been Pwned (HIBP), said in a blog post “the one I'm writing about today is 711m records, which makes it the largest single set of data I've ever loaded into HIBP.”

The scale and size is hard to comprehend but Hunt summed it up nicely, “that's almost one address for every single man, woman and child in all of Europe”, he wrote.

The data were accessible due to an open and accessible web server used by spammers, and was hosted in the Netherlands. The web server stored a huge collection of email addresses and passwords that were used to send spam after breaking into the users’ accounts and sending emails from those accounts.

While the sheer number of leaked addresses and passwords is mind-boggling, there is some reason to be optimistic, as the actual number of real humans’ contact details contained in the dump will likely be reduced due to the number of fake and repeated email addresses contained in the data.

“The data in the dump has a bunch of junk prefixed to the address, junk which appears to be a HTML file name and may indicate the 'address' was scraped off the web and the parsing simply wasn't done very well”, Hunt said. “The point here is that there's going to be a bunch of addresses here that simply aren't very well-formed so whilst the '711 million' headline is technically accurate, the number of real humans in the data is going to be somewhat less”.

Indeed, the leaked email addresses have strong connections to the 164 million emails that were stolen from LinkedIn in May 2016. After running a random selection of different email addresses, Hunt found that “every single one of them” appeared in that data breach just over a year ago. Another set of email addresses tested, mirrored the 4.2 million stolen from Exploit.In.