In one of the largest data breaches ever, a spambot has leaked over 700 million email addresses and several million passwords publicly. However, the actual number of users affected might be much less than 700 million as a number of email credentials have been repeated and several are fake too.
The huge database, which consists of credentials from hundreds of millions of internet users, was first spotted by a security researcher, Benkow, on an open web server hosted in the Netherlands.
This server contained a number of text files with email addresses, passwords and email servers that were used to send spam.
The security researcher also told ZDNet that the spambot, dubbed ‘Onliner’, is used to deliver the ‘Ursnif’ banking malware via email and has infected over 100,000 systems worldwide.
Ursnif is malware used to steal data such as login details (including passwords) and financial data such as credit card numbers from the infected system, and it is typically sent as an attachment to an email.
Computer security expert Troy Hunt, who runs the ‘Have I Been Pwned’ website that notifies people when their data has been breached, said that this is the largest breached data set he has witnessed and is roughly equal to the entire population of Europe.
Processing the largest list of data ever seen in @haveibeenpwned courtesy of a nasty spambot. I’m in there, you probably are too.
“The largest to date has been a mere 393m records and belonged to River City Media. The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP,” Troy wrote in his blog post.
The malware targets Windows users, as iPhone and Android devices cannot be infected by it. To identify which system is being used to access the email account, the attacker includes a hidden pixel-sized image in the email.
As soon as the email is opened, the pixel-sized image determines the system information and relays it back to the attacker.
Troy also mentioned that 27 percent of the email addresses found in the breached data set were already on Have I Been Pwned. If you’re looking to confirm whether or not your email credentials have been leaked too, visit the website.