
711 million emails have been captured by a massive spambot

A recent gigantic data leak reveals that some 711 million email addresses, and even some passwords, have been used by a massive spambot, designed to spread malware that steals banking details and infects people’s computers to pump out more viruses as well as vast amounts of spam. 

Quote

One of the largest ever collections of email addresses, some with matching passwords, has been posted online. Seven-hundred-and-eleven-million email addresses have been identified in the data dump, which can be used by spammers and other cyber criminals.

Quote

The addresses - and in some cases associated passwords - have apparently been gathered to help spread banking malware.

Members of the public can check if their accounts have been affected via the Have I Been Pwned service.

Troy Hunt, who owns the website HaveIBeenPwned, said the leak was

Quote

the largest single set of data I’ve ever loaded into HIBP.

He also states:

Quote

Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,

It is highly recommended that users of any compromised email accounts change their account passwords as soon as possible.

Check whether your email has been compromised: https://haveibeenpwned.com/

Sources:

BBC - http://www.bbc.com/news/technology-41095606

The Verge - https://www.theverge.com/2017/8/31/16232144/onliner-largest-malware-spambot

News.com.au - http://www.news.com.au/technology/online/hacking/change-your-email-password-now-if-youre-on-this-list-of-711-million-accounts/news-story/3fecd838cbde75f59b6cad8d7d298f8b

Edited by JohnnyCorporalTech
website to check if email has been compromised

Good news for me was that the one incident of my email being compromised happened back in like 2013, and I've already changed the password since then.

 

https://haveibeenpwned.com/

"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

 RGB Build Post 2019 --- Rainbow 🦆 2020 --- Velka 5 V2.0 Build 2021

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage Samsung EVO 250GB, Samsung EVO 1TB, WD Black 3TB, WD Black 5TB    PSU Corsair CX750M    Cooling Cryorig H7 with NF-A12x25


2 minutes ago, TVwazhere said:

Good news for me was that the one incident of my email being compromised happened back in like 2013, and I've already changed the password since then.

 

https://haveibeenpwned.com/

My outlook account has been compromised once. My gmail is standing strong and uncompromised. 

There is more that meets the eye
I see the soul that is inside

 

 


I'm skeptical about using the haveibeenpwned site. What if somebody hacks it to get a record of all email addresses people searched for, and then adds all of them to another spam bot list? It seems to me like it could be exploited for email harvesting. But I don't know much about that stuff.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


12 minutes ago, Delicieuxz said:

I'm skeptical about using the haveibeenpwned site. What if somebody hacks it to get a record of all email addresses people searched for, and then adds all of them to another spam bot list? It seems to me like it could be exploited for email harvesting. But I don't know much about that stuff.

First off, Troy Hunt's mission is to fix the bullshit around companies hiding leaks.

Second, whether you go to the site or not, his database has your email if it has been leaked. You don't need to enter it since it's probably already there. And if it is leaked, well...ok, he grabbed the addresses from an already leaked source. He explains it in more detail on the site.

Troy Hunt is a great security expert and haveibeenpwned has actually shown to have quite an impact on leaks and breaches. Look through the site on the about and FAQs and look at his twitter.


6 hours ago, mynameisjuan said:

First off, Troy Hunt's mission is to fix the bullshit around companies hiding leaks.

Second, whether you go to the site or not, his database has your email if it has been leaked. You don't need to enter it since it's probably already there. And if it is leaked, well...ok, he grabbed the addresses from an already leaked source.

Troy Hunt is a great security expert and haveibeenpwned has actually shown to have quite an impact on leaks and breaches. Look through the site on the about and FAQs and look at his twitter.

Yeah, but Troy Hunt is not a person who might hack his website, and his intentions are not the same as those of someone who might hack his website.


Just now, Delicieuxz said:

Yeah, but Troy Hunt's person and intentions are not the persons and intentions of someone who might hack the database and website.

Again, if they do hack and leak it, it's already data that has been leaked. There is nothing lost if the data is stolen.


I mean, at this point it's pretty much all private email addresses ever anyways.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


Just now, mynameisjuan said:

Again, if they do hack and leak it, it's already data that has been leaked. There is nothing lost if the data is stolen.

My concern is that a log of all searched-for email addresses could be obtained by a hacker, in which case, email addresses that weren't on the spam list could then appear on other spam lists. Even if Troy Hunt doesn't keep a log of which email addresses are searched for, I wonder whether somebody could hack the site and leave a script that logs all entered email addresses somewhere else. If so, then the site could be maliciously turned into a place where everybody enters their email addresses into a spam list.


5 minutes ago, Delicieuxz said:

My concern is that a log of all searched-for email addresses could be obtained by a hacker, in which case, email addresses that weren't on the spam list could then appear on other spam lists. Even if Troy Hunt doesn't keep a log of which email addresses are searched for, I wonder whether somebody could hack the site and leave a script that logs all entered email addresses somewhere else. If so, then the site could be maliciously turned into a place where everybody enters their email addresses into a spam list.

Again he ALREADY HAS A DATABASE OF EMAILS whether you type it in or not. You type your email in, it compares it to his database, if not it discards it. Could there be a chance of a hacker logging those addresses, well yeah, but most of the time you are already in that database so they would just try to access that database rather than try to hack the site.

Also he is a security expert and periodically shows the attempts made by hackers and shows how he prevents them. So if you are paranoid then don't use the site. But the benefits of getting an email when your email has been leaked or even posted your password on pastebin is way better than not knowing because you think you might get added to a spam list. He explains the attacks and what they stole. It's a great site and he pays out of his own pocket to maintain this.


6 hours ago, mynameisjuan said:

Again he ALREADY HAS A DATABASE OF EMAILS whether you type it in or not. You type your email in, it compares it to his database, if not it discards it. Could there be a chance of a hacker logging those addresses, well yeah, but most of the time you are already in that database so they would just try to access that database rather than try to hack the site.

Also he is a security expert and periodically shows the attempts made by hackers and shows how he prevents them. So if you are paranoid then don't use the site. But the benefits of getting an email when your email has been leaked or even posted your password on pastebin is way better than not knowing because you think you might get added to a spam list.

My comment was not in concern of hackers getting the email addresses in his database, but of getting the email addresses searched for, which are not in the hosted database, thereby adding them to another database. The site could be made into a golden egg-laying goose for spam listers.

 

Good to hear that he pays attention to hacking attempts.


Just now, Delicieuxz said:

My comment was not in concern of people getting the email addresses in his database, but of getting the email addresses searched for, which are not in the hosted database, thereby adding them to another database. The site could be made into a golden egg-laying goose for spam listers.

Again just go to the site and read in the FAQ section why your point doesn't matter in the end.


9 minutes ago, mynameisjuan said:

Again just go to the site and read in the FAQ section why your point doesn't matter in the end.

It matters, as something to take into consideration where the whole goal is to ensure that an email address isn't on a spam list. The site's FAQ doesn't prove why what I mentioned is impossible - in fact, it raises the very point:

 

Quote

Is anything logged when people search for an account?
Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics and NewRelic performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.

 

Quote

How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.

 

So, Troy Hunt is not personally logging or harvesting searched-for email addresses. Nice to hear, but I didn't argue that he was.

 

Someone who hacks his website could install their own script to log and harvest searched-for email addresses, making the website a gold mine for spam lists - and Troy wouldn't necessarily know about it, unless he caught it. It could well be that he's on top of everything and there isn't anything like that happening.


Just now, Delicieuxz said:

It matters, as something to take into consideration. The FAQ doesn't prove why what I mentioned is impossible - in fact, it raises the very point, itself:

 

 

 

So, Troy Hunt is not personally logging or harvesting searched-for email addresses. Nice to hear, but I hadn't suggested that he was. But, someone who hacks his website could install their own script to log and harvest searched-for email addresses - and Troy wouldn't necessarily know about it, unless he caught it.

Like I said who cares. If you are added to a spam list whoopdee fucking doo. But instead if you do enter it and find out your email WITH password has been leaked and you prevent any damage before it happens is a hell of a lot better.

He said if you don't trust it don't use it. So just don't use it instead of complaining. This site has proven to be very helpful to many.


2 hours ago, VegetableStu said:

why so angry? o_o he asked nicely

Probably because the guy he's talking to is not actually reading what he's writing.

CPU i7 6700 Cooling Cryorig H7 Motherboard MSI H110i Pro AC RAM Kingston HyperX Fury 16GB DDR4 2133 GPU Pulse RX 5700 XT Case Fractal Design Define Mini C Storage Trascend SSD370S 256GB + WD Black 320GB + Sandisk Ultra II 480GB + WD Blue 1TB PSU EVGA GS 550 Display Nixeus Vue24B FreeSync 144 Hz Monitor (VESA mounted) Keyboard Aorus K3 Mechanical Keyboard Mouse Logitech G402 OS Windows 10 Home 64 bit


29 minutes ago, ivan134 said:

Probably because the guy he's talking to is not actually reading what he's writing.

no, he is mad that he finally understood the simple concept that emails being searched that haven't been previously pwned are NOT "data that has been leaked."

He realised he was wrong and is now being defensively angry.

All you can do is trust that Troy is both: not malicious, and impervious to being hacked.


1 hour ago, SpaceNugget said:

no, he is mad that he finally understood the simple concept that emails being searched that haven't been previously pwned are NOT "data that has been leaked."

He realised he was wrong and is now being defensively angry.

All you can do is trust that Troy is both: not malicious, and impervious to being hacked.

Another person who doesn't get the point.


2 hours ago, ivan134 said:

Probably because the guy he's talking to is not actually reading what he's writing.

I read what they wrote, but what they wrote didn't seem like it included an understanding of what my point was. Anyway, everything is clarified now.
