It’s never good news to receive an alert from the Have I Been Pwned? (HIBP) project but it’s better to know than not.
Founded by Troy Hunt after the historically embarrassing Adobe breach of 2013, HIBP is a database of breached, scraped and otherwise stolen email accounts that lets anyone check whether theirs is known to be circulating among cybercriminals.
Vast numbers are, and to this total we can now add another 711m, recently discovered by a researcher known as Benkow sitting unsecured in text files on a Netherlands-based server that has been using them to feed the “Onliner” spambot.
This, HIBP informs me, includes an email address registered to a domain I’ve used for years, the third time the site has spotted it inside a breach cache in four years.
Should I, or anyone else receiving the same email alert from HIBP about this spam list, be worried?
Hunt sums up the cache’s mountainous size:
Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.
It’s true the 711m haul is the largest yet reported by the site, but some of these will have been mentioned in previous breaches, in my case Adobe (152m) and Dropbox in 2012 (68m). Aggregated from different sources, the numbers aren’t cumulative.
HIBP also describes my email address as having been “pwned” in the latest dump although, strictly speaking, it’s the sites that allowed a breach to happen that deserve to be chastised – my failing was to entrust the address to companies that failed to protect it.
More concerning is what these addresses are being used for. Much of the new cache appears to be email addresses, which means that anyone whose address appears within it will be targeted by spam including, in the case of Onliner, the Ursnif banking malware.
Because my email address appeared in previous breaches, that was already the case, so arguably I’m no worse off than before. I’m in good company at least – Hunt spotted an email address used by him mentioned twice in the cache.
Of larger concern might be the group whose passwords are included, among them those apparently extracted from unsalted SHA-1 hashes that were part of the 2012 LinkedIn breach, whose troubling scale didn’t come to light until 2016.
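Why unsalted SHA-1 storage turns a leaked hash list straight into recovered passwords, and what a per-user salt with a slow KDF changes: this is an added illustration in Python, not code from the article, from HIBP or from LinkedIn, and the two-user list and four-entry table of common passwords are constructed sample data.

```python
import hashlib
import os

# Constructed sample: two accounts whose owners chose the same weak password.
USERS = {"alice": "password123", "bob": "password123"}

# Constructed stand-in for a precomputed table of SHA-1 digests of common
# passwords; a real one holds millions of entries but works the same way.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]
SHA1_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha1(password: str) -> str:
    """Deterministic: every user with this password gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def lookup_unsalted(digests: dict) -> dict:
    """One dictionary lookup per leaked digest recovers every common password."""
    return {user: SHA1_TABLE.get(d) for user, d in digests.items()}


def compare_schemes() -> dict:
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    salted = {u: salted_slow_hash(p, salts[u]) for u, p in USERS.items()}
    return {
        # Same password -> same digest: duplicates are visible and one table fits all users.
        "unsalted_digests_equal": unsalted["alice"] == unsalted["bob"],
        "recovered_from_unsalted": lookup_unsalted(unsalted),
        # Different salts -> different digests: a precomputed table matches nothing,
        # and every guess must be recomputed per user at full KDF cost.
        "salted_digests_equal": salted["alice"] == salted["bob"],
        "salted_in_sha1_table": any(d in SHA1_TABLE for d in salted.values()),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```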
Other files contained tens of thousands of email server credentials, including SMTP server and port configuration. Explains Hunt:
Thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from.
Separately, Benkow, the researcher who discovered the cache, estimates a total of 80m credentials of different kinds.
Hunt and Benkow are now trying to have the cache data removed from the site it was found on, which is still up and accessible to anyone who knows where to look. Ironically, whoever was farming this data didn’t devote much effort to keeping it to themselves.
Anyone who thinks they might be affected can check HIBP manually for their email addresses or account name. Anyone anxious about their email server credentials should change the password at the very least before going for a long, calming lie down.
Sometimes it’s better to know what’s really going on even if that knowledge is depressing or troubling. In the case of this cache, it’s that addresses, credentials and personal data have long since become a criminal commodity. This can’t be stopped or reversed, merely contained.
But at least email addresses and credentials can be changed, more than can be said for users whose names, addresses, dates of birth and social security numbers are breached. This cache of breached data looks bad – but it could be so much worse.
Mahhn
administrator AT microsoft DOT com “Oh no — pwned! Pwned on 7 breached sites and found no pastes”
lol
My main personal Email (thanks linkedIn and BC/BS) and work Email say pwned many times. BUT my junk email account that I use for blogs, and stuff for the last 3 years, not pwned once :/
Anonymous
I guess the people who look after this list don’t do much in the way of quality control, considering the address is-spam AT sophos DOT com is “Oh no — pwned!” – for reference this address is where you can send spam samples to help ensure they are blocked, surely this counts as a “reverse pwning” :-)
Paul Ducklin
Hahahaha, I hadn’t noticed that.
As one of my colleagues quipped a couple of weeks ago, “I wonder how many spammers spam themselves?” We assumed it was about 100%, and not for quality assurance purposes, either…