Spambot Uploads 711M E-Mail Accounts Online

Image courtesy of (Stuart Miles) /

A massive spambot dump has left 711 million e-mail accounts exposed online.

The news comes courtesy of a European security researcher known as Benkow who came across a spambot server hosted in the Netherlands that stores text files containing e-mail addresses and their associated passwords. Some of these passwords are old, having been collected from past security breaches.

Used to run the spambot’s mammoth malware operation, the collected credentials that are still valid are utilized to circumvent spam filters by sending messages through valid e-mail servers.

The spambot, known as Onliner, has been used since at least 2016 to spread a banking trojan called Ursnif, according to Benkow, who added that the spambot has been known to target specific countries like Italy, or specific business like hotels.

Troy Hunt, owner of the Have I Been Pwned website, described the dump as the “largest single set of data” he’s ever written about on his site.

Hunt, a security researcher who was contacted by Benkow last week, wrote in a blog post that the breach contains two classes of data: “masses and masses of e-mail addresses used to deliver spam to” and e-mail addresses and passwords “used in an attempt to abuse the owners’ SMTP server in order to deliver spam.”

Hunt said it is likely many of these credentials could be aggregations from various other breach sources. Benkow agreed. He wrote in a blog post that while it can be difficult to determine just where the credentials were acquired, it seems likely they came from breaches like the LinkedIn hack and other such security breaches.

Roughly 80 million of the impacted accounts contain the e-mail addresses and passwords as well as the SMTP server and the port used. Once the spammer tests the entries and finds accounts that work, they are then used to send “fingerprinting” spam to other target e-mails.

“When you open this random spam, a request with your IP and your User-Agent will be sent to the server that hosts the gif,” Benkow explained. “With these information, the spammer is able to know when you have opened the e-mail, from where and on which device (Iphone ? Outlook?…).
At the same time, the request also allows the attacker to know that the e-mail is valid and people actually open spams.”

According to Hunt, those who use strong, unique passwords on each service and are using multi-step verification wherever possible, likely don’t have much to be worried about.

Those who are more lax with their security, however, should change their passwords, get set up with a password manager and take advantage of two-factor authentication on all sites that offer it.


About the author


Jennifer Cowan

Jennifer Cowan is the Managing Editor for SiteProNews.


Click here to post a comment