Security Researchers Discover Spammer List of Over 711 Million Email Accounts

Photo: AP
Photo: AP

An unknown hacker has gathered up to 711 million email accounts stored on an “open and accessible” server in the Netherlands, ZDNet reported. The server contains passwords to both email addresses and servers which are apparently being used to send large amounts of spam through legitimate accounts, thereby bypassing filters.


A Paris-based researcher using the pseudonym Benkow first brought the list to the attention of Troy Hunt, the web security expert best known for running Have I Been Pwned, a site which alerts users to breached accounts. In a post on his website, Hunt wrote the server hosting the spam accounts was inexplicably left unprotected and publicly accessible as of Tuesday, and he had already contacted authorities in an attempt to get it scrubbed from the web.

Hunt was quick to note many of the email addresses appeared to have been scraped off the web or aggregated from other sources, “so whilst the ‘711 million’ headline is technically accurate, the number of real humans in the data is going to be somewhat less.” But the overall amount of data in the breach was “mind-boggling,” he added, and it took Have I Been Pwned “110 data breaches over a period of 2 and a half years” to accumulate the same quantity.

According to ZDNet, the unknown parties behind the server were using the list in coordination with the Onliner spambot to distribute the Ursnif malware, which is capable of stealing large amounts of data from browsers and software (particularly banking info). As Benkow explained, the list includes “a huge list of SMTP credentials”—in the neighborhood of 80 million—which appeared to have been tested for validity and then deployed against the remaining 630 million accounts in an attempt to bypass spam filters.

The emails sent appeared to include an almost invisible 1x1 pixel GIF.

If a user opens the email, Benkow wrote, “a request with your IP and your User-Agent will be sent to the server that hosts the GIF. With these information, the spammer is able to know when you have opened the email, from where and on which device.”

That information is necessary to create a slimmed-down list of potential secondary targets—the people who would be hit with second emails containing malware. Yet another reminder not to open spam.

According to Hunt, he’s added the email addresses listed in the server to Have I Been Pwned, making it easy as pie to check whether any email address has possibly been compromised. So go do it.



"... An upperclassman who had been researching terrorist groups online." - Washington Post


“If a user opens the email...” I’m not clear on what exactly ‘opens’ the email. Is it just right-clicking on it to send it to a spam folder, or is there further action required? Do I have to click on something within the email? I never stopped to consider when an email became “opened”.