711 Million Email Addresses Exposed: How to Protect Yourself
A spambot built on data from previous data breaches has targeted more than 711 million email addresses. Here's how to stay safe.
Typically, your spam folder catches a lot of the malware-infected crud sent by the mischievous ne'er-do-wells from the darker corners of the internet. Unfortunately, a newly discovered attack has targeted more than 711 million email accounts.
Fortunately, only some -- not all -- of the targets' passwords have been taken.
The Onliner spambot, first discovered by a Paris-based security researcher who goes by the Benkow pseudonym, was confirmed by well-regarded security expert Troy Hunt in an August 30 blog post. Hunt -- a Microsoft Regional Director who runs the breach-tracking website Have I Been Pwned -- referred to a data dump from Onliner as "a mind-boggling amount of data," in which he even found his own email address.
How does Onliner do it?
According to a ZDNet report, the hooligans behind the spambot compiled a massive database of 80 million email credentials from a number of other breaches, such as the LinkedIn hack. These logins were then used to spam 630 million email addresses, whose spam filters they jumped right over.
What can you do?
First, check Have I Been Pwned to see if your email account information is in the hack. Onliner may not have much of your information beyond your address. Onliner worked by sending two rounds of emails, as only a fraction of the 711 million targets could actually be infected by its malware.
If Have I Been Pwned says your email address appeared in the Onliner dump, there are three steps you need to take immediately. The first is changing the password to your email account. Second, make sure you're not using that password in any other online accounts -- especially those for banking. Lastly, enable two-factor authentication, so your email address and password alone aren't enough for your account to be cracked.
The spambot campaign whittled its target list down by placing a difficult-to-see, pixel-sized image in its initial emails, which contained code to send a user's IP address and system information back to HQ. If the pixel detected its recipient was a Windows PC (Androids, iOS devices and Macs are protected), it would tell the server to send more-targeted emails -- which looked like invoices -- to the addresses it identified as vulnerable.
Now's a good time to look into a password manager, which can help you create strong, hard-to-guess passwords. And of course, do your best to avoid opening suspicious-looking emails, especially those that look like invoices for services you don't pay for.
The secondary wave of emails is smaller for the sake of obscurity, since larger attacks are more likely to draw the attention of law enforcement and security experts. The infectious emails contain a JavaScript file that does all the dirty work, pwning your machine.
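For readers who want to check a saved message for the two markers described above (a pixel-sized remote image and a script attachment), here is an added example that is not from the original article or from the researchers it cites. The function names, the list of script extensions and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumption: script file types worth flagging; the article only mentions JavaScript.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that are 1x1 (or smaller) or hidden by CSS."""
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # embedded (cid:/data:) images cannot report back to a server
        tiny = a.get("width", "").strip() in ("0", "1") and \
               a.get("height", "").strip() in ("0", "1")
        style = a.get("style", "").replace(" ", "").lower()
        if tiny or "display:none" in style or "visibility:hidden" in style:
            self.pixels.append(src)

def triage(raw_message: str) -> dict:
    """Return remote tracking-pixel URLs and script attachment names in a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder, scripts = PixelFinder(), []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(SCRIPT_EXTS):
            scripts.append(name)
        elif part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return {"tracking_pixels": finder.pixels, "script_attachments": scripts}

def sample_message() -> str:
    """Constructed sample: invoice-style mail with a 1x1 beacon and a .js attachment."""
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative('<p>Invoice attached.</p>'
                      '<img src="http://tracker.example/p.gif?id=42" width="1" height="1">'
                      '<img src="https://shop.example/logo.png" width="200" height="50">',
                      subtype="html")
    m.add_attachment(b"// placeholder", maintype="application",
                     subtype="javascript", filename="invoice_0830.js")
    return m.as_string()
```

Mail clients that block remote images by default stop the pixel from loading at all, which is why the check ignores images embedded in the message itself.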

Henry was a managing editor at Tom’s Guide covering streaming media, laptops and all things Apple, reviewing devices and services for the past seven years. Prior to joining Tom's Guide, he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. He's also covered the wild world of professional wrestling for Cageside Seats, interviewing athletes and other industry veterans.
JoshRoss Some of my old emails have been compromised. The good news about potential password leaks is that every year I go through a brand new iteration of passwords. Thanks for sharing!
stevendbritten Ironically, when I click on the link for haveibeenpwned.com I get:
"This site can’t provide a secure connection
haveibeenpwned.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."
Huh???
henrytcasey
Hm, maybe your browser's settings have something off for HTTPS? When I opened haveibeenpwned.com/ on my end (Chrome) it loaded properly and automatically added that HTTPS prefix.
aquielisunari
Change your passwords on a weekly/bi-weekly basis. There are apps that can do that for you but staying local is more secure. Don't forget your bank. I have 19 sites that need a password. It's a waste of time changing my security information that often. If that's too often then it's you that is choosing to get hacked.
There are anti-keylogging programs that can help avoid closer hack attacks.
An IVPN can help. While something like CyberGhost free can help, paid services are usually more secure than free services. Security programs like AVG have integrated VPN trials which you can then upgrade.
Use disposable eMail account names whenever possible.
If your network is hardwired you can disable your Wi-Fi radios.
Password1234 is still being used :pfff:
