Skip to main content

711 Million Email Addresses Exposed: How to Protect Yourself

Typically, your spam folder catches a lot of the malware-infected crud sent by the mischievous ne'er-do-wells from the darker corners of the internet. Unfortunately, a newly discovered attack has targeted more than 711 million email accounts.

Fortunately, only some -- not all -- of the targets' passwords have been taken.

Credit: OLEH SLEPCHENKO/Shutterstock

(Image credit: OLEH SLEPCHENKO/Shutterstock)

The Onliner spambot, first discovered by a Paris-based security researcher who goes by the Benkow pseudonym, was confirmed by well-regarded security expert Troy Hunt in an August 30 blog post. Hunt -- a Microsoft Regional Director who runs the breach-tracking website Have I Been Pwned -- referred to a data dump from Onliner as "a mind-boggling amount of data," in which he even found his own email address.

How does Onliner do it?

According to a ZDNet report, the hooligans behind the spambot compiled a massive database of 80 million email credentials from a number of other breaches, such as the LinkedIn hack. These logins were then used to spam 630 million email addresses, whose spam filters they jumped right over.

What can you do?

First, check Have I Been Pwned to see if your email account information is in the hack, Onliner may not have much of your information beyond your address. Onliner worked by sending two rounds of emails, as only a fraction of the 711 million targets could actually be infected by its malware.

If Have I Been Pwned says your email address appeared in the Onliner dump, there are three steps you need to take immediately. The first is changing the password to your email account. Second, make sure you're not using that password in any other online accounts -- especially those for banking. Lastly, enable two-factor authentication, so your email address and password alone aren't enough for your account to be cracked.

MORE: Best Mobile Password Managers

The spambot campaign whittled its target list down by placing a difficult-to-see, pixel-sized image in its initial emails, which contained code to send a user's IP address and system information back to HQ. If the pixel detected its recipient was a Windows PC (Androids, iOS devices and Macs are protected), it would tell the server to send more-targeted emails -- which looked like invoices -- to the addresses it identified as vulnerable.

Now's a good time to look into a password manager, which can help you create strong, hard-to-guess passwords. And of course, do your best to avoid opening suspicious-looking emails, especially those that look like invoices for services you don't pay for.

The secondary wave of emails is smaller for the sake of obscurity, since larger attacks are more likely to draw the attention of law enforcement and security experts. The infectious emails contain a JavaScript file that does all the dirty work, pwning your machine.