700 Million Email Accounts Hijacked by Spammers

By John Lister

More than 700 million email addresses and passwords have been leaked online. While many are bogus, enough appear to be genuine that security experts have advised users to change their email passwords.

The collection of account details does not appear to have been used for identity theft or other fraud. Instead, it has been marketed to spammers as a way to send spam messages.

The idea is that spammers can log in to the compromised accounts and send their unsolicited email from there. This effectively flies under the spam radar: most spam is sent from IP addresses with little or no sending reputation, which filters treat with suspicion, whereas mail sent from a genuine account at a reputable provider (such as Yahoo, AOL or Hotmail) inherits that provider's good reputation and is far more likely to reach the inbox.
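The abuse described above is visible from the provider's side as a sudden change in how a mailbox sends: many recipients in a short time, from source addresses the account has never used. The following is an added example, not code from the article or from any mail provider, that runs a simple sliding-window check over constructed SMTP submission log lines in a hypothetical "timestamp auth-ok user=... ip=... rcpts=N" format; the thresholds (10 minutes, more than 3 distinct IPs, more than 100 recipients) are illustrative assumptions.

```python
# Added example (not from the article): flag mailboxes that look hijacked for
# outbound spam, using constructed SMTP submission log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "ts auth-ok user= ip= rcpts=" format.
# alice sends a little mail from one address; bob suddenly sends bulk mail
# from several addresses within a few seconds.
SAMPLE_LOG = """\
2017-08-30T09:00:01Z auth-ok user=alice@example.com ip=203.0.113.10 rcpts=1
2017-08-30T09:05:12Z auth-ok user=alice@example.com ip=203.0.113.10 rcpts=2
2017-08-30T09:06:40Z auth-ok user=bob@example.com ip=198.51.100.7 rcpts=1
2017-08-30T09:07:02Z auth-ok user=bob@example.com ip=198.51.100.22 rcpts=50
2017-08-30T09:07:03Z auth-ok user=bob@example.com ip=198.51.100.23 rcpts=50
2017-08-30T09:07:05Z auth-ok user=bob@example.com ip=192.0.2.5 rcpts=50
2017-08-30T09:07:09Z auth-ok user=bob@example.com ip=192.0.2.9 rcpts=50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-ok user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip unknown lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "ip": m["ip"],
            "rcpts": int(m["rcpts"]),
        })
    return events


def find_hijacked(events, window=timedelta(minutes=10), max_ips=3, max_rcpts=100):
    """Return {user: stats} for accounts whose authenticated sends, within any
    sliding window, come from more than max_ips distinct IPs or address more
    than max_rcpts recipients. Stats are taken from the first window that trips."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e["ip"] for e in win}
            rcpts = sum(e["rcpts"] for e in win)
            if len(ips) > max_ips or rcpts > max_rcpts:
                flagged[user] = {"distinct_ips": len(ips), "recipients": rcpts}
                break
    return flagged


if __name__ == "__main__":
    for user, stats in find_hijacked(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious: {user} {stats}")
```

On the sample data only bob@example.com trips the check (101 recipients across three IPs inside the window); alice's two small sends from one address pass. In practice the thresholds would be tuned per account baseline, and a hit would lead to a forced password reset and session revocation rather than an outright block.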

Accounts Used To Pass On Malware

The hijacked accounts are not used solely to send advertising, however. They have also been used to send messages with bogus attachments that carry malware. (Source: zdnet.com)

Even before the list was published, it was bad news for anyone whose account was compromised. Having an account used in this way increases the chance that the address will be added to spam and malware blacklists, making it harder for the owner's legitimate email to get through.

The publication of the list makes things worse, however. It increases the risk that anyone who obtains it could use the credentials to read someone else's messages, steal confidential data, or harvest login information for other accounts (for example, from password reset emails sitting in the inbox).

Account Hijack is Biggest Ever

Researchers say that the 711 million addresses make this likely the biggest ever list of its type and that it seems to have been gathered together from multiple sources, including previous leaks. Some of the addresses appear not to be genuine and instead are made up of random words put together in the hope of stumbling on real addresses. However, researchers say the list contains enough genuine addresses, often with accompanying passwords, that it should cause concern. (Source: theguardian.com)

It's possible to check whether an email address appears in any publicly leaked lists through independent sites such as https://haveibeenpwned.com/. If an address brings up hits on such a site, change the password on the affected email account and on any other site where you have used the same password. Better still, security experts recommend using a unique, strong password on every site, so that one leak cannot be turned into access elsewhere.
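The same site also lets you check whether a password has appeared in a leak, and it does so without ever receiving the password: the client sends only the first five hex characters of the password's SHA-1 hash to the Pwned Passwords range endpoint, receives every hash suffix in that range, and does the comparison locally (the address search the article refers to requires an API key when automated, so it is not shown). The following is an added example, not code from the article or from Have I Been Pwned; the range response used in the test is constructed, and the counts in it are made up.

```python
# Added example (not from the article): check a password against the Pwned
# Passwords range API using k-anonymity. Only the first five hex characters of
# the SHA-1 hash leave the machine; the match is done locally on the response.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (the suffixes and counts other
# than the one for "password" are made up for this example).
SAMPLE_RANGE_BODY = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E9EBF7B8FC6E9F1A1C3B9D2C0B5E8F7A6D:2
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix):
    """Fetch the range for a 5-char hash prefix from the live service."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Return how many times the password appears in known leaks (0 if none).
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline run against the constructed response; swap in fetch_range for a live check.
    print(pwned_count("password", fetch=lambda prefix: SAMPLE_RANGE_BODY))
```

A non-zero count means the password is in circulation in leaked lists like the one described above and should not be used anywhere, even if the account it belongs to has not itself been breached.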

What's Your Opinion?

Are you surprised that so many addresses appeared in one list? Were you aware that email accounts being hijacked for spam could be as big a problem as people trying to access messages? How do you balance security and practicality when it comes to your email security?

Need Help Setting Up and Automating Strong, Unique Passwords?

Programs like Roboform can be a godsend if you hate having to remember passwords. Roboform can not only generate and remember a strong, unique password for every site you visit, it can also fill in the login forms for you. All you need to do is remember a single master password to unlock all your passwords; it also works with fingerprint readers. Download Roboform today - you won't regret it. If you need help setting up Roboform, Dennis would be more than happy to assist: send an email briefly describing the issue and he'll get back to you ASAP.



Dennis Faas:

I just went to https://haveibeenpwned.com/ and checked my main email address and was surprised it reported two leaks on two different sites - LinkedIn and Elance, both of which I used in the past. That said: I have always used unique, strong passwords on every site (thanks to Roboform!) - as such, this data leak would not have caused any further damage to my accounts on other sites. Good to know!

doulosg:

Ironically, my official (full local-government domain name) work address does not show any hits in the haveibeenpwned data, but two shorter aliases do. Fortunately, the passwords on these are changed regularly.

Even more ironically, of the various personal accounts I use, the only one NOT showing any hits is the "junk" one! And the one with the greatest exposure (4 hits versus 2) gets the least amount of spam/phish.