Lists of email addresses with passwords and other information, used to send phishing emails and spam, were hosted on an open server and available to copy or download. While at least one-quarter of the email and password combinations were identified from previous data breaches, this collection of 711 million email address account credentials shows the scale of data breaches and of consumers who are still using compromised passwords.
A sophisticated fraudster or fraud ring was running a spam operation with an automated spam bot called Onliner and a curated list of email, password, server and port (SMTP) information for using these accounts to send malicious and unwanted emails. The compromised emails came from various sources, including 2 million emails associated with Facebook accounts compromised in a phishing campaign, and all the email addresses associated with the LinkedIn data breach discovered in 2016.
The fraudster operating the spam-sending service was primarily focused on just that: distributing spam. The compromised information came from free sources, was possibly purchased on the black market, or may have been compromised by the spam ring operators themselves. Leaving the databases of compromised emails, and the information needed to send spam from them, available to anyone who could find where to access them (which someone eventually did) was likely an oversight.
Having access to active or legitimate consumer email accounts for sending spam is a major asset in the fraudster world and black market. Email providers and third-party email security vendors constantly update blacklists of bad servers known for sending spam. Using real email accounts circumvents many of these filters.
The website and service Have I Been Pwned? maintains a searchable database of email addresses compromised in data breaches. After adding the 711 million compromised emails to its list, the service could see that 27 percent of them had already been identified from past data breaches, including LinkedIn and Badoo.