711 Million Email Addresses Exposed: How to Protect Yourself
A spambot built on data from previous data breaches has targeted more than 711 million email addresses. Here's how to stay safe.
Typically, your spam folder catches a lot of the malware-infected crud sent by the mischievous ne'er-do-wells from the darker corners of the internet. Unfortunately, a newly discovered attack has targeted more than 711 million email accounts.
Fortunately, only some -- not all -- of the targets' passwords have been taken.
The Onliner spambot, first discovered by a Paris-based security researcher who goes by the Benkow pseudonym, was confirmed by well-regarded security expert Troy Hunt in an August 30 blog post. Hunt -- a Microsoft Regional Director who runs the breach-tracking website Have I Been Pwned -- referred to a data dump from Onliner as "a mind-boggling amount of data," in which he even found his own email address.
How does Onliner do it?
According to a ZDNet report, the hooligans behind the spambot compiled a massive database of 80 million email credentials from a number of other breaches, such as the LinkedIn hack. Those logins were then used to send spam to 630 million email addresses, sailing right over the recipients' spam filters.
What can you do?
First, check Have I Been Pwned to see if your email account information is in the hack; Onliner may not have much of your information beyond your address. Onliner sent two rounds of emails because only a fraction of the 711 million targets could actually be infected by its malware.
If Have I Been Pwned says your email address appeared in the Onliner dump, there are three steps you need to take immediately. The first is changing the password to your email account. Second, make sure you're not using that password in any other online accounts -- especially those for banking. Lastly, enable two-factor authentication, so your email address and password alone aren't enough for your account to be cracked.
The spambot campaign whittled its target list down by embedding a hard-to-see, pixel-sized image in its initial emails; when that image loaded, it reported the recipient's IP address and system information back to the attackers' server. If the data showed the recipient was on a Windows PC (Android, iOS and Mac users aren't affected), the server would send more-targeted emails -- which looked like invoices -- to the addresses it had identified as vulnerable.
Now's a good time to look into a password manager, which can help you create strong, hard-to-guess passwords. And of course, do your best to avoid opening suspicious-looking emails, especially those that look like invoices for services you don't pay for.
The second wave of emails is deliberately smaller, since larger attacks are more likely to draw the attention of law enforcement and security researchers. Those emails carry a JavaScript file that does all the dirty work of infecting your machine.
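The two indicators the article describes, a hidden remote tracking pixel in the HTML body and a JavaScript attachment dressed up as an invoice, are easy to check for on the receiving side. The following is an added illustration, not code from the article or from Tom's Guide; the sample message, its hostnames and its file name are constructed, and the checks are deliberately simple (an image is treated as a tracking pixel if it is loaded from a remote URL and declared 0 or 1 pixel wide or high).

```python
import email
from email import policy
from html.parser import HTMLParser
# Constructed sample (not a real Onliner message): hidden 1x1 remote image
# in the HTML body plus a .js attachment posing as an invoice.
SAMPLE_EML = """\
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<img src="http://tracker.example.invalid/p.gif?u=abc123" width="1" height="1">
<img src="cid:logo@local" width="200" height="60">
--b1
Content-Type: application/octet-stream; name="invoice.js"

var x = 1;
--b1--
"""

class _PixelFinder(HTMLParser):
    """Collect remote <img> tags sized 0x0 or 1x1, the classic tracking pixel."""
    def __init__(self):
        super().__init__()
        self.pixels = []
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        remote = a.get("src", "").lower().startswith(("http://", "https://"))
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if remote and tiny:
            self.pixels.append(a["src"])

def find_tracking_pixels(html):
    finder = _PixelFinder()
    finder.feed(html)
    return finder.pixels
def scan_message(raw):
    """Flag both indicators: a tracking pixel in the HTML body, a .js attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    pixels, scripts = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".js"):
            scripts.append(name)
        elif part.get_content_type() == "text/html":
            pixels.extend(find_tracking_pixels(part.get_content()))
    return {"tracking_pixels": pixels, "script_attachments": scripts,
            "verdict": "suspicious" if pixels or scripts else "clean"}
```

Disabling automatic loading of remote images in your mail client defeats the first stage outright, because the pixel never gets fetched and nothing is reported back.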
Henry is a managing editor at Tom’s Guide covering streaming media, laptops and all things Apple, reviewing devices and services for the past seven years. Prior to joining Tom's Guide, he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. He's also covered the wild world of professional wrestling for Cageside Seats, interviewing athletes and other industry veterans.