More than 700 million email addresses have been leaked online in what is believed to be one of the biggest breaches of its kind.
The email addresses were leaked by a spambot, a piece of software designed to carry out spam email campaigns on a massive scale.
Users can check if their email address has been affected by the breach by going to haveibeenpwned.com.
Users who discover their email address has been compromised are advised to update their password immediately.
The 711 million leaked emails, the equivalent of almost every man, woman and child in Europe, were discovered by cyber security expert Troy Hunt, who runs the Have I Been Pwned website.
“Last week I was contacted by someone alerting me to the presence of a spam list. A big one.
“That’s a bit of a relative term though because whilst I’ve loaded ‘big’ spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River City Media.
“The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP,” Troy wrote in a blog post.
“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.
“This blog post explains everything I know about it.”
Troy warns that the spambot that leaked the 711 million emails, called Onliner, also leaked account credentials and passwords.
Troy says the spambot is being used to spread a dangerous banking trojan dubbed Ursnif, designed to steal online banking credentials and spread to other computers by sending spam emails from the victim’s account.
Troy said that, after conducting random tests, many of the emails appeared to be made up of addresses leaked in previous major breaches.
“A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach.
“Now this is interesting because assuming that’s the source, all those passwords were exposed as SHA1 hashes (no salt) so it’s quite possible these are just a small sample of the 164m addresses that were in there and had readily crackable passwords.”
To ensure you use a secure password, Troy recommends using a password manager.
“For this particular incident, if you’re creating strong, unique passwords on each service (get a password manager if you don’t have one already) and using multi-step verification wherever possible, I wouldn’t be at all worried.
“If you’re not, now’s a great time to start.”