Security Tech News

711 Million Email Addresses Compromised by Onliner Spambot

Gavin Phillips 31-08-2017

Another day, another security breach. Yet, the Onliner Spambot dump is slightly different to others: it contains over 700 million email addresses and passwords. As such, it is the largest leak to date.


Onliner Spambot Password Dump

The Onliner Spambot dump is a significant haul in a year that has already seen several massive data breaches 560 Million Old Passwords Have Leaked Online It's probably time to change your passwords again. Because a huge database of 560 million login credentials has been found online, waiting to be discovered by ne'er-do-wells. Read More . These breaches, including River City Media, Verizon, Lynda, Deep Root Analytics, Edmodo, and Atlassian HipChat, are minute compared to the combined weight of the Onliner Spambot leak.

Onliner Spambot was uncovered by Benkow mo?u?q, a security researcher based in France. The spambot has collected over 700 million individual email addresses, passwords, and email servers, all used to send spam. The spambot is primarily used to deliver the Ursnif banking trojan How Does Malware Get Into Your Smartphone? Why do malware purveyors want to infect your smartphone with an infected app, and how does malware get into a mobile app in the first place? Read More to unsuspecting users. Benkow estimates over 100,000 unique systems have been infected around the world.

The Ursnif trojan steals data, such as login credentials, banking and credit card data, passwords, and more. However, what sets Onliner apart from other spambots is the sophisticated delivery method.

The “standard” method of delivery — a spam email containing a dropper file Don't Be Fooled By This New "Helpful" Email Scam You might think you know all about email scams now, but there's a new one that's even trickier. Here's what it looks like and what you must know about it. Read More — is relatively easy to combat. Spam filters are getting smarter, and domains found to send spam are easily blacklisted.

Instead, Onliner scraped email server credentials from existing data breaches, collating an enormous, 80 million-strong list of valid accounts to send spam from. Therefore, the spam appears to originate from a legitimate email account, avoiding any spam filters.


“To send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it. And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign”

Next, instead of bombarding potential victims, the spambot sends a single email containing a single-pixel fingerprinting image. When the email is open, the pixel image sends back important user information, such as IP address, user-agent details, and more. This helps the attackers know which computers to target — specifically seeking Windows systems — instead of a more general spray-gun approach.

Spambot Safety

According to Troy Hunt, creator of Have I Been Pwned?, only 27% of the email address already existed in the HIBP database. That means some 519 million individual email address and password combinations are now compromised. In a blog post, Hunt also pointed out that 711 million is basically the entire population of Europe — a serious amount of compromised addresses.

So, what can you do?

First, head to Have I Been Pwned? and enter your email address(es) into the search bar. It takes a few seconds, and you’ll immediately discover if your address and password have been compromised. And that’s not only for the Onliner spambot. If your address leaked during any other data breach (contained in the database), you will find out.

711 Million Email Addresses Compromised by Onliner Spambot Have I Been Pwned Compromised Page

If compromised, you need to begin the reset process for any services using that email address. It is important to remember as many accounts as possible, but I understand that is difficult. Start by changing any linked to sensitive information: accounts holding financial data, debit and credit cards, and so on.

Next, start using two-factor verification on all of your accounts, and seriously consider using a password manager Is Your Password Manager Secure? 5 Services Compared Unless you have an incredible memory, there's no way you can possibly hope to remember all your usernames and passwords. The sensible option is to use a password manager -- but which is best? Read More to keep track of and to secure your passwords.

Once your address and password is out there, it won’t disappear. But you can mitigate the potential effects.

Have you been pwned? Did you realize that more than one account is compromised? What is your favorite password manager? Let us know your thoughts on data breaches below!

Image Credit: elwynn via

Related topics: Computer Security, Password Manager, Security Breach.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. fcd76218
    August 31, 2017 at 9:19 pm

    I checked my email accounts on Have I Been Pwnd and a few of them came up as pwnd. Interestingly, the passwords for those accounts did not. I tried to contact Troy Hunter on his site but he does not make that very easy.

    • Gavin Phillips
      August 31, 2017 at 9:35 pm

      To be fair to Troy, there are now billions of email addresses (some duplicate, mind) contained in the database. In the blog I linked in the article, he explains that a tool for searching the database isn't available as it would require a lot of work from the ground up. The service doesn't show you the password -- that would mean anyone, anywhere could grab your password, rather than just those with the database (which is unfortunately a fair few people -- email accounts are extremely cheap). *If* he created a tool to search for a password, it would almost certainly be abused in some way.

      • dragonmouth
        August 31, 2017 at 10:42 pm

        There is a tool on the HIBP site that test if a password has been pwnd. That is what I was referring to.

        Does an email address ever get deleted from the HIBP database or once it gets into the database, it listed forever? The reason I ask is that one of my email addresses came up as pwnd. I changed the password 2 days ago. So supposedly it should be secure for at least a little while. If an address stays in the database forever than that will cause many false positives.