Author Lauren Howells
The leak also contained some passwords, putting the security of the affected people’s email accounts in danger.
“Mind-boggling amount of data”
You can check if your account may have been compromised by going to the have i been pwned? website. Security expert Troy Hunt, who runs the site, described it as the “largest single set of data I’ve ever loaded into HIBP” and a “mind-boggling amount of data”.
In order to give a sense of scale, he went on to say that it worked out as nearly one address for every single man, woman and child in the whole of Europe.
However, the number of ‘real’ email addresses involved in the leak is reportedly likely to be lower, because some of the email addresses may be fake. There may also be a number of repeated email addresses in the data.
What is a spambot?
Spambots are used to harvest email addresses from the internet. The people who were running this particular spambot reportedly did not properly secure a server that they were storing the addresses on. This meant that anyone could access the data.
In his blog post regarding the spambot, Troy Hunt describes 2 “classes” of data within the database that has been leaked. The first one is email addresses, which are used to deliver spam to.
The second is email addresses and passwords, which can be used to “abuse the owners’ SMTP server” to deliver spam.
Some believe that at least part of the data may have been gathered from previous leaks.
Mr Hunt said that the IP address of the server was in the Netherlands and he had been talking to a “trusted source” there, who was communicating with law enforcement to try and get the server shut down.
How have they got hold of my data?
During his blog post on the subject, Troy Hunt says that just because you have discovered your email address is in this data, that in itself doesn’t give you “much insight” into where your email address was taken from.
Mr Hunt goes on to say that he has no idea how his email address ended up on there and that this is
“ the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon”.
What can I do about it?
Check if your email address is part of the data by going to have i been pwned?.
At this moment in time, there’s no way to check whether you are part of the first class of data (just email addresses) or the second class of data (email addresses and passwords).
If you discover that your email address is on the list, it would probably be prudent to change your password.
Additionally, as always, don’t click on a link in an email (or download an attachment) unless you are 100% sure that you know where it’s come from and what it is.