News broke that a huge spambot ensnaring 711 million email accounts has been uncovered. A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands, which stores dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam. Those credentials are crucial for the spammer’s large-scale malware operation: sending email through legitimate, authenticated email servers lets the messages bypass spam filters. IT security experts commented below.
Christian Lees, CTO and CSO at InfoArmor:
“Several factors come to mind in consideration of this data disclosure. Here are points to consider.
There is evidence of a significant amount of speculative data, yet also the potential for meaningful amounts of pre-breached data from existing aggregation. Threat actors continue to expand their methods to potentially mainstream or expand their revenue streams. Continuous large data disclosures of this type, with potentially unverifiable data sources and targets, increase alert fatigue for security professionals. Also – this is another reminder that threat actors also live the dual-edged sword of security.”
Giovanni Verhaeghe, Director Product & Market Strategy at VASCO Data Security:
“Breaches like this highlight, once again, the importance of education when it comes to password management and password use. Resetting compromised passwords can be a good first step, but the breach had little to do with the passwords that were used. It was a result of the ease with which they can be accessed from the outside. The burden of responsibility lies heavily on organizations, and how much they invest in securing the information users share with them will make a huge difference to user confidence.
“Also, as users now demand a seamless experience across channels, organizations have the added responsibility of making sure that information is secure across these channels. The more user-friendly the system is, the more it needs security. This security can be transparent for sure, but if it doesn’t protect users and their data, it could be leaving the door open for malicious and crippling attacks.”
Jonathan Sander at STEALTHbits Technologies:
“Perhaps the scariest part of this massive Spambot leak is seeing how much data the bad guys have and how little they are doing to protect it. Some may think the bad guy has no motivation to protect our data, but they do. The amount and how well enriched their data set is becomes their competitive advantage in a crowded black market. Just like people using Google more than other search engines because of their huge reach, the black market has brands that stake their reputation on having the biggest database of quality, stolen data. To see that even with such financial motivation they are failing to secure their ill-gotten goods is disheartening.”
Gaurav Banga, Founder and CEO at Balbix:
“From an enterprise perspective, employees often use the same password for sensitive corporate applications and their personal social media accounts. As a result, information such as valuable login credentials can be exposed and compromised when a social platform provider gets hacked. Enterprises need a way to continuously monitor the risk of credential theft from password sharing between corporate trusted and unknown websites and apps.”
Salim Hafid, Product Manager at Bitglass:
“At scale, phishing attacks that bypass spam filters and spoof legitimate sources are no doubt more effective than typical phishing strategies. These targeted attacks, where malware is delivered to millions of individuals, can spread at higher rates and yield more information.”
John Suit, CTO at Trivalent:
“In this case, a spam list of over 700 million email addresses and passwords was discovered on an unprotected server. Allegedly, this information was used to send large amounts of spam through legitimate email accounts, which allows the emails to bypass spam filters. Revelations like this continue to be a wake-up call to organizations everywhere. Even with regular employee training, it only takes one employee opening a bad email to put an entire enterprise’s data at risk of malware, ransomware and other threats. The only way to completely circumvent hacker threats like this is by approaching data protection proactively, rather than reactively, protecting enterprise data at the file level—even in the event of a breach. With this defense-in-depth protection, malicious threats from spammers can never succeed in gaining access to actual company files.”
Matt Kaplan, GM at LastPass:
“Your email address is the username for most of your online accounts so it’s crucial to protect it like your identity depends on it. Using unique passwords for all your online accounts will ensure that if your email, or password, is leaked in a breach like this one, they can’t be used by hackers to get into any of your other accounts. While humans are inherently bad at making passwords, and continue to reuse them, a password manager is a simple and secure way of keeping unique passwords in one place.
If your email service offers it, be sure to turn on two-factor authentication, so that an extra code or text message is required whenever you’re logging in from a new location. That way, even a compromised password won’t allow access to your email account.”
Jim Walter, Senior Research Scientist at Cylance:
“This is an important reminder of one aspect of the data-breach lifecycle. The threats outlined are not new or novel, nor is the credential harvesting/storage methodology. Data breaches don’t end after the public disclosure. Leaked/breached data can continue to live on and be used, reused, sold, re-sold, etc. for purposes just as described here. Any organisation that is not aware of and closely following OSINT specific to their company/brand/intellectual property/etc. is bound to fall victim to continued use of their data or infrastructure for ongoing malicious activity. The real take-away here should not be to alarm or scare, but rather to educate and remind everyone of the permanence of breached/leaked data and the need to not only defend your organisation, but also monitor the ‘ether’ for continued misuse of data and resources.”
Brian Laing, VP at Lastline:
“The sheer size of the breach is alone a cause for concern, let alone the damage it could cause further down the line. This breach is an example of how hackers merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. In this instance, the majority of the passwords appear to have been collated from previous leaks, including the 2012 LinkedIn data breach. Every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data.
“Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks, and web applications. The blurring of personal and professional use of enterprise assets such as laptops underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats and evasive malware that could be introduced as a result of an infected personal device targeted as a result of a prior data breach. Data breaches provide a distribution hub for malware for years to come.”
John Gunn, CMO at VASCO Data Security:
“Sophisticated hackers are increasingly weaponized by the large pools of identities that they are stealing from poorly secured targets. Weak security at organizations with large pools of data is the nemesis of the well-secured enterprise.”