OK guys, this is no joke: prolific security blogger Troy Hunt was recently alerted to a very big spam list, containing a whopping 711 million email addresses, by Paris-based security researcher Benkow moʞuƎq.
Now there are two classes of data in this list. The first lot is pure email addresses, shed loads of them (hundreds of millions), and the second lot is a collection of email addresses paired with passwords, which is obviously a lot more serious, as you can imagine.
So what you need to do, RIGHT NOW, is go to haveibeenpwned.com, enter your email address and see if your email address has been harvested. I know mine has, and I'm ultra careful who I give my email address out to.
Now the haveibeenpwned.com site is run by Troy Hunt. He basically takes massive lists like the one Benkow gave him and loads the email addresses into his service, enabling people to check whether their email address has been leaked or not.
The most alarming thing about this data breach is that it's the largest list that has ever been uploaded to HIBP, quoting his blog:
"The one I'm writing about today is 711m records which makes it the largest single set of data I've ever loaded into HIBP. Just for a sense of scale, that's almost one address for every single man, woman and child in all of Europe."
How Did This Data Come About?
The email addresses and passwords that have been uncovered have been used by a spambot known only as "Onliner".
Unfortunately, a directory on the spambot's web server was left open, which basically made it a free-for-all to download gigabytes' worth of email addresses without needing any credentials. Consequently, it is impossible to know how many others might have downloaded this list apart from the spammer who compiled it in the first place.
Now, even though there are over 700 million email addresses in the data, not all of them are legit, and many have been generated or "guessed".
Also, in terms of the passwords that have been leaked, many of them have been seen before in previous leaks, such as the 164 million stolen from LinkedIn in May 2016.
But these things don't make the leak any less severe. So a word of advice here: if you have discovered that your email address has been leaked, then you need to change your password.
And if you've used the same password on multiple sites, change the passwords for each of these sites, and make sure they're different for each site.
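If you want to check a password without ever sending it to anyone, the same HIBP service also exposes a Pwned Passwords "range" lookup: you send only the first five hex characters of the password's SHA-1 hash and compare the rest locally against the suffixes the server returns. The script below is an added example, not code from this post or from Troy Hunt's project; it assumes the public endpoint https://api.pwnedpasswords.com/range/{prefix} and uses a constructed sample response (the counts in it are made up) so it runs offline.

```python
import hashlib
from urllib.request import Request, urlopen  # only used by the optional live lookup

# Assumed endpoint of the Pwned Passwords k-anonymity range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the suffix is matched locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the count for
    the given suffix, or 0 if the suffix is not listed (i.e. not known to be pwned)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines and any padding the server may add
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix.upper():
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


def check_password(password: str, fetch_range) -> int:
    """Return how many times the password appears in the breach corpus (0 = not seen).

    fetch_range(prefix) -> str is injected so the logic can be exercised offline.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Live lookup against the assumed public API (not called by the offline demo)."""
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-range-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the real SHA-1 of "password" starts
# with 5BAA6...). The suffixes other than the one for "password" and all counts are
# invented for this demo; they are NOT real API data.
SAMPLE_RANGE_5BAA6 = """\
0036A50F4E3D2C1B9A8F7E6D5C4B3A2918F7:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
2F9C1A7D3E5B8C0A4D6F2E1B9C8A7D5E3F1:7
"""


def demo() -> dict:
    """Run the offline check for a known-bad and a not-listed password."""
    offline = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    return {
        "password": check_password("password", offline),
        "correct horse battery staple": check_password("correct horse battery staple", offline),
    }


if __name__ == "__main__":
    for pw, hits in demo().items():
        verdict = f"seen {hits} times, change it" if hits else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

The design point is that the server learns only a 5-character hash prefix shared by hundreds of other passwords, so it cannot tell which one you checked; to use it for real, pass `fetch_range_live` instead of the offline lambda.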
If you'd like some help regarding passwords, read this blog post on how to create a password that is both secure and easy to remember.
I know passwords are a pain, and I don't know anyone who doesn't get annoyed by them, but if you treat your passwords like a front door key, you won't go far wrong.
And like a front door key, if someone ever gets hold of it, you need to change it straight away. You'd change your locks, wouldn't you?