More than 700 million email addresses and a number of passwords have been leaked in what could be the biggest spambot dump ever seen.

The data is believed to have come from a spambot known as Onliner, whose server was hosted in the Netherlands.

The information leaked because the criminals left their server open: anyone who found it could download the database without needing a username or password.

A screenshot from the server being used to store the sensitive private data. The screenshot was taken by Troy Hunt, an Australian computer security expert. Photo / Supplied

Users of affected accounts are advised to change their passwords as soon as possible to avoid being further compromised.


Australian computer security expert Troy Hunt runs the website Have I Been Pwned (HIBP), at haveibeenpwned.com, which lets you check whether your email address appears in known data breaches.

He was the first to raise the alarm over the data dump.

The bot behind it is designed to spread malware that steals banking details and uses infected devices to spread itself further, as well as pumping out the spam messages criminals use in online scams.

Hunt said that the 711 million records leaked "makes it the largest single set of data I've ever loaded into HIBP".

Writing in a blog post today, he added: "Just for a sense of scale, that's almost one address for every single man, woman and child in all of Europe.

"The first place to start is with an uncomfortable truth: my email address is in there. Twice.

"Finding yourself in this data set unfortunately doesn't give you much insight into where your email address was obtained from nor what you can actually do.

"I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went 'ah, this helps explain all the spam I get'."

The leak also contained millions of passwords, which appear to have been collected so that the spammers could break into email accounts and use them to send spam.


Have I Been Pwned site lets you check whether your account has been breached by leaks. Email addresses that are unaffected will result in this screen being displayed.
Users whose accounts have been breached will see this screen, which also lets you check details of when the breach occurred and if your email address has been pasted publicly on sites like Pastebin.


Although there are more than 700m email addresses in the data, the number of genuine accounts may be far lower.

Many of the addresses were duplicates or variations on a particular domain, perhaps built from data 'scraped' automatically from public websites.

Others appear to have been generated by the spammers simply by prepending a common mailbox name to a domain, for example sales@domainname.com, rather than harvested from a real account.

Taken from previous leaks

The majority of the passwords in the latest security breach appear to have been collated from previous leaks.

For instance, one set mirrors the more than a million passwords stolen from LinkedIn in 2012.

Last year, LinkedIn revealed the true scale of its 2012 breach.

It said a hacker stole 117 million user emails and passwords in the breach - up from the 6.5 million user credentials that the company originally said were compromised.

Those 6.5 million passwords were reset in 2012 and the company advised the rest of its users to change their passwords too.

The hacker, who goes by the name 'Peace,' was trying to sell the passwords on the dark web for five bitcoins, or about US$2200 ($3067), according to a Forbes report.

Cyber security experts say news such as this should serve as a reminder to change any password that has appeared in a leak, and never to reuse one password across services. Current guidance (NIST SP 800-63B) no longer recommends changing passwords on a fixed schedule; instead, use a unique password for each account and change it promptly whenever there is evidence it has been exposed.

How to protect yourself

Troy Hunt's Have I Been Pwned (HIBP), at haveibeenpwned.com, lets you check whether your email address appears in known data leaks, including the Onliner spambot dump.

If your address is listed, change the password on that account as soon as possible, and on any other account where the same password was reused. A password manager makes unique passwords practical, and two-factor authentication limits what a leaked password is worth to an attacker.