The CyberNews research team uncovered an unsecured data bucket owned by an unidentified party, containing seven gigabytes worth of unencrypted files that include 350,000,000 strings of unique email addresses.
The massive trove of emails was left on a publicly accessible Amazon AWS server, allowing anyone to download and access the data. This is a huge leak even by today’s standards, with an average of 7 million records being exposed daily in 2020.
As cyberattacks become ever more frequent and sophisticated across the board, both organizations and individuals are still struggling to catch up with cybercriminals when it comes to data security. The 350 million email leak discovered by CyberNews is only the latest example of this cybersecurity gap that continues to grow despite increasing investment in the security industry.
On June 10, the exposed S3 bucket was closed by Amazon and is no longer accessible.
The publicly available Amazon S3 bucket contained 67 files.
Example of leaked email addresses:
Besides the CSV files, the bucket also contained voice recordings of several sales pitches to digital marketers about RepWatch, which appears to be a long-defunct domain reputation management tool and may or – considering when the files were uploaded – may not be related to the CSV files stored in the bucket.
Screenshot from the latest forum discussion about RepWatch in 2013:
The CSV files appear to have included the same set of 350 million unique emails, separated into three groups: hashed, hashed and salted, and unencrypted files. The dates and times when the files were created suggest that the unidentified owner uploaded the files to the bucket in stages: hashed and salted emails were uploaded first, while the unencrypted files were uploaded last.
The timeline of uploads might indicate that these emails have been either stolen or acquired on the black market back in October 2018, and then gradually decrypted by the owner of the bucket.
The unsecured bucket was located in the US and hosted on an Amazon S3 server that has been exposed for what seems to be at least an 18-month period.
While it is unclear if any malicious actors have accessed the S3 bucket, anyone who knew where to look could have downloaded and accessed the CSV files, without needing any kind of permission.
If the emails were stolen to begin with, however, their owners should assume that their email addresses have already been sold on the black market 18 months ago.
Although most people think that having their email exposed will not result in any serious damage, there are many reasons why email addresses are bought and sold on the dark web. In many cases, an email address is merely the first avenue of attack against an unsuspecting target and can conceivably cause the victim significant harm down the line.
Here are some examples of how potential attackers can use the data found in the unsecured Amazon S3 bucket against the owners of the exposed email addresses:
Attackers can also combine the leaked email addresses with data from other breaches and build more detailed pictures of their potential targets. They can then conduct elaborate phishing and social engineering attacks to gain access to the victims’ accounts on other digital services such as entertainment and shopping platforms or even online banking.
In the worst-case scenario, an exceptionally successful phishing or social engineering attack can even lead to identity theft, whereby attackers accrue so much personal data from their target that they are then able to take out loans in their victim’s name.This is why large email lists can fetch relatively good prices on the black market, where emails can go for $5-$50 per 100,000 addresses depending on their quality. With 350 million unique email addresses stored in this bucket, the value of this leak could fall anywhere between $17,500 and $175,000.
Due to the fact that we were unable to identify the owner of the exposed data bucket, we reached out to Amazon to help them secure it on June 10. They were able to close the bucket on the same day.
Since the number of emails exposed by the unidentified owner of the data bucket is so massive, there is a chance that your email address might be among those leaked.
To make sure your account is safe when it comes to this email breach, we recommend doing the following:
Even if your email address has not been exposed in this or other breaches, securing your email account is key if you want to keep it from joining the 7 million daily leaked records statistics cited above.
(SecurityAffairs – hacking, email addresses)