350 million decrypted email addresses left exposed on an unsecured server

Pierluigi Paganini August 27, 2020

Experts found an unsecured data bucket containing seven gigabytes worth of unencrypted files that include 350,000,000 strings of unique email addresses.

Original post at: https://cybernews.com/security/350-million-email-addresses-left-exposed-on-an-unsecured-server/

The CyberNews research team uncovered an unsecured data bucket owned by an unidentified party, containing seven gigabytes worth of unencrypted files that include 350,000,000 strings of unique email addresses.

The massive trove of emails was left on a publicly accessible Amazon AWS server, allowing anyone to download and access the data. This is a huge leak even by today’s standards, with an average of 7 million records being exposed daily in 2020. 

As cyberattacks become ever more frequent and sophisticated across the board, both organizations and individuals are still struggling to catch up with cybercriminals when it comes to data security. The 350 million email leak discovered by CyberNews is only the latest example of this cybersecurity gap that continues to grow despite increasing investment in the security industry.

On June 10, the exposed S3 bucket was closed by Amazon and is no longer accessible.

To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.

What data is in the bucket?

The publicly available Amazon S3 bucket contained 67 files.

  • 21 files in the bucket were CSV files containing email addresses
  • Seven CSV files contained email addresses that were hashed
  • Seven CSV files contained emails that were hashed and salted for an additional layer of encryption using the unreliable MD5 algorithm
  • The remaining seven CSV files were unencrypted, each of which included 50,000,000 strings of unique email addresses of (presumably) US users

Example of leaked email addresses:

[Screenshot: censored email list]

Besides the CSV files, the bucket also contained voice recordings of several sales pitches to digital marketers about RepWatch, which appears to be a long-defunct domain reputation management tool and may or – considering when the files were uploaded – may not be related to the CSV files stored in the bucket.

Screenshot from the latest forum discussion about RepWatch in 2013:

[Screenshot: forum post]

The CSV files appear to have included the same set of 350 million unique emails, separated into three groups: hashed, hashed and salted, and unencrypted files. The dates and times when the files were created suggest that the unidentified owner uploaded the files to the bucket in stages: hashed and salted emails were uploaded first, while the unencrypted files were uploaded last.

The timeline of uploads might indicate that these emails have been either stolen or acquired on the black market back in October 2018, and then gradually decrypted by the owner of the bucket.

Who had access?

The unsecured bucket was located in the US and hosted on an Amazon S3 server that has been exposed for what seems to be at least an 18-month period.

While it is unclear if any malicious actors have accessed the S3 bucket, anyone who knew where to look could have downloaded and accessed the CSV files, without needing any kind of permission.

If the emails were stolen to begin with, however, their owners should assume that their email addresses have already been sold on the black market 18 months ago.

What can threat actors do with this data?

Although most people think that having their email exposed will not result in any serious damage, there are many reasons why email addresses are bought and sold on the dark web. In many cases, an email address is merely the first avenue of attack against an unsuspecting target and can conceivably cause the victim significant harm down the line. 

Here are some examples of how potential attackers can use the data found in the unsecured Amazon S3 bucket against the owners of the exposed email addresses:

  • Spamming 350 million email IDs
  • Carrying out phishing attacks
  • Brute-forcing the passwords of the email accounts

Attackers can also combine the leaked email addresses with data from other breaches and build more detailed pictures of their potential targets. They can then conduct elaborate phishing and social engineering attacks to gain access to the victims’ accounts on other digital services such as entertainment and shopping platforms or even online banking. 

In the worst-case scenario, an exceptionally successful phishing or social engineering attack can even lead to identity theft, whereby attackers accrue so much personal data from their target that they are then able to take out loans in their victim’s name.

This is why large email lists can fetch relatively good prices on the black market, where emails can go for $5-$50 per 100,000 addresses depending on their quality. With 350 million unique email addresses stored in this bucket, the value of this leak could fall anywhere between $17,500 and $175,000.

What happened to the data?

Because we were unable to identify the owner of the exposed data bucket, we reached out to Amazon on June 10 to help secure it. They were able to close the bucket on the same day.

What to do if you have been affected?

Since the number of emails exposed by the unidentified owner of the data bucket is so massive, there is a chance that your email address might be among those leaked. 

To make sure your account is safe when it comes to this email breach, we recommend doing the following:

  1. Use our personal data leak checker to see if your email has been leaked.
  2. If your email happens to be among those leaked, we strongly recommend that you immediately change your email password.
  3. Watch out for potential spam messages and phishing emails. Clicking on suspicious messages or any links therein is a risk that may result in your computer being infected with malware.

Even if your email address has not been exposed in this or other breaches, securing your email account is key if you want to keep it from joining the 7 million daily leaked records statistics cited above. 

Here’s how:

  1. Create long, strong, and unique passwords that are difficult to guess, or use a password manager to generate strong passwords for you.
  2. Change your passwords approximately every 30 days.
  3. Enable two-factor authentication (2FA) for as many of your online accounts as possible.

Pierluigi Paganini

(SecurityAffairs – hacking, email addresses)
