A massive spambot that contained more than 700 million email accounts has been found on a server in the Netherlands, computer security expert Troy Hunt announced Wednesday.

The trove of data was pointed out by a security researcher under the name Benkow, who discovered an open and accessible web server used by the “Onliner Spambot.” The database contained email addresses, passwords and email servers used to send spam. This data breach is almost twice as large as the previous River City Media breach earlier this year, which contained 393 million records.

“The one I'm writing about today is 711m records which makes it the largest single set of data I've ever loaded into HIBP,” wrote Hunt in a post, referring to the “Have I Been Pwned” site. “Just for a sense of scale, that's almost one address for every single man, woman and child in all of Europe.”

However, the number of humans affected by the breach might be “somewhat less” than the 711 million, because of malformed and repeated email addresses in the trove. It also seems like many of the email addresses are not linked to real accounts. Some addresses look like they’ve been scraped from the internet, for example:


That address appears twice in the datasets. Meanwhile, other addresses seemed to have been invented, like putting “sales” in front of domain addresses.

Hunt said many of the records appear to have been collected from previous breaches, including LinkedIn’s incident last year, in which 117 million accounts were affected, as well as the 4.2 million email addresses stolen from the Exploit.In database.

Hunt said:

“A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach. Now this is interesting because assuming that's the source, all those passwords were exposed as SHA1 hashes (no salt) so it's quite possible these are just a small sample of the 164m addresses that were in there and had readily crackable passwords.

A similar file (with a similar naming structure) contains 4.2m email address and password pairs, this time with every single account having a hit on the massive Exploit.In combo list. This should give you an appreciation of how our data is redistributed over and over again once it's out there in the public domain.”

Hunt said he and Benkow have been communicating with a source who’s talking to law enforcement so the IP address of the database can get “shut down ASAP.”

Has Your Email Address and Password Been Compromised?

Hunt uploaded all 711 million email addresses from the database to the “Have I Been Pwned” site, which notifies people of breaches.

“Email addresses, passwords and SMTP servers and ports spread across tens of gigabytes of files. It took HIBP 110 data breaches over a period of 2 and a half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location,” he said. “It's a mind-boggling amount of data.”

To see if your email address has been compromised, go to the site and enter your email address. The site will display the breaches in which your email address was affected and what information may have been compromised. Passwords that have been affected are not shown on the site.

Hunt stressed the importance of creating strong passwords and getting a password manager to keep your passwords organized. He also suggested people use multi-step verification.

“If you're not, now's a great time to start,” said Hunt.