A Trove of Email Addresses Was Left Exposed and Accessible Online
- About 350 million email addresses have been left exposed in an unprotected database for 18 months.
- The contents included both hashed and unhashed email IDs, and can be used for phishing or spamming.
- Brute-forcing the passwords is also a possibility, so resetting the password now is advisable.
Another day, another unprotected Amazon S3 bucket was left unprotected and accessible by anyone with a web browser. The contents of the bucket include CSV files of about 7 GB, which were populated with lists of unhashed email addresses. The number of the strings exposed is approximately 350,000,000, so this was a pretty massive collection of email addresses.
The discovery and the reporting come from the CyberNews research team, who couldn’t figure out who is the owner of the unprotected database. Thus, they contacted Amazon directly on June 10, 2020, and the internet company closed the bucket almost immediately.
More specifically, the contents of the S3 bucket were the following:
- 21 files in the bucket were CSV files containing email addresses
- Seven CSV files contained email addresses that were hashed
- Seven CSV files contained emails that were hashed and salted for an additional layer of encryption using the unreliable MD5 algorithm
- The remaining seven CSV files were unencrypted, each of which included 50,000,000 strings of unique email addresses of (presumably) US users
- Voice recordings of several sales pitches to digital marketers about RepWatch
Source: Cyber News
The unsecured bucket remained online for at least 18 months, so the possibility of malicious access should be considered a certainty. With that taken for granted, the question should be what the consequences are.
First of all, actors could use these CSV files for spamming 350 million email addresses. Secondly, these addresses could be used for phishing attacks and malware/botnet spreading campaigns. Thirdly, knowing the email address of someone is the first step required for taking over the account, so brute-forcing the passwords is the worst possible scenario. Hackers could search the email address on breach data indexes and get more relevant details that could help them with their brute-forcing effort.
The researchers estimate the value of this leak to be between $17,500 and $175,000, depending on the actual quality of the content.
As for what the exposed individuals can do now, first, check if you’re included in the particular database. If you find that you are, reset your email password and pick something strong that you’re not using anywhere else. From now on, treat incoming communications with extra care - although this is something that you should be doing anyway. If the volume of spam you’re getting increases suddenly, you will at least know the reason why that happens.
Read More:
- Unprotected Server Contains Sensitive Data From Various Firms
- ‘IndieFlix’ Has Exposed 93,867 Sensitive Files via S3 Server Misconfiguration [Update]
- Cosmetics Brand ‘Avon’ Has Leaked 7GB of Data Online