How should security teams handle the Onliner spambot leak?
A security researcher recently discovered a list of 711 million records used by the Onliner spambot. Expert Matt Pascucci explains what actions exposed individuals should take.
A security researcher discovered a list of email addresses and passwords used by the Onliner spambot. This leak contained 711 million individual records. How can security teams find out if an organization's employees are on that list? What steps should they take for individuals that have been exposed in the leak?
A list of 711 million records stolen by the Onliner spambot was recently discovered, and the sheer size of that data set is staggering. To put it in perspective, the United States has only 323 million people: even if every person in America were on this list, they would account for only about half of it.
The data the Onliner spambot stole was handed to security researcher Troy Hunt, who imported the entire list into his site Have I been pwned?, a searchable database of email addresses and usernames that have appeared in the largest breaches to date, such as those at LinkedIn, Adobe and Myspace.
You should check personally whether your own email addresses or usernames have been compromised in these breaches. When you submit an email address or username, the site queries its aggregated list of dumped credentials and tells you whether you were part of any of them. If your credentials are found, reset the passwords for those accounts immediately.
There are also ways for organizations to determine and be notified if a user account on their domain has been caught in a data breach. Once an enterprise has submitted its domain name to the site and completed the verification process, an email is sent each time an email address with that domain is found in a data breach that's within the Have I been pwned? database.
In addition to changing passwords as soon as possible, users should also determine whether they reused the hacked password on any other sites. If so, those passwords should be changed as well: attackers routinely take breaches like this one and try the leaked credentials against other sites in the hope that the same username and password work there too.
Users who reuse credentials should start using a password vault, which makes it far easier to manage a different complex password for every account. Likewise, users should enable some form of multifactor authentication on their accounts to limit the impact of massive breaches, since attackers will not have the second factor. Even though the credentials themselves are public, the second factor is not in these lists, so it acts as a stopgap that keeps attackers from using those accounts.
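The domain notification from Have I been pwned? tells a security team which of its addresses appeared in a dump, but not whether the leaked password is still the one in use. The Python script below is an added example, not code from the article, from Matt Pascucci or from Have I been pwned?, showing the offline triage a team can run when it has its own copy of the list. It assumes a dump in `email:password` form, a set of owned domains and read access to the directory's salted PBKDF2 password hashes; every value here (the dump lines, the domains, the stored hashes) is constructed. It normalizes and de-duplicates addresses, keeps only the organization's own mailboxes, and flags accounts whose leaked password still matches the stored hash (the reuse case described above) so those get a forced reset first, without ever writing a plaintext password into the report.

```python
"""Triage a leaked credential list against an organization's own accounts.

Added example; not part of the original article or of Have I been pwned?.
All inputs below are constructed: in a real run the dump comes from disk and
the hashes from the identity provider.
"""
import hashlib
import hmac

# Constructed fragment of a combolist-style dump, one "email:password" per line.
# Real dumps are messy: mixed case, duplicates, blank or malformed lines.
SAMPLE_DUMP = """\
Alice.Smith@Example.COM:Winter2017!
bob@example.com:hunter2
carol@partner.example.org:letmein
not-an-email-line
dave@example.com
eve@example.com:Summer2016
BOB@Example.com:hunter2
frank@example.com:Password1
"""

ORG_DOMAINS = {"example.com"}  # constructed: domains the security team owns


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the directory's hash scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stored credentials: email -> (salt, hash of the *current* password).
STORED_HASHES = {
    "alice.smith@example.com": (b"salt-a", _pbkdf2("Winter2017!", b"salt-a")),  # still on leaked pw
    "bob@example.com": (b"salt-b", _pbkdf2("already-rotated", b"salt-b")),      # rotated after leak
    "eve@example.com": (b"salt-e", _pbkdf2("Summer2016", b"salt-e")),           # still on leaked pw
}


def parse_dump(text: str):
    """Yield (email, password) pairs from raw dump text, skipping malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")  # password may itself contain ':'
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        yield email, password


def org_records(text: str, domains):
    """Keep only records whose mailbox domain belongs to the organization."""
    wanted = {d.lower() for d in domains}
    return [(e, p) for e, p in parse_dump(text) if e.rsplit("@", 1)[1] in wanted]


def leaked_password_is_current(email: str, password: str, stored) -> bool:
    """True if the leaked password still matches the account's stored hash."""
    entry = stored.get(email)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def triage(text: str, domains, stored):
    """Per-account report: exposed, known to the directory, and whether the leak is live.

    Plaintext passwords are checked against the hash and then dropped; they never
    reach the report, so it can be shared with the help desk safely.
    """
    report = {}
    for email, password in org_records(text, domains):
        entry = report.setdefault(
            email, {"exposed": True, "in_directory": email in stored, "live": False}
        )
        # A dump may carry several passwords for one address; any live hit counts.
        entry["live"] = entry["live"] or leaked_password_is_current(email, password, stored)
    return report


if __name__ == "__main__":
    for email, info in sorted(triage(SAMPLE_DUMP, ORG_DOMAINS, STORED_HASHES).items()):
        action = "force reset now, require MFA" if info["live"] else "notify, confirm MFA enrolled"
        print(f"{email}: in_directory={info['in_directory']} live={info['live']} -> {action}")
```

Addresses in the dump that are not in the directory (here `frank@example.com`) still matter: they are usually former employees, aliases or shared mailboxes, and are worth checking for forwarding rules or lingering access even though no password can be compared.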
Using Have I been pwned? as a tool to increase your situational awareness on the status of current major breaches, such as the Onliner spambot, is an added way to keep yourself and your organization safe. Similarly, enforcing multifactor authentication and eliminating credential reuse can go a long way to help you stay safe.