Every transaction in the world today is increasingly data-driven and communication has also undergone a radical digital transformation to keep pace with technology.
At the core of this digital transformation in communication is email, which has practically superseded the conventional methods previously in use, making email security more important than ever.
The bane of this digital and data-dependency has been the ever-present threat of cyber-attacks that negatively affect millions of people and businesses globally through email security breaches, as happened with Yahoo back in 2013. Here is a look at some examples of recent email security breaches and their consequences.
The Verifications.io leak
Verifications.io is a managed service provider (MSP) that offers an email verification platform for marketers to screen and validate email lists intended for marketing campaigns. This service brings into their custody tons of private customer data either directly from client companies or through web scraping.
All was well until February 2019, when a little over 763 million records were found in the public domain by an independent researcher. Vital public-facing databases not protected by advanced email security were exposed in this monumental breach that broke all records to date, with an estimated two billion customer records at last count in the open.
Onliner spambot accounts
In August of 2017, security researcher Benkow discovered another massive trove of 711 million email addresses and passwords on public servers. As technology has advanced alongside the adoption of AI in business, so has email security, including better spam filters against malicious files.
However, cybercriminals will always find ways around the best data security and in this case, they adopted fingerprinting by taking over existing accounts and using these to send out emails to targets. Onliner used 80 million existing accounts to send out the Ursnif malware – a banking Trojan that mined critical information, including credit card data from target computers.
The Exploit.in accounts breach was a classic case of credential stuffing where hackers introduced fraudulently acquired usernames and passwords into websites to access other user accounts. The dump list included 593,427,119 breached accounts complete with email addresses and passwords that appeared on " back in 2016.
The end game in credential stuffing is to troll websites for any other accounts where the user may have reused the same password to sign in. Hackers use super bots to launch multiple login attempts simultaneously, simulated to appear as originating from different addresses so that they escape the blocking normally triggered by several failed logins.
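Because each address in such a run fails only once or twice, a per-address lockout never fires, while a site-wide count of distinct failing accounts and addresses per time window does. The following Python sketch is an added example, not code from any of the companies discussed here; the event format, thresholds, and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Stuffing run: 40 leaked pairs, one attempt each, every attempt from a new address.
    for i in range(40):
        events.append((t0 + timedelta(seconds=i), f"198.51.100.{i + 1}",
                       f"user{i}", i % 20 == 0))  # 2 of 40 reused passwords work
    # Ordinary user mistyping a password three times, then getting it right.
    for s in (41, 44, 47):
        events.append((t0 + timedelta(seconds=s), "203.0.113.7", "alice", False))
    events.append((t0 + timedelta(seconds=50), "203.0.113.7", "alice", True))
    return events

def per_ip_lockout(events, max_failures=5):
    """Per-address control: addresses that reach max_failures failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= max_failures}

def stuffing_windows(events, window=timedelta(minutes=1),
                     min_users=20, min_ips=10, min_fail_ratio=0.8):
    """Site-wide view: windows where many accounts fail from many addresses."""
    buckets = defaultdict(list)
    for ev in events:
        start = datetime.min + ((ev[0] - datetime.min) // window) * window
        buckets[start].append(ev)
    alerts = []
    for start, evs in sorted(buckets.items()):
        failed = [e for e in evs if not e[3]]
        users = {e[2] for e in failed}
        ips = {e[1] for e in failed}
        ratio = len(failed) / len(evs)
        if len(users) >= min_users and len(ips) >= min_ips and ratio >= min_fail_ratio:
            alerts.append({
                "window_start": start,
                "failed_users": len(users),
                "source_ips": len(ips),
                "fail_ratio": round(ratio, 2),
                # Logins that succeeded during the run need review or a forced reset.
                "accounts_to_review": sorted(e[2] for e in evs if e[3]),
            })
    return alerts
```

On the constructed log the per-address check flags nothing, while the windowed check raises one alert and lists the accounts whose logins succeeded during the run.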
Anti public combo list accounts
Yet another combo list containing a huge database of password and email address pairs collected over a long period from multiple data leaks appeared in mid-2017. The list, known as the anti-public combo, had a massive 457,962,538 breached accounts, with usernames and passwords paired in plain text and dumped on the dark web for sale.
The worst affected were accounts on yahoo.com, accounting for over 42%, although researchers noted from examining the breached credentials that users were adopting stronger passwords. An emerging pattern indicated users were combining symbols, numbers, and even spaces with alphabet characters to create stronger passwords for enhanced privacy.
River city media spam list
In January of 2017, it was River City Media’s turn to suffer data exposure online with over 393 million email addresses at risk. The records left exposed online in this spamming operation for nearly three months had account names, physical addresses, IP addresses, and even zip codes linked to the email addresses.
It appears River City may have inadvertently leaked this critical data when backing up their databases on servers without functional password protection. This case is an illustration that sometimes the managed service providers could be the weak link in data breaches when they fail to enforce strict access and privacy policies.
Myspace accounts breach
In the early 2000s, Myspace was a mighty social networking site that attracted scores of budding musicians trying to create a following. In 2013 the company suffered a major data security breach affecting over 360 million accounts with compromised usernames and passwords.
Myspace has since lost its luster, but the accounts of subscribers who left, although moribund, can still expose their privacy on other sites. This is because multiple surveys have shown that over 50% of Internet users find it convenient to use one password across all the accounts they operate.
NetEase data breach
NetEase, another email service provider, had over 235 million user accounts hacked and exposed online in the fall of 2015. The Chinese company continues to deny this happened and insists the data in question is unverified. However, DoubleFlag, a dark web market site, has commercialized the usernames, passwords, and other user data, selling to shadowy bidders online.
The major downside to this breach is not that it happened at all, but that the company chose to stonewall the incident rather than confront it publicly for better management.
LinkedIn data leak
Hackers scraped over 500 million LinkedIn accounts to collect user profiles that are now circulating on offer for sale. The scraped data contained users’ details, including full names, IDs, phone numbers, workplace information, links to other profiles, and email addresses that could expose them to identity theft.
The hacker(s) posted a sample of 2 million accounts on a hacker forum that prospective buyers could inspect to confirm authenticity before buying from the larger trove of over 500 million. The upshot of this leak is that fraudsters could use the data to brute-force LinkedIn profile passwords or mount targeted phishing attacks on account holders.
The Dubsmash data breach
Dubsmash is a video messaging app with viewership at 1 billion monthly and is popular with the younger social media generation.
However, the company suffered a major data breach in 2018, with the data of over 160 million users compromised in an attack that targeted five other companies, exposing 620 million records.
The stolen member data that included email addresses and passwords did not contain credit card numbers or physical addresses, according to Dubsmash. The threat actors posted the credentials for sale on the dark web marketplace at rates as low as $2 for an entire database.