Over 1.3bn email addresses compiled by a huge spam operation posing as a legitimate marketing firm were left exposed online after the illicit scammers left a backup connected to the web without adequate password protection, a security expert has revealed.
The leaked records were from an organisation called River City Media (RCM), led by two men called Alvin Slocombe and Matt Ferris. Other files in the trove reportedly contained personal information, full names, addresses and computer internet protocol (IP) addresses.
The cache was found online by MacKeeper security researcher Chris Vickery. Upon analysis, many records appeared to be as recent as January this year.
In a blog post, Vickery said the incident "presents a tangible threat to online privacy and security" due to the sheer scale of the leaked information.
"Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling," he explained. He said an active market exists for trading in this sort of data and issued a warning: "Chances are that you, or at least someone you know, is affected."
While Vickery, alongside technology website CSO and Spamhaus, has not completely verified the massive leak of addresses, several entries have been confirmed to be legitimate. Luckily for some victims, a number of records do appear to be a few years old at this point.
The scope of the leak is staggering, which begs the question: how did the firm get this data? "Well-informed individuals did not choose to sign up for bulk advertisements over a billion times," Vickery explained. "The most likely scenario is a combination of techniques. One is called co-registration.
"That's when you click on the 'Submit' or 'I agree' box next to all the small text on a website. Without knowing, you have potentially agreed your personal details can be shared with affiliates of the site. You are never told who the affiliates are and groups like River City Media capitalise on that."
Furthermore, details of some of the malicious techniques used to compile email accounts have already been forwarded to the relevant providers, including Apple and Microsoft. On top of this, law enforcement in the US has been notified and is now probing the incident.
The analysis of the massive leak remains ongoing. "There are enough spreadsheets, hard drive backups, and chat logs here to fill a book," Vickery said, promising more releases soon.
According to CSO's Salted Hash, Spamhaus, the project which monitors known spammers, has now blacklisted all of the IP addresses and other infrastructure connected to RCM as the investigation continues.
Vickery, who is well-known for his work identifying data breaches and leaky databases using the Shodan search engine, initially spoke about the leak on 3 March. Fuelling mass speculation in security circles, he teased: "1.4 billion identity leak story incoming."