350 Million Emails Have Been Found in a Bucket That Might Have Been Exposed Since 2018

350 Million Exposed Email Addresses

When you enter your email address in a registration form, are you really sure where it will end up? The answer is 'no, you're not.' You might think that only the service provider you're creating an account with will see it, but the truth is, often, this is not the case.

In addition to the fact that some website operators share your data with third parties (with or without your consent), your personal details might also get stolen. When hackers take them, they can use them for their own malicious campaigns, or they can sell them to other cybercriminals. They can also put them in a misconfigured Amazon S3 bucket and forget them for 18 months.

Researchers find a forgotten trove of email addresses in an exposed S3 bucket

In early-June, a team of researchers from CyberNews stumbled upon the next in a very long line of unprotected AWS S3 buckets that contain the personal information of millions of unsuspecting users.

Their investigation couldn't determine the owner of the bucket, which is why they notified Amazon directly, and on June 10, the data was pulled offline. By then, however, it had been exposed for at least 18 months. During that period, anyone who knew where to look could have accessed the data inside it. But what did the leaky bucket expose exactly?

The good news is, the researchers didn't find any passwords, credit card details, Social Security numbers, or other information that could lead directly to identity theft. Instead, the bucket contained a total of 350 million unique email addresses that, according to CyberNews, were stolen in 2018.

Although this is far from the biggest data leak we've ever seen, the number is definitely significant. The affected users are at a very real risk of receiving a barrage of spam emails, and if the attackers are motivated enough, the victims could be targeted by more sinister campaigns as well. CyberNews put together a HaveIBeenPwned-like checker that can tell you if your email address was in the exposed bucket.

The data has been on quite a journey

Having your email address exposed without your consent is not pleasant, but it must be said that the lack of any particularly sensitive information minimized the potential damage the leak could cause. In fact, what is more worrying is the number of unanswered questions surrounding the origin of the data.

There were a total of 67 files in the S3 bucket, but the exposed email data was in 21 of them. Seven CSV spreadsheets held the addresses in hashed form. Another seven CSVs contained the same data, only hashed and salted with the weak MD5 algorithm. The final seven spreadsheets contained the 350 million email addresses in plain text.

The files' timestamps suggest that initially, the data was hashed with an algorithm that CyberNews didn't name. The cybercriminals apparently broke it and found out that whoever collected the data had put additional protection with MD5. After they got through it, the hackers ended up with the plaintext data.

Of course, the origin of the emails remains unknown, which means that all this is more or less speculation. In addition to the emails, the leaky bucket also contained voice recordings of sales pitches regarding a now-defunct company called RepWatch. RepWatch has left next to no online traces, but by the looks of things, it was a reputation monitoring service that helped online marketers get to their targets more easily. It stopped functioning long before the CSV files found their way to the exposed Amazon bucket, so it's really difficult to say whether there's a connection.

As things stand, there are more questions than answers. For all we know, the organization that originally collected the email addresses might not even be aware of the theft. The only silver lining for the affected users is that no other data seems to have been exposed by this particular bucket. Nevertheless, victims should keep their eyes peeled for any potential scams.

August 13, 2020

Leave a Reply