Spammers 'leak database of 1.4 billion users'

One of the world's largest spam email operations has reportedly had its entire repository of 1.37 billion user records leaked publicly online, due to the spammers failing to password protect the database.

In what is being described as a "tangible threat to online privacy and security", the massive data hoard apparently includes email addresses, real names, IP addresses, and in some cases home addresses and post codes.

The discovery was made when Chris Vickery, security researcher at MacKeeper Security Research Centre, stumbled upon the publicly exposed database that was lacking password protection. Since then, a research cooperative made up of investigators from MacKeeper, CSOOnline and Spamhaus has been trawling through the leaked files, and believe that a group known as River City Media were behind the leaked files.

"The leaky files, it turns out, represent the backbone operations of a group calling themselves River City Media (RCM)," said Chris Vickery, in a blog post describing the operation. "Led by known spammers Alvin Slocombe and Matt Ferris, RCM masquerades as a legitimate marketing firm while, per their own documentation, being responsible for up to a billion daily email sends."

RCM calls itself an email marketing firm but resides in the top 10 list on the Register of Known Spam Operations (ROKSO).

"Well-informed individuals did not choose to sign up for bulk advertisements over a billion times," added Vickery. "The most likely scenario is a combination of techniques. One is called co-registration - that's when you click on the 'Submit' or 'I agree' box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site."

How can two individuals be responsible for up to a billion email sends in a single day? The answer, Vickery explains, is extensive automation and illegal hacking techniques.

Part of a conversation discovered by the research team - courtesy of Chris Vickery

In one screenshot highlighted by Vickery, the spammers appear to admit to using a technique which attempts to open as many connections as possible between themselves and targeted Gmail servers. Normally Gmail would shutdown these connections as it becomes overloaded but, according to Vickery, connections are made extremely slowly and fragmented in a way that bypasses this check.

The research group has yet to fully verify the data set as legitimate, but Vickery has cross checked a small sample of addresses and found them to be genuine.

The researchers have forwarded details of the abusive scripts and techniques to Microsoft and Apple, as well as unnamed law enforcement agencies.

According to CSOOnline, the leak was the result of a faulty backup - Vickery said: "Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling.

"The situation presents a tangible threat to online privacy and security as it involves a database of 1.4 billion email accounts combined with real names, user IP addresses, and often physical address. Chances are that you, or at least someone you know, is affected."