Australian computer security expert Troy Hunt runs a website, Have I Been Pwned, that notifies people if their data has been leaked in breaches. Hunt wrote on his blog that 711 million records were leaked in this breach, "which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe."
Before this incident the largest breach hunt encountered involved 393 million records.
The database was exposed when the spammers neglected to secure one of their servers, allowing uncredentialed people to potentially download gigabytes of data. It isn’t clear how many people may have actually done so.
Given that the data was already in the hands of spammers, the leak isn’t causing too much concern. Cyber security strategist Matthew Gardiner told NBC News, "While it's large in terms of numbers, it's not that risky. [Information] was already in the wrong hands and who knows what they or their associates have been doing with it already."
Hunt says that while millions of passwords were leaked in the breach, mostly due to spammers attempting to break into users’ emails to send spam through their accounts, many of them seemed to have been culled already from other breaches.
One set of passwords resembles the 4.2 million that were stolen from the stolen password database Exploit.In in May, while another mirrors the 164 million stolen from networking site LinkedIn in May 2016.
"Finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it," Hunt wrote. "I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went 'ah, this helps explain all the spam I get.'"
CEX, a video game reseller, also announced a leak today, notifying its customers of an online security breach that released up to 2 million accounts that include personal information like addresses, phone numbers, full names and email addresses.
The company said in a statement, "We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats."
"Clearly however, additional measures were required to prevent such a sophisticated breach occurring," the company conceded. "We have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again."