Vast data leak affects 700m email addresses

Passwords and personal email addresses included in largest ever spam breach

Email addresses caught in huge data breach by spambot

In what may be the largest spamming operation ever recorded, over 700 million compromised email addresses have been listed online. We explain what’s happened and how to find out if your own address has been affected.

The email addresses, which have been leaked online, are accompanied in some cases by millions of passwords from data hacks. The leak is the result of a spambot, which was used to send out spam emails en masse, being left unsecured by its creators. This meant that other hackers and spammers were able to lift data from the spambot’s code and compile a vast database of email addresses.

We explain how to find out if your own email address has been compromised by this leak, and what to do to make sure your online accounts are secure.

Learn if your email address is affected

News of the leaked email addresses was broken by Troy Hunt, a cyber security expert responsible for the Have I Been Pwned website. This site is a safe service that allows web users to check their email address against lists of known data leaks. This latest list of email addresses appears to combine data from multiple breaches, making it available online for would-be hackers and scammers.

No stranger to vast data leaks, Hunt still expresses surprise at the sheer scale of this incident in a blog post, stating that the list is long enough for ‘almost one address for every single man, woman and child in all of Europe.’ Hunt even admits to finding his own personal email address within the list.

Fortunately, the list contains a huge amount of speculative, ‘guesswork’ email addresses. However, it still contains a large number of genuine ones that have been lifted from data hacks, and – in some cases – passwords for accounts.

To find out if your own email address has been affected by a data breach, head to the Have I Been Pwned website. You’ll need to enter your email address here – don’t worry, there’s no security threat to doing so, and you’ll never be asked to enter a password or other personal data.

If the news is bad, you’ll see a message stating you’ve been ‘pwned’, which is to say, your email address was included in a data breach at some stage, recorded by this website. Don’t worry – there are steps you can take to secure yourself.

Change your passwords

If your email address has been compromised in a data breach, it’s a smart move to change your login password for your email address, and for the service which was affected by the breach.

Even if your email account itself hasn’t been the victim of a data breach, there’s a security risk if another account that you log into with the same password has been affected.

Ideally, you should never use the same passwords across multiple websites. It can, admittedly, be a pain to remember multiple logins. If nothing else, you should always have a completely unique password for logging into your email account – don’t use this same password on any other service.

When creating a strong password, use a mix of upper and lower case letters, numbers and symbols.

Learn more in our guide to creating secure online passwords

Watch out for spam

After an incident such as this, it’s more important than ever to watch out for spam and junk messages. Clicking on links within spam, or responding to messages, is a risk – you may expose your address to a data breach, or inadvertently install a virus on your computer. Keep an up-to-date antivirus program running on your PC at all times.

Keep an eye out, too, for signs that your own email address may be sending out spam. The most likely symptom of this is a deluge of ‘bounceback’ emails. You may see automatic responses or ‘address not recognised’ messages in response to emails that you didn’t intentionally send.

If you believe your own address has been used to send spam, don’t panic. There are steps you can follow to secure your account and let your contacts know what has happened.

See our guide on what to do if you are sending spam messages
