The Onliner Spambot: What You Actually Need to Know 

Amber Steel, August 31, 2017
Please note that the Security Challenge functionality discussed in this post has been updated. For updated information, please visit our blog post from 8/5/2020.

We've teamed up with our partner PasswordPing to bring you our joint perspective on this event.

You may have caught the headlines about Onliner Spambot, a recently discovered spam server with more than 711 million email addresses, along with some compromised passwords and server addresses used for sending spam. Understandably, this discovery is newsworthy because of the massive size of the spam list. In the world of security, large email lists and breaches get large headlines. When we took a deeper dive, here were our conclusions:
  1. The vast majority of the list consisted of just email addresses, without passwords.
  2. For the email addresses on the list that also had password data, the majority looked to be recycled from previous data breaches that have been circulating for some time.
  3. Good password hygiene can negate the impact of this list.  
Should you be worried? Here's our take:

Spammers already have your email address.  

For the vast majority of people whose emails appear on the Onliner Spambot list, it simply means that you were on the distribution list for this particular spam network. Like most other people, you probably receive daily spam in your email inbox already, so this is not really news and in itself is not really a cause for concern.

Now, apart from the more “benign” form of spam, which is just trying to sell you things you don’t want, there is evidence this particular spambot was also being used to distribute malware and conduct phishing attacks. While this is typical for a spam network, it just goes back to being smart about when you open attachments or click on links. You shouldn't let these facts create fear just because your email address is found on a new spam list.

LastPass takes care not to alert customers unnecessarily and doesn’t believe that an email address exposure alone warrants any action.

To recap:
  • Being on a spam distribution list is not itself cause for concern.
  • Make sure you don't click on links or open attachments in unsolicited emails.
  • Practice good email hygiene by using a strong unique password and turning on multi-factor authentication.

This doesn't appear to be a major new breach.

A key point is that Onliner Spambot doesn’t appear to contain a major new leak of user credentials. The large majority of the email and password combinations found in the data appear to be sourced from past data breaches. This is typical, as hackers and spammers regularly recycle credentials from previous data breaches.

In this case, the spambot operators use these lists of previously-breached credentials to attempt to access email accounts for those users. Once they get access to a user’s email account, they can then send yet more spam through that account and try to expand their spam network. Given that most of the exposed user credentials are recycled from previous breaches and it was a small minority of what was exposed to begin with, we believe the risk to our users is relatively low.

LastPass provides all customers with access to breach alerts for their LastPass account email addresses as well as all the emails stored in the vault as usernames. When matches are found along with a compromised password, notifications are sent to the affected emails, so users can update their passwords.

To recap:
  • The passwords were primarily recycled from previous breaches.
  • Use the breach alerts built in to the Security Challenge to identify the accounts you need to update the password for.

The biggest threat is password reuse - just don’t do it. 

The reason spammers, like those behind Onliner Spambot, can use a recycled list is that they know most people reuse their passwords. For example, if they take a password exposed in the LinkedIn breach, there is a good chance that a certain percentage will work if they try to access an email account or other online service using the same username and password combination.

The absolute best strategy to ensure you are not at risk is to use a strong and unique password for every site. The good news is, using LastPass makes this easy. The LastPass Security Challenge audits your password security and identifies weak, reused, old, and vulnerable passwords. The LastPass Password Generator makes it easy to then generate random passwords automatically.

To recap:

Peace of mind with LastPass

While the Onliner Spambot is remarkable for the number of email addresses it was targeting, it’s not a particularly significant password-related threat.  In summary, for those using LastPass for secure password management, with PasswordPing for breach alerts, we have you covered! If you are cautious about your email security and practice good password hygiene with a password manager, you can sit back and relax in the knowledge that you're doing online security right.
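
The triage this post describes (an email on a list alone needs no action, an email exposed with a password needs a change, and a reused password spreads that exposure to every site sharing it) can be sketched as follows. This is an added example, not LastPass or PasswordPing code; the vault entries, the breach-feed shape (`LISTED_EMAILS`, `LISTED_PAIRS`) and the function name `audit_vault` are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample data (not real accounts): vault entries as (site, username, password).
VAULT = [
    ("mail.example", "pat@example.com", "Summer2016!"),
    ("forum.example", "pat.alt@example.com", "Summer2016!"),
    ("bank.example", "pat@example.com", "x9#Lq2v!Tz7pRw4k"),
    ("shop.example", "pat.alt@example.com", "c0rrect-h0rse-8attery"),
    ("news.example", "pat@example.com", "c0rrect-h0rse-8attery"),
]
# Assumed breach-feed shape: emails seen on a list, plus (email, password hash) pairs.
LISTED_EMAILS = {"pat@example.com", "pat.alt@example.com"}
LISTED_PAIRS = {("pat@example.com", sha256_hex("Summer2016!"))}

def audit_vault(vault, listed_emails, listed_pairs):
    key = os.urandom(32)  # per-run key: fingerprints group passwords without keeping plaintext
    sites_by_fp = defaultdict(list)
    exposed_fps = set()
    rows = []
    for site, user, password in vault:
        fp = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        sites_by_fp[fp].append(site)
        if (user.lower(), sha256_hex(password)) in listed_pairs:
            exposed_fps.add(fp)  # this password is known to be exposed with an email
        rows.append((site, user.lower(), fp))
    report = {}
    for site, user, fp in rows:
        if fp in exposed_fps:
            action = "change now: password exposed with an email"
        elif len(sites_by_fp[fp]) > 1:
            action = "change: password reused"
        else:
            action = "no action"  # an email on a list alone does not trigger a change
        report[site] = {
            "action": action,
            "email_on_list": user in listed_emails,
            "shared_with": [s for s in sites_by_fp[fp] if s != site],
        }
    return report

if __name__ == "__main__":
    for site, finding in audit_vault(VAULT, LISTED_EMAILS, LISTED_PAIRS).items():
        print(site, finding)
```

Note that `forum.example` is flagged for an immediate change even though its own username was never paired with the password in the feed: it shares the exposed password with `mail.example`.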