It's become relatively common for databases to be breached and passwords to leak online, but it is usually the result of a hack. The latest discovery of usernames and other personal information online was apparently the result of carelessness by a spam operation, a security researcher says.
MacKeeper security researcher Chris Vickery revealed on his website Monday that he discovered more than 1.4 billion email accounts — linked directly to other personal information including real names, user IP addresses and physical addresses — collected by notorious spam syndicate River City Media.
River City Media did not reply to International Business Times requests for comment.
The massive record of personal information was first discovered in January, Vickery said, when he found a remote backup of the repository online, completely exposed and accessible without even password protection.
The leaked data was available due to a failed remote backup attempt, which left the data sitting exposed on a server for several months. Anyone who may have stumbled across it, including Vickery, was able to access internal chat logs and emails from the company, as well as its massive email list.
Vickery, along with members of MacKeeper Security Research Center, CSOOnline and cybersecurity intelligence firm Spamhaus, worked to confirm that the information in the database was accurate. Vickery reported he was able to confirm the authenticity of records by looking up people he knew who were listed in the database, though he noted some of the information was outdated.
According to Vickery, the collection of emails was likely amassed through a number of techniques employed by the spammers in order to reach as many people as possible. He pointed to a technique called "co-registration," which essentially gets people to willingly allow their information to by shared by burying text about it in a long terms-of-service agreement.
The exposed database also unveiled some of the ways that River City Media spammers did business. The company was able to manipulate security systems by sending emails to their own addresses to open connections with the servers before overwhelming them with upward of one billion emails sent per day.
The prolific spammers have used their skills to help aid in a number of marketing campaigns despite being listed on the Register of Known Spam Operations (ROKSO). River City Media has worked with Nike, Covergirl, AT&T, Gillette and Victoria’s Secret, though likely through third-party arrangements and not directly with the corporations themselves.
Vickery said he believes the discovery of the database will help put a stop to River City Media's operation, which has proven difficult to shut down in the past due to its overwhelming presence. But plenty of potential privacy concerns caused by the discovery of the database remain.