The FBI collected over 4.3 million email addresses during a January takedown of the Emotet botnet. The agency recently handed those email addresses to the Have I Been Pwned service to better alert victims. The service, owned and operated by Australian security researcher Troy Hunt, is a trusted breach alert service, underpinning the Mozilla breach-alert notification system.
Emotet had distributed banking trojans, ransomware, and other cyber threats through malspam and phishing campaigns since 2014. Its reign of terror came to an end in January when Netherlands law enforcement took control of key domains and servers. The Bundeskriminalamt (BKA), Germany's federal police agency, pushed an update to over 1.6 million infected computers to launch a kill switch for the malware.
Hunt said in a blog post that the FBI gave him “email credentials stored by Emotet for sending spam via victims’ email providers” and “web credentials harvested from browsers that stored them to expedite subsequent logins.”
The credentials were loaded into the Have I Been Pwned database as a single breach, even though it isn’t the typical kind of breach reported by the service. Have I Been Pwned currently lists over 11 billion “pwned” accounts from data breaches across the past decade, including a 2012 breach of MySpace and LinkedIn. The website also has a credential stuffing list of common passwords used to hack into accounts.
Hunt tagged the breach as “sensitive,” meaning that the addresses can’t be searched publicly.
“I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet,” Hunt explains. “All impacted HIBP subscribers have been sent notifications already.”