Emotet botnet harvested 4.3 million email addresses. Now the FBI is using Have I Been Pwned to alert the victims

The law enforcement agency is working with the data breach service to alert people that their information may have been harvested by the botnet.
Written by Liam Tung, Contributing Writer

The FBI has handed over 4.3 million email addresses that were harvested by the Emotet botnet to the Have I Been Pwned (HIBP) service to make it easier to alert those affected. 

HIBP, run by Australian security researcher Troy Hunt, is a widely trusted breach-alert service that underpins Mozilla Firefox's own breach-alert notifications.

The FBI collected the email addresses from Emotet's servers, following a takedown in January. The Emotet malware botnet was taken down by law enforcement in the US, Canada and Europe, disrupting what Europol said was the world's most dangerous botnet that had been plaguing the internet since 2014. 


Emotet was responsible for distributing ransomware, banking trojans and other threats through phishing and malware-laden spam. 

In January, law enforcement in the Netherlands took control of Emotet's key domains and servers, while Germany's Bundeskriminalamt (BKA) federal police agency pushed an update to about 1.6 million computers infected with Emotet malware that this week activated a kill switch to uninstall that malware.   

Hunt says in a blogpost that the FBI handed him "email credentials stored by Emotet for sending spam via victims' mail providers" as well as "web credentials harvested from browsers that stored them to expedite subsequent logins". 

The email addresses and credentials have been loaded into HIBP as a single "breach", even though it is not the typical data breach for which the site collects credentials and email addresses.

HIBP currently contains 11 billion 'pwned' accounts from a range of data breaches that have happened over the past decade, such as MySpace and LinkedIn's 2012 breach, as well as huge credential-stuffing lists found on the internet that are used by criminals to hijack accounts with previously breached email addresses and passwords. Credential stuffing takes advantage of people using common passwords like 1234567, or reusing passwords across multiple accounts.  


Hunt has tagged this breach as "sensitive" on HIBP, which means the email addresses are not publicly searchable. 

"HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched," the site states in its definition of "sensitive breach".

"Individuals will either need to verify control of the address via the notification service or perform a domain search to see if they're impacted," noted Hunt. 

"I've taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet," he added. "All impacted HIBP subscribers have been sent notifications already." ZDNet has reached out to Hunt who was not available at the time of publishing. 

For individuals or organisations that find their details in the data, Hunt suggests:

  1. Keep security software such as antivirus up to date with current definitions. 
  2. Change your email account password, and change passwords and security questions for any accounts you may have stored in either your inbox or browser, especially those for services such as banking.
  3. For administrators with affected users, refer to the YARA rules released by DFN Cert.