A huge spam operation involving a database of 1.37 billion email accounts combined with real names, user IP addresses and some physical address was discovered by Chris Vickery, a security researcher for MacKeeper, after the organization holding the data mistakenly failed to properly configure its backups, according to MacKeeper.
The data was collected by a group called River City Media (RCM), which is led by known spammers Alvin Slocombe and Matt Ferris, and which masquerades as a legitimate marketing firm offering free services like credit checks, educational opportunities and sweepstakes.
Vickery since shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies, which have been working with Vickery since January to examine the files. Through random sampling, Vickery verified some of the entries are accurate, though some appeared outdated.
The number is pretty staggering, and researchers suspect in addition to making phony free offers to gather the addresses, RCM also used a process co-registration, which secretly gets people to agree to share their personal details when clicking the "Submit" or "I agree" box next to all the small text on a website, to collect the email addresses. The leaked data also exposed some of RCM’s attempts at probing vulnerable mail servers.
The incident demonstrates how easy it is for malicious organizations to collect the personal data floating around the internet. It’s also a reminder for companies to educate employees not to fall for "free offers" online that appear to good to be true.
Spam has received less attention over the years as ransomware and phishing schemes have become more dangerous and prominent. But spam is still prevalent, and a huge annoyance, especially as it becomes automated and clogs company networks with junk. RCM sends up to a billion messages a day to spam filters across the world, according to MacKeeper researchers.