Onliner Spambot leaks 711 million email addresses

Wednesday, 6 September, 2017

A treasure trove of 711 million email addresses have been harvested by a spambot called ‘Onliner’, putting millions of people at risk of criminal activity.

It’s thought the attack originated in Holland. Law enforcement agencies were contacted as soon as the leak was discovered, but as of 6 September 2017 the software is still up and running.

The spambot hoovers up email addresses so it can then send spam out to them, while stealing passwords enables those behind the attack to hack into user’s accounts.

Troy Hunt, owner of the haveibeenpwned (HIBP) website, warned that the attack is the biggest ever on record for this kind of cyber violation.

HIBP is a website that allows internet users to check if their personal data has been compromised by breaches.

Onliner Spambot leaks 711 million email addresses

Troy Hunt explained that it took examining 110 data breaches over two years to accumulate 711m addresses and here, astonishingly, we have that number in one fell swoop.

Writing in his blog, Hunt said: “Last week I was contacted by someone alerting me to the presence of a spam list – a big one. I’ve loaded ‘big’ spam lists into HIBP before, the largest to date has been a mere 393m records.

“The one I’m writing about today is 711m, which makes it the largest single set of data ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.

“The unfortunate reality for all of us is our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of enormous overseas wealth (if only we make a small payment up front, of course).

That, unfortunately, is life on the web today.”

So what can you do now to make sure you’ve not been hit? Firstly, head over to Then, type in your email address and it will tell you if your email has been compromised. If so, it is strongly recommended that you immediately change your password.

It is recommended that you use a password manager and try as much as you can to create strong, unique passwords.

In fact, Hunt says: “Enable multi-step verification on everything you store online, this renders the credentials alone absolutely useless.”

MAIN IMAGE: Mike Mozart/Flickr

Tim Bamford author picture


Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.