Nearly 1.4 billion email account holders around the world face potential privacy breaches and fraud after a US-based email mass-marketing company publicly exposed their details online in an unprotected archive of files.
Chris Vickery, a security research expert with MacKeeper who discovered the archive in January described the company that mishandled the archive as an “illegal spamming operation” after making a close examination of its contents.
In a blog post on the MacKeeper web site, Mr Vickery described the archive and its contents as “the backbone of operations” for River City Media (RCM). Mr Vickery wrote that the archive contained emails, the real names of the people behind them, and in some cases their physical addresses.
Mr Vickery was unable to verify that the list, containing 1.36bn email addressed, was authentic but wrote in the blog that he could ascertain that many details in the list were real by comparing them against those of people he knew personally.
If the list is found to be authentic, then Mr Vickery could have stumbled across one of the largest international privacy breaches in recent history.
“The natural response is to question whether the data set is real. That was my initial reaction. I’m still struggling with the best software solution to handle such a voluminous collection, but I have looked up several people that I know and the entries are accurate,” Mr Vickery wrote.
Mr Vickery wrote that he had reported his findings to law enforcement authorities and described them as being “interested in the matter”.
The archive contained more than just email account data. It also contained a chat log that appeared to demonstrate that RCM operatives deliberately used sophisticated techniques to temporarily break anti-spam measures in Gmail emails servers and squeeze large amounts of bulk email through them.
“Details of the even more abusive scripts and techniques have been forwarded on to Microsoft, Apple, and others,” Mr Vickery wrote.
Assuming the list is real, Mr Vickery speculated that the emails were most likely collected by dubious means as part of an illicit trade in such lists for spamming purposes.
“Well-informed individuals did not choose to sign up for bulk advertisements over a billion times,” Mr Vickery speculated in his blog.
Rather, he believes, that is more likely the list was generated from collecting details of internet users who sign up to web sites and unwittingly agree to share their details with its affiliates.
Not-for-profit anti-spam group, Spamhaus, has reportedly blocked access to all of RCM's infrastructure.