Named and shamed: Mass marketer leaves 1.36bn emails exposed online

Nearly 1.4 billion email account holders around the world face potential privacy breaches and fraud after a US-based email mass-marketing company publicly exposed their details online in an unprotected archive of files.

Chris Vickery, a security research expert with MacKeeper who discovered the archive in January, described the company that mishandled the archive as an “illegal spamming operation” after making a close examination of its contents.

In a blog post on the MacKeeper web site, Mr Vickery described the archive and its contents as “the backbone of operations” for River City Media (RCM). Mr Vickery wrote that the archive contained emails, the real names of the people behind them, and in some cases their physical addresses.

Mr Vickery was unable to verify that the list, containing 1.36bn email addresses, was authentic but wrote in the blog that he could ascertain that many details in the list were real by comparing them against those of people he knew personally.

If the list is found to be authentic, then Mr Vickery could have stumbled across one of the largest international privacy breaches in recent history.

“The natural response is to question whether the data set is real. That was my initial reaction. I’m still struggling with the best software solution to handle such a voluminous collection, but I have looked up several people that I know and the entries are accurate,” Mr Vickery wrote.

Mr Vickery wrote that he had reported his findings to law enforcement authorities and described them as being “interested in the matter”.

The archive contained more than just email account data. It also contained a chat log that appeared to demonstrate that RCM operatives deliberately used sophisticated techniques to temporarily break anti-spam measures in Gmail email servers and squeeze large amounts of bulk email through them.

“Details of the even more abusive scripts and techniques have been forwarded on to Microsoft, Apple, and others,” Mr Vickery wrote.

Assuming the list is real, Mr Vickery speculated that the emails were most likely collected by dubious means as part of an illicit trade in such lists for spamming purposes.

“Well-informed individuals did not choose to sign up for bulk advertisements over a billion times,” Mr Vickery speculated in his blog.

Rather, he believes it is more likely that the list was generated by collecting details of internet users who sign up to web sites and unwittingly agree to share their details with the sites' affiliates.

The not-for-profit anti-spam group Spamhaus has reportedly blocked access to all of RCM's infrastructure.

Stories by Andrew Colley