Alleged spammer leaks 1.37bn email addresses after backup catastrophe

In January, MacKeeper researcher Chris Vickery stumbled upon a backup repository containing a mixture of files and a database of 1.37bn email addresses sitting on a server in an unprotected state.

Vickery quickly realised that this was more than a run-of-the-mill data breach because the victim was River City Media (RCM), a company which presents itself as a legitimate marketing while allegedly being a front for a spamming on a massive scale.

Eye-catching enough, but there was more: the files appeared to reveal the secrets of RCM’s entire spamming operation right down to accounting notes planning, affiliations, and even techniques for defeating Gmail’s anti-spam layers using what Vickery likens to a clever variation on the Slowloris DDoS attack.

There were also chat logs referring to what sounded like chicanery. Says Vickery:

I say illegal hacking due to the presence of scripts and logs enumerating the groups’ many missions to probe and exploit vulnerable mail servers. […] Details of the even more abusive scripts and techniques have been forwarded on to Microsoft, Apple, and others.

On that basis, Vickery appears to have discovered more than enough smoking guns to land RCM and its founders in serious hot water should the authorities get involved. The next issue is where the company got hold of the nearly 1.4bn email addresses and who they belong to.

Even allowing for duplicates and dead ends, a database of almost 1.4bn people sounds like a spamming crown jewels, with a sizable portion including full names, addresses and even IP addresses.

However it was assembled, the database appeared to have been left exposed for some weeks before Vickery found it so in theory could now be in anyone’s hands. So how did such an extraordinary data breach even occur?

The most likely culprit is a naïve use of rsync, a handy Linux utility for synchronising entire servers that should ideally be piped through SSH with any repositories carefully secured against prying eyes. It’s often set as an automatic process so anyone not verifying the backup or sync regime might not realise that something has gone off kilter.

Says Vickery:

Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling.

Before anyone gloats, organisations similarly undone by the same rsync woe include a Canadian ISP and the DownForce IndyCar racing forum, both also uncovered by Vickery. The problem may be more common than anyone realises.

Vickery’s discoveries serve as a reminder that not all big data breaches are caused by hackers: indeed, a small but noteworthy minority number seem to have at their root something as simple as weak synchronisation backup.