Jonathan Vanian, Fortune, comments, “It’s bad enough we have to worry about spam emails promising discount medications and other shady deals. Now we have to be concerned that the spammers don’t accidentally leak user data they probably dubiously obtained.”
To give you a sense of River City's scope and scale, some of the documents left exposed by the hack detail that on a single day of operation, the company was responsible for sending more than 18 million messages to Gmail users and 15 million messages to AOL users, netting it a little over $36,000. That amounts to more than thirteen million dollars over the course of the year.
The database exposed by the breach was found by security researchers Chris Vickery and Steve Ragan of MacKeeper and CSOOnline, respectively, who discovered it on an open server without the benefit of even rudimentary password protection. It was literally sitting in plain sight, for all the world to see.
How were 1.4 billion email addresses collected by River City Media? Chris Vickery, MacKeeper, says, “The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the ‘Submit’ or ‘I agree’ box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.”
Not only did the exposed database contain a great deal of proprietary information about how the company is run, but it also included some 1.4 billion user records containing email addresses, passwords, physical addresses, phone numbers, IP addresses and more.
Given the sheer size of the database, odds are good that your name is on it. Even if it isn’t, it’s almost a certainty that you know someone whose name is on it.
The Guardian reports, “Anti-spam organisation Spamhaus, working alongside MacKeeper and Vickery, has used the information contained in the leak to add River City Media’s details to its database, blacklisting the firm’s entire infrastructure.”
Needless to say, in light of this discovery, it’s time to change your passwords again. All of them. And if you’re one of the multitude of users still logging in with the same password across multiple websites, it’s well past time to change your approach. As this breach demonstrates, it’s just a matter of time before you fall victim to identity theft.