620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

When I do haveibeenpwned on my work domains and personal domains, they are the same situation.

Either nonsense, made-up-hex-looking usernames, or off-by-ones in the database (e.g., etc., where someone can't write a spam database program properly and it jumbles things up). I also get valid-looking but never-been-present usernames on my domain (e.g. where genuinelookingname was probably associated with domains *similar* to mine, but not actually mine), etc.

There's a lot of junk. A lot of those accounts may have been valid at some point but not any longer. Most people barely keep an email account more than a handful of years, in my experience. Mine is over 22 years old, though, and still going - because I bought the domains and just forward to Hotmail/Gmail/SquirrelMail/my own server/whatever was trendy at the time to actually *read* the email.

In that time, you'd expect my domain to be spammed to oblivion with all those old accounts. A couple of companies have been compromised in the past, so those email addresses crop up quite a lot (because spammers just copy other spammers' old databases). Things like addresses I used on Usenet and mailing lists are spammed all the time. Anything used in plain text on a website (e.g. contact addresses, etc.). But most of the spam is literally made-up or false junk @mydomain.

I'd estimate there are 100 addresses on my domain that are actually valid. Of those about 3-4 are compromised or spammed. About 10 or so I've blackholed for either being spammed or other reasons. But my server sees attempts to deliver to several thousand emails every day that have never actually existed at my domain.

The best bit of such a system - compromise the database, grab the email and password from some ancient account from a defunct company... now try to apply that anywhere else on the net apart from that company's services. Even if I've re-used that password elsewhere (e.g. forum accounts that I just don't care about and that hold no information on me), you can't even start to guess the email I actually used to sign up with for, say, PayPal or Amazon or whatever, so you couldn't re-use that password anyway.

617m account details would, if I applied statistics, probably relate to less than a million real accounts that are active. Some of those would probably be shared. Most of them would be bog-useless to do anything other than send a spam email (e.g. if you got into my Reg account... what exactly could you do with it? Post a dodgy comment?).

