The threat actors behind the notorious Emotet botnet managed to collect over four million victim email addresses over the past few years, it has emerged.
The news came from Troy Hunt, Microsoft regional director and founder of breach notification site HaveIBeenPwned.
The FBI recently reached out to Hunt to ask if the site could be used as an intermediary to help those concerned they may have been affected to check their emails against the trove.
“In all, 4,324,770 email addresses were provided which span a wide range of countries and domains,” Hunt explained in a new blog post.
“The addresses are actually sourced from two separate corpuses of data obtained by the agencies during the takedown: email credentials stored by Emotet for sending spam via victims' mail providers; and web credentials harvested from browsers that stored them to expedite subsequent logins.”
Hunt advised any individual who finds their email was in possession of Emotet to ensure their anti-malware is up-to-date, and to change their email account password as well as any passwords and security questions for accounts that might have been stored in their inbox or browser.
“For administrators with affected users, refer to the YARA rules released by DFN Cert, which include rules published by the German BKA,” he added.
Other best practice security tips also apply, including the use of two-factor authentication where possible, and strong unique passwords stored in a password manager, as well as prompt patching of all OS and software.
Emotet was finally disrupted back in January after action from the FBI and European police. Last Sunday law enforcers delivered an update to the botnet designed to erase the malware from all infected machines globally.
However, with some of the group still at large, experts believe it’s only a matter of time before they come back with an improved version of the malware.