Scans of a huge botnet have revealed that it has harvested at least 16 million usernames and passwords for email sites and other online services, according to a report released by German security agency, the Bundesamt für Sicherheit in der Informationstechnik (BSI).
The agency has not revealed what malware is behind the attack, which is also sending spam from the infected computers, according to The Register’s report. It's also not clear what the email-password combinations provide access to.
Tim Griese, a spokesman for BSI, said that although around half of those affected are German email addresses (i.e. from the German .de domain), there are also .com addresses on the list, according to PC World's report.
Griese said, “We can’t tell more about the background,” while the investigation was ongoing, and this was also the reason that the BSI had not released details on which botnet was involved, or which malware was behind the attack.
The BSI’s FAQ says that users who are affected should check their computer, and other computers in the home, for malware, and that, “Users should change all passwords they use to log on to social networking sites, online shops, email accounts and other online services.”
According to The Inquirer’s report, a website (German-language only at present) allows users to check whether their email is among the list of victims.
Pasting an address into a box on the site results in the BSI sending victims an email with a code displayed on screen - a move which should prevent the cybercriminals sending fake emails masquerading as the BSI. “This reply e-mail also contains recommendations on necessary protective measures,” the agency said.
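As an added illustration (not the BSI's own code, and not a description of its internals), the following Python sketch models the check just described: a lookup of an address against a constructed sample list, and a reply mail that carries the same code shown on screen, so the recipient can tell the genuine reply from an imitation. Storing the list as hashes rather than plaintext addresses is an assumption about sensible practice, not something the report states.

```python
import hashlib
import secrets

# Constructed sample of addresses "known" to be on the leaked list. Stored as
# SHA-256 digests of the normalised address so the lookup service itself does
# not hold a plaintext victim list (assumed good practice, not BSI's design).
LEAKED_DIGESTS = {
    hashlib.sha256(addr.encode()).hexdigest()
    for addr in ("victim@example.de", "someone@example.com")
}

# Outstanding checks: code shown on screen -> normalised address that asked.
PENDING = {}


def normalise(address: str) -> str:
    """Trim and lower-case so 'Victim@Example.DE ' matches the stored digest."""
    return address.strip().lower()


def is_affected(address: str) -> bool:
    digest = hashlib.sha256(normalise(address).encode()).hexdigest()
    return digest in LEAKED_DIGESTS


def start_check(address: str):
    """Return (code_for_screen, email_body).

    The code is rendered in the browser and repeated in the mail, so only the
    service that produced the page can send a mail that matches it. Per the
    report, a mail is only sent to addresses that are on the list, so the
    body is None for everyone else."""
    code = secrets.token_hex(4).upper()          # 8 hex characters
    PENDING[code] = normalise(address)
    if not is_affected(address):
        return code, None
    body = (f"Verification code: {code}\n"
            "Your address is on the list. Check every computer in your home "
            "for malware and change all passwords you use for email, social "
            "networks, online shops and other online services.")
    return code, body


def email_matches_screen(code_on_screen: str, email_body: str) -> bool:
    """What the recipient does: compare the code in the mail with the one the
    page displayed. A mail that lacks the expected code is treated as fake."""
    first_line = email_body.splitlines()[0] if email_body else ""
    return first_line == f"Verification code: {code_on_screen}"
```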
Under German law it is illegal for the government to contact users directly, even in cases such as this, according to PC World’s report.
ESET Senior Research Fellow David Harley says: “Where your login credentials have been revealed, it’s obviously a good idea to change your password. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him (of course, they may not be sites of interest to you). So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”