FBI hands over four million compromised email addresses from Emotet to Have I Been Pwned

Three months ago, law enforcement agencies from across the planet worked together to bring down Emotet, one of the world's most infamous botnets.

This action resulted in huge numbers of compromised email addresses being obtained by the various agencies, and the FBI has now offered these to Have I Been Pwned (HIBP) to make it easier for anyone to check if their information was harvested and used by Emotet.

Troy Hunt, the brains behind Have I Been Pwned, explains:

Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet. This isn't the first time HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police using it for similar purposes a few years earlier.

The FBI has handed over 4,324,770 email addresses from a wide range of countries and domains and these come from two separate bodies of data obtained during the takedown.

The first is made up of email credentials used by Emotet to send spam, and the second is stored web credentials harvested from browsers.

Unlike compromised credentials from most breaches, this data is not publicly searchable. Hunt has flagged this incident as sensitive in HIBP to prevent anyone who has been included in Emotet from being targeted.

To check if your data is included you will need to verify ownership of the address via the notification service or perform a domain search.

Photo credit: ruskpp / Shutterstock