Alert Priority MEDIUM: 12.5 million Australian email accounts leaked online

31 August 2017


The email addresses of 711 million people have been published online, and include those of 12.5 million Australians.

The personal data has been dumped on a server called Onliner Spambot, which has been used since 2016 to spread malware that steals banking details and to infect people’s computers so that they send out viruses and spam (unwanted emails).

The two types of data on the Onliner Spambot server are:

  • Email addresses. These are used to send spam, which may contain malicious links. For example, one email sent by the server purported to be from Roads and Maritime in NSW and related to E-tags for paying tolls. Because the email looked as if it came from a legitimate source, unsuspecting users could click on the link and go through to a bogus website to pay.
  • Email addresses and passwords. These are used to send spam from the users’ own accounts through their internet provider’s mail servers, so the messages look genuine and bypass anti-junk measures.

It is thought the email addresses with passwords match those leaked in the 2012 LinkedIn data breach, and that two million addresses come from a Facebook phishing campaign. Some email addresses appear to have been scraped from websites and are incorrect.

Find out if your email address has been breached

To find out if your email address has been published in a data breach, go to HaveIBeenPwned and follow the prompts.

What you should do now

If you find that your email has been breached, change your password immediately.

Ways to protect yourself

  • Create strong and unique passwords and don’t use the same password for multiple online accounts.
  • Use a password manager.
  • Understand that scams exist and use caution online.
  • Criminals may use information they gather about you from social media in order to make their messages more appealing or appear more authentic.
  • Don’t open messages or click on links if you don’t know the sender.
  • Avoid malicious messages—don’t share your email address online unless you need to.

What to do if your identity is stolen

  • Notify your financial institutions.
  • Change your passwords.
  • Notify the relevant websites.
  • Request a credit report from a reputable credit reference bureau.

More information

Find out more about creating strong passwords and protecting your information online at Stay Smart Online.

This information has been prepared by the Attorney General’s Department (‘the Department’). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.

© 2017 Australian Government. All rights reserved