12.5 million Australian email accounts leaked online

Priority Level: 
31 August 2017

The email addresses of 711 million people have been published online, and include those of 12.5 million Australians.

The personal data has been dumped on a server called Onliner Spambot, which since 2016 has been used to spread malware to steal banking details, and infect people’s computers so they send out viruses and spam (unwanted emails).

The two types of data on the Onliner Spambot server are:

  • Email addresses. These are used to send spam, and the spam emails may contain malicious links. For example, one email sent by the server purported to be from Roads and Maritime in NSW and related to E-tags for paying tolls. Because the email looked as if it came from a legitimate source, unsuspecting users could click on the link and go through to a bogus website to pay.
  • Email addresses and passwords. These are used to send spam from user accounts using their internet provider’s mail servers so they look genuine and bypass anti-junk measures.

It is thought the email addresses with passwords match those leaked in the 2012 LinkedIn data breach, and that two million addresses come from a Facebook phishing campaign. Some email addresses appear to have been scraped from websites and are incorrect.

Find out if your email address has been breached

To find out if your email address has been published in a data breach, go to HaveIBeenPwned and follow the prompts.

What you should do now

If you find that your email has been breached, change your password immediately.

Ways to protect yourself

  • Create strong and unique passwords and don’t use the same password for multiple online accounts.
  • Use a password manager.
  • Understand that scams exist and use caution online. 
  • Criminals may use information they gather about you from social media in order to make their messages more appealing or appear more authentic.
  • Don’t open messages or click on links if you don’t know the sender.
  • Avoid malicious messages—don’t share your email address online unless you need to.

What to do if your identity is stolen

  • Notify your financial institutions.
  • Change your passwords.
  • Notify the relevant websites.
  • Request a credit report from a reputable credit reference bureau. 

More information

Find out more about creating strong passwords and protecting your information online at Stay Smart Online.