The U.S. Department of Justice is accusing three men of being responsible for, or profiting from, what it calls “the largest data breach of names and email addresses in the history of the Internet.”
The indictments against two Vietnamese citizens and a Canadian citizen — operating from Vietnam, the Netherlands, and Canada — alleges the trio were involved in hacking at least eight U.S. email service providers, spamming tens of millions of email recipients, getting money from affiliate relationships for spammed products, and laundering the proceeds.
“The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers,” U.S. Assistant Attorney General Caldwell said in a statement. “This case again demonstrates the resolve of the Department of Justice to bring accused cyber hackers from overseas to face justice in the United States.”
The Department of Justice (DOJ) estimates the accused allegedly took in approximately $2 million through the affiliate marketing sales linked to spam. One of the three is said to have already pleaded guilty.
While the DOJ isn’t naming whose email data was breached, the blog Krebs on Security suspects it ties back to the hack of email marketing giant Epsilon in 2011. Epsilon and other email marketing management firms may have been the initial targets, and the indictments say the spam was allegedly sent by then hijacking the servers of the email service providers.
The firms, Krebs notes, “send email to customers on behalf of some the biggest firms in the world.” In the case of the 2011 breach, “Epsilon didn’t name which ESPs were impacted, but the voluminous complaints from consumers about spam indicated that those ESPs served a broad range of major companies, including JP Morgan Chase, U.S. Bank, Barclays, Kroger, McDonalds, Walgreens, and Honda, to name but a few.”
Retailer Eddie Bauer also was affected, and notified customers of the email address thefts at the time.