There was an article published a couple hours ago on TechCrunch that’s worth a read, it delves into a large spam operation and how it was used to send personalized spam email.
According to the article the emails were so convincing more than 100,000 people clicked through.
From the article:
Security researcher Bob Diachenko found the leaking data and with help from TechCrunch analyzed the server. At the time of the discovery, the spammer’s rig was no longer running. It had done its job, and the spammer had likely moved onto another server — likely in an effort to avoid getting blacklisted by anti-spam providers. But the server was primed to start spamming again.
Given there were more than three million unique exposed credentials sitting on this spammer’s server, we wanted to secure the data as soon as possible. With no contact information for the spammer — surprise, surprise — we asked the hosting provider, Awknet, to pull the server offline. Within a few hours of making contact, the provider nullrouted the server, forcing all its network traffic into a sinkhole.
Another tidbit in the article that might be worth checking out is the website, Have I Been Pwned
This website shows you all the times your email might have been misused.
I think a MAJOR area of “leakage” is from webhosting companies, many now based in India and I am 101% CERTAIN they use their clients data and sell email addresses they glean from their servers. I tried by setting up a fake email that I NEVER publicised and within 1 week started receiving SPAM emails.
IF anyone knows a 100% secure, bonafide webhost then please let us know.