FBI Offers Millions of Emotet Compromised Credentials to Have I Been Pwned


The FBI has offered millions of passwords obtained from seized Emotet malware domains to HIBP (Have I Been Pwned) to make it easier to alert impacted users and companies.

Law enforcement took down most of the Emotet infrastructure in one of the most significant collaborative efforts, gathering authorities from Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

Attackers used hundreds of servers across the world as command and control centers, but the efforts of the authorities and a new approach allowed them to dismantle the entire system from inside. During this process, law enforcement identified 4,324,770 compromised email addresses, which they now offer to the HIBP service.

“Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet,” said security researcher Troy Hunt, who’s running HIBP. “This isn’t the first time HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police using it for similar purposes a few years earlier.”

There are actually two different sets of email addresses: one used by Emoted to send spam and another of emails harvested from browsers. As usual, the security measures and possible mitigations remain the same for data breaches.

If people or companies discover that their emails have been compromised, they should change the credentials as soon as possible, along with security questions. This also applies to credentials of online services stored in compromised systems. Of course, having an up-to-date and powerful security solution running on all devices is paramount.