Science

Bell breach may have exposed over 1 million new email addresses to phishing and spam

According to one estimate, 60 per cent of the leaked email addresses haven't appeared in prior data breaches, giving attackers a potential source of new data.

An estimate suggests 60% of the leaked email addresses haven't appeared in other data breaches before

The stolen files containing the Bell email addresses are available online and may be of interest to spammers and those who run phishing schemes. Use common sense and be vigilant about the links you click and the attachments that you open. (Frederic J. Brown/AFP/Getty Images)

Earlier this week, Bell confirmed that email addresses belonging to approximately 1.9 million customers and 1,700 phone numbers and names had been stolen by "an anonymous hacker."

Aside from informing affected customers in an email Tuesday morning, the company hasn't said much since. While it's still not clear how the breach happened, or when it took place, the breach doesn't seem as bad as it could have been. Fortunately, there were no passwords or financial information leaked. 

But there's still a lot that can be done with the email addresses that were obtained, mostly by spammers and those who run phishing schemes.

According to the breach-tracking website Have I Been Pwned? 60 per cent of the email addresses contained in the Bell breach were new. In other words, they hadn't been leaked in any of the previously leaked databases that are indexed by the site.

That means enterprising spammers and phishing attackers potentially have over one million new email addresses at their disposal.

What can you do? Not much, unfortunately, now that that files containing the email addresses are available online. But as always, use common sense, and be vigilant about the links you click and the attachments you open. If you're not expecting to receive a document or link from a friend, for example, pay extra attention to things like the sender's email address, or the URL in your browser's address bar — both of which can be cleverly crafted to appear legitimate, but may be fake.

And if you haven't already, check out Have I been pwned? for yourself. It's operated by computer security expert Troy Hunt — in other words, it's not some fly-by-night operation — and lets you see how many times your personal information has been leaked in previous data breaches affecting sites such as MySpace and LinkedIn.

If your email address has been leaked in a previous data breach, it's a good idea to change the password to your Bell account too, just in case. If you used a password on your Bell account that's the same as on a website that previously had its users' passwords leak, a determined attacker might be able to use that information to access your Bell account, too — which likely contains even more personal information about you than what was actually leaked this week.

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at [email protected]. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.