More than 700 million email addresses and a number of passwords have been leaked in what could be the biggest spambot dump ever seen.
The data dump is believed to have originated with a spambot called Onliner in the Netherlands.
The information was leaked after cyber criminals allowed visitors to their servers to download their database without needing a username or password.
Users of affected accounts are advised to change their passwords as soon as possible to avoid being further compromised.
Australian computer security expert Troy Hunt runs the website Have I Been Pwned (HIBP), which lets you check whether your account has been breached by leaks.
You can check if your account has been compromised on the Have I Been Pwned website.
He was the first to raise the alarm over the data dump.
The bot behind it is designed to spread malware that steals bank details and causes people’s devices to transmit the virus, as well as pumping out spam messages used by internet criminals in online scams.
Mr Hunt said that the 711 million records leaked ‘makes it the largest single set of data I’ve ever loaded into HIBP.’
Writing in a blog post today, he added: ‘Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.
‘The first place to start is with an uncomfortable truth: my email address is in there. Twice.
‘Finding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it.
‘I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went “ah, this helps explain all the spam I get”.’
The leak also contained millions of passwords, which may have been collected in an effort to break into email accounts and turn them to spam.
The majority of the passwords in the latest security breach appear to have been collated from previous leaks.
It said a hacker stole 117 million user emails and passwords in the breach – up from the 6.5 million user credentials that the company originally said were compromised.
Those 6.5 million passwords were reset in 2012 and the company advised the rest of its users to change their passwords too.
The hacker, who goes by the name ‘Peace,’ was trying to sell the passwords on the dark web for five bitcoins, or about $2,200 (£1,700), according to a Forbes report.
Cyber security experts say news such as this should serve as a reminder that passwords should be changed frequently, ideally every few months.