In another effort to mitigate the effects of the Emotet malware, the Federal Bureau of Investigation has shared 4.3 million email addresses stolen by the botnet with the Have I Been Pwned (HIBP) breach notification site.

According to computer security expert and HIBP creator Troy Hunt, the email addresses span a wide range of countries and domains and are actually sourced from two separate data corpuses obtained by the agencies during the takedown:

  • Email credentials stored by Emotet for sending spam via victims’ mail providers;
  • Web credentials harvested from browsers that stored them to expedite subsequent logins.

Hunt says the Emotet data will help victims take prompt action to ensure their online accounts have strong, unique passwords that are not reused across services.

As previously reported, on January 27th, 2021, Emotet botnet’s infrastructure has been taken down, effectively disrupting the spread of Emotet malware. This result was achieved as part of an international coordinated operation led by Europol and Eurojust. Law enforcement agencies from all across Europe, including Germany, Ukraine, France, Lithuania, the Netherlands, and the UK collaborated with authorities from the United States to take control of the cybercrime rink’s zombie computer servers.

On April 25th, with the help of the malware module delivered in January, Emotet was removed from all infected devices.

emotet takedown HIBP image heimdal security

Image Source: Europol

The fact that the FBI decided to add the email addresses on the HIBP platform means that there is a better chance for those affected by Emotet to be notified.

Hunt has flagged the data as “sensitive”, which means that users can enter any email address into HIBP to see if the email address has been exposed in any of the indexed breaches. However, Hunt restricts what HIBP returns for certain types of sensitive breaches, like Emotet. In those cases, users must check their email address or run a domain search.

(…) Individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted. I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet. All impacted HIBP subscribers have been sent notifications already.


As highlighted by Emotet’s long-standing history, repairing the damage inflicted by the Trojan when it burrows into your network can be quite expensive to deal with.

Together with the FBI, Hunt listed a few recommendations for those that find themselves affected by the malware:

  • Keep an updated security software (antivirus);
  • Change your email account password and security questions;
  • Use a password manager and create strong, unique passwords;
  • Use 2-factor authentication wherever available;
  • Keep operating systems and software patched;
  • Administrators with affected users should refer to the YARA rules released by DFN Cert, which include rules published by the German BKA.

Emotet Malware Over the Years: The History of an Infamous Cyber-Threat

End of An Era: Emotet Malware Uninstalled from All Infected Devices

Security Alert: Emotet Trojan Returns with New Waves of Spam Campaigns

Leave a Reply

Your email address will not be published. Required fields are marked *