WASHINGTON—Three men have been charged in what’s being called the biggest-ever e-mail address breach, according to the Justice Department.
The incident involved the theft of more than one-billion e-mail addresses from more than 100 different businesses, with at least 60-million consumers at risk of spam and phishing attacks as a result, according to the Justice Department.
Two of the mean who have been charged are now in custody, while the third remains at large. Charged are two Vietnamese citizens, Viet Quoc Nguyen (aka Vandehiu, Peter Nguyen), 28, and Giang Hoang Vu (aka Lee Vu), 25, who were both residing in the Netherlands. Both have been charged with hacking into U.S. e-mail service providers. In addition, David-Manuel Santos Da Silva (aka Jake Lusitano), 33, of Montreal has been charged with helping the two men knowingly convert stolen e-mail addresses into $2 million in profits via his affiliate-marketing company, called 21 Celsius, which operated a site called Marketbay.com.
"These men – operating from Vietnam, the Netherlands, and Canada – are accused of carrying out the largest data breach of names and e-mail addresses in the history of the Internet," said Assistant Attorney General Leslie R. Caldwell in a statement. "The defendants allegedly made millions of dollars by stealing over a billion e-mail addresses from e-mail service providers."
Nguyen was allegedly involved in data breaches at a number of e-mail service providers, including Epsilon Data Management, which notified customers in 2011 that its networks had been breached. Exposed were e-mail addresses for customers of banks such as Capital One, Chase, Citi, U.S. Bank and Visa, as well as customers of businesses ranging from Kroger and Marriott International to Verizon and Walgreens. Ultimately, e-mail addresses from more than 100 companies were reportedly exposed by the breach, the Justice Department said.
According to a 29-count indictment against Nguyen and Vu, which was filed in 2012 but not fully unsealed until last week, Nguyen - who's described as a "computer hacker" - targeted at least eight ESPs via phishing attacks from February 2009 until June 2012. When employees at the targeted ESPs opened the messages, their PCs were potentially infected with malware that created a backdoor on the system, allegedly allowing Nguyen to gain direct, unauthorized access to the system and download any customer data being stored there.
In other cases, authorities say that the phishing attacks resulted in a keylogger being installed, which intercepted account log-in information and routed it to the attackers. In some cases, the court documents say, Nguyen commandeered the hacked ESPs' systems to launch follow-on phishing attacks against other ESPs, Justice said.
Nguyen allegedly used tens of millions of stolen e-mail addresses in e-mail marketing campaigns that were designed to direct recipients to sites with which he was associated, according to court documents.