{
	"id": "7e2d4def-92a4-46e7-98cf-a257ef60e21a",
	"created_at": "2026-04-06T00:09:51.153444Z",
	"updated_at": "2026-04-10T03:20:02.169721Z",
	"deleted_at": null,
	"sha1_hash": "0df8c6b4f8bca25a280f7e7556f8d1a043dee246",
	"title": "Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41356,
	"plain_text": "Data From The Emotet Malware is Now Searchable in Have I Been\r\nPwned, Courtesy of the FBI and NHTCU\r\nBy Troy Hunt\r\nPublished: 2021-04-26 · Archived: 2026-04-05 22:26:16 UTC\r\nEarlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German\r\nFederal Criminal Police Office (BKA) and other international law enforcement agencies brought down what\r\nEuropol referred to as the world's most dangerous malware: Emotet. This strain of malware dates back as far as\r\n2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to\r\ncredential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before\r\neventually being brought to a halt in February.\r\nFollowing the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of\r\nalerting impacted individuals and companies that their accounts had been affected by Emotet. This isn't the first\r\ntime HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police\r\nusing it for similar purposes a few years earlier.\r\nIn all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses\r\nare actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown:\r\n1. Email credentials stored by Emotet for sending spam via victims' mail providers\r\n2. Web credentials harvested from browsers that stored them to expedite subsequent logins\r\nWe discussed loading these into HIBP as 2 separate incidents so they could be individually identified, but given\r\nthe remediation is very similar they've been loaded in as a single \"breach\". Prepared in conjunction with the FBI,\r\nfollowing is the recommended guidance for those that find themselves in this collection of data:\r\n1. 
Keep security software such as antivirus up to date with current definitions. I personally use Microsoft\r\nDefender which is free, built into Windows 10 and updates automatically via Windows Update.\r\n2. Change your email account password. Also change passwords and security questions for any accounts you\r\nmay have stored in either your inbox or browser, especially those of higher value such as banking.\r\n3. For administrators with affected users, refer to the YARA rules released by DFN Cert, which include rules\r\npublished by the German BKA.\r\nIn addition, all the old security best practices are obviously still important whether you find yourself in this\r\nincident or not: Use a password manager and create strong, unique passwords. Turn on 2 factor authentication\r\nwherever available. Keep operating systems and software patched.\r\nI've flagged this incident as sensitive in HIBP which means it's not publicly searchable, rather individuals will\r\neither need to verify control of the address via the notification service or perform a domain search to see if they're\r\nimpacted. I've taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet. All\r\nimpacted HIBP subscribers have been sent notifications already.\r\nTroy Hunt\r\nHi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP\r\nwho travels the world speaking at events and training technology professionals\r\nSource: https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi-and-nhtcu/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi-and-nhtcu/"
	],
	"report_names": [
		"data-from-the-emotet-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi-and-nhtcu"
	],
	"threat_actors": [],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0df8c6b4f8bca25a280f7e7556f8d1a043dee246.pdf",
		"text": "https://archive.orkl.eu/0df8c6b4f8bca25a280f7e7556f8d1a043dee246.txt",
		"img": "https://archive.orkl.eu/0df8c6b4f8bca25a280f7e7556f8d1a043dee246.jpg"
	}
}