It’s no accident that your inbox gets flooded with spam.
Spammers use armies of compromised computers and online accounts to disseminate malware, phishing lures, password-stealing webpages, knockoff drug ads, and social engineering attacks to prospective victims. Every additional infection or hijacked account grows the shady enterprise.
A security researcher based in Paris who goes by the online alias “Benkow” recently stumbled across a treasure trove of data—40 gigabytes worth—related to a notorious spambot, a computer program used to send spam, dubbed “Onliner.” The cache contains 711 email addresses and millions of hacked passwords, and it provides a glimpse inside the distribution channel of a vast cybercriminal operation.
In this case, “Benkow” uncovered the spambot’s command and control server, the machine that orchestrates a spam campaign’s activity, as ZDNet first reported on Tuesday. The server’s directory was open, meaning he was able to download all the data therein contained, as he explained in a post on his personal Google (GOOG) Blogspot website.
Benkow tipped off another well-known security researcher, Troy Hunt, who subsequently uploaded the information to his data breach aggregation site, haveibeenpwned.com. You can visit the site to see whether credentials related to your own email account were included in the dump. (Hunt’s were included.)
According to Hunt’s analysis, some portion of the 711 million email addresses were malformed, or invalid. He noted that all of the exposed passwords he tested originally leaked in an earlier breach of LinkedIn, meaning that the spammers were reusing data from past breaches—allowing them to take advantage of people who reuse login credentials or neglect to change their passwords after their exposure in security breaches—to fuel their operation.
Get Data Sheet, Fortune’s technology newsletter.
“Data breaches don’t end after the public disclosure,” said Jim Walter, senior research scientist at Cylance, an antivirus startup, in an email to Fortune. “Leaked/breached data can continue to live on and be used, reused, sold, re-sold, etc. for purposes just as described here.”
Phil Tully, principal data scientist at ZeroFOX, a social media security startup, concurred. “As users notoriously set identical or highly-similar passwords across different digital channels, attackers are able to use them to pivot to a victim’s other social, email, retail or banking accounts, compounding the initial damage,” he said in an email.
Some advice: Secure your online accounts using multi-factor authentication (security keys, random number generating apps, or phone messages, in descending order of security). Generate and store long, complex, unique passwords in password manager apps. And check to see whether you’ve been compromised in haveibeenpwned.com. (If you have, best to switch up your login credentials.)
“[F]inding yourself in this data set unfortunately doesn’t give you much insight into where your email address was obtained from nor what you can actually do about it,” wrote Hunt in a blog post on his website. “I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went ‘ah, this helps explain all the spam I get.'”