COMB: largest breach of all time leaked online with 3.2 billion records

It's being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. While many data breaches and leaks have plagued the internet in the past, this one is exceptional in the sheer size of it. To wit, the entire population of the planet is at roughly 7.8 billion, and this is about 40% of that.

However, when considering that only about 4.7 billion people are online, COMB would include the data of nearly 70% of global internet users (if each record was a unique person). For that reason, users are recommended to immediately check if their data was included in the leak. You can head over to the CyberNews personal data leak checker now.

CyberNews was the first leak database to include the COMB data. Since COMB was first released, nearly 1 million users have checked our personal data leak checker to see if their data was included in the biggest breach compilation of all time.

So how did the COMB data leak happen?

On Tuesday, February 2, COMB was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked.

However, the current breach, known as “Compilation of Many Breaches” (COMB), contains more than double the unique email and password pairs. The data is currently archived and put in an encrypted, password-protected container.

The leaked database includes a script named count_total.sh, which was also included in 2017’s Breach Compilation. This breach also includes two other scripts: query.sh, for querying emails, and sorter.sh for sorting the data.

After running the count_total.sh script, which is a simple bash script to count the total lines in each of the files and add them together, we can see there are more than 3.27 billion email and password pairs:

We are currently adding the new COMB emails to our Personal Data Leak Checker. The CyberNews Personal Data Leak Checker has the largest database of known breached accounts, helping users know if their data has possibly fallen into the hands of cybercriminals.

Check out our personal data leak checker now to see if your email address has been exposed in this or previous leaks.

This does not appear to be a new breach, but rather the largest compilation of multiple breaches. Much like 2017’s Breach Compilation, COMB’s data is organized by alphabetical order in a tree-like structure, and it contains the same scripts for querying emails and passwords.

In the screenshots attached with the leak, the organization of the data can be seen, as well as the type of data released. Below, the data has been blurred by CyberNews:

At the moment, it is unclear what previously leaked databases are collected in this breach. Samples seen by CyberNews contained emails and passwords for domains from around the world.

Netflix, Gmail, Hotmail logins included in COMB

Because COMB is a quick, searchable, well-organized database of past major leaks, it naturally contains past leaks. This includes major leaks from popular services such as Netflix, Gmail, Hotmail, Yahoo and more.

Based on our analysis of the breached data, there are approximately 200 million Gmail addresses and 450 million Yahoo email addresses in the COMB data leak.

In 2015, The Independent reported on an apparent "Netflix hack" where cybercriminals were able to log into Netflix users' accounts worldwide. However, Netflix has never admitted to being hacked, and this is more likely a casualty of the fact that users often use the same passwords for different accounts.

This is why it's important to use a unique password for each account you create. CyberNews has a strong password generator that you can use to create strong, unique passwords.

Similarly, Gmail never had a data breach of its own. Instead, this is most likely related to people using their Gmail email addresses on other breached websites or services.

On the other hand, Microsoft confirmed that between January and March 2019, hackers were able to access a number of consumer Outlook.com, Hotmail and MSN Mail email accounts.

But perhaps the biggest big-name data breach happened to Yahoo. While it was reported in 2016, the breach actually happened at the end of 2014. In that Yahoo breach, the company confirmed that all 3 billion of its users' accounts had been impacted.

It appears that not all data from past Yahoo and Hotmail/Microsoft breaches have been included in COMB. Nonetheless, it is possible that the list has been cleaned of dead credentials, which is why it's crucial that users check if their data has been leaked.

Similar to Breach Compilation

This current leaked database appears to build on 2017’s Breach Compilation. In that leak, intelligence analysts at 4iQ discovered a single file database with 1.4 billion email and password pairs, all in plaintext.

At the time, this was considered the largest credential breach exposure, almost two times larger than the previous largest credential exposure from Exploit.in which had nearly 800 million records.

2017’s Breach Compilation contained 252 previous breaches, including the aggregated ones from the previous Anti Public and Exploit.in dumps, as well as LinkedIn, Netflix, Minecraft, Badoo, Bitcoin and Pastebin. However, when they analyzed the data, they found that “14% of exposed username/passwords pairs had not previously been decrypted by the community and are now available in clear text.”

When 4iQ discovered the Breach Compilation, they tested a small subset of the passwords for verification, and most of the tested passwords worked. The intelligence analysts state that they found the 41GB dump on December 5, 2017, with the latest data updated on November 29, 2017.

They also remarked that the leak was not just a list, but rather an “interactive database” that allowed for “fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”

It is unclear what the repercussions of the Breach Compilation have been.

Possible impact

The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks is the biggest threat.

If users use the same passwords for their LinkedIn or Netflix as they do their Gmail accounts, attackers can pivot to other more important accounts.

Beyond that, users whose data has been included in Compilation of Many Breaches may become victims of spear-phishing attacks, or they may receive high levels of spam emails.

In any case, users are normally recommended to change their passwords on a regular basis, and to use unique passwords for every account. Doing so – creating and remembering unique passwords – can be quite challenging, and we recommend users get password managers to help them create strong passwords.

And, of course, users should add multi-factor authentication, like Google Authenticator, on their more sensitive accounts. That way, even if an attacker has their username and password, they won't be able to get into their accounts.

We will continue to analyze the data as the story unfolds.

Update February 12: This article was updated to add new analysis of the Gmail and Yahoo domains contained within the COMB database, as well as how many users have checked their data on CyberNews' data leak checker.

Build your secure personal and business online presence