It’s being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. While many data breaches and leaks have plagued the internet in the past, this one is exceptional in the sheer size of it. To wit, the entire population of the planet is at roughly 7.8 billion, and this is about 40% of that.
However, when considering that only about 4.7 billion people are online, COMB would include the data of nearly 70% of global internet users (if each record was a unique person). For that reason, users are recommended to immediately check if their data was included in the leak. You can head over to the CyberNews personal data leak checker now.
CyberNews was the first leak database to include the COMB data. Since COMB was first released, nearly 1 million users have checked our personal data leak checker to see if their data was included in the biggest breach compilation of all time.
So how did the COMB data leak happen?
On Tuesday, February 2, COMB was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked.
However, the current breach, known as “Compilation of Many Breaches” (COMB), contains more than double the unique email and password pairs. The data is currently archived and put in an encrypted, password-protected container.
The leaked database includes a script named count_total.sh, which was also included in 2017’s Breach Compilation. This breach also includes two other scripts: query.sh, for querying emails, and sorter.sh for sorting the data.
After running the count_total.sh script, which is a simple bash script to count the total lines in each of the files and add them together, we can see there are more than 3.27 billion email and password pairs:
We are currently adding the new COMB emails to our Personal Data Leak Checker. The CyberNews Personal Data Leak Checker has the largest database of known breached accounts, helping users know if their data has possibly fallen into the hands of cybercriminals.
Check out our personal data leak checker now to see if your email address has been exposed in this or previous leaks.
This does not appear to be a new breach, but rather the largest compilation of multiple breaches. Much like 2017’s Breach Compilation, COMB’s data is organized by alphabetical order in a tree-like structure, and it contains the same scripts for querying emails and passwords.
In the screenshots attached with the leak, the organization of the data can be seen, as well as the type of data released. Below, the data has been blurred by CyberNews:
At the moment, it is unclear what previously leaked databases are collected in this breach. Samples seen by CyberNews contained emails and passwords for domains from around the world.
Netflix, Gmail, Hotmail logins included in COMB
Because COMB is a quick, searchable, well-organized database of past major leaks, it naturally contains past leaks. This includes major leaks from popular services such as Netflix, Gmail, Hotmail, Yahoo and more.
Based on our analysis of the breached data, there are approximately 200 million Gmail addresses and 450 million Yahoo email addresses in the COMB data leak.
In 2015, The Independent reported on an apparent “Netflix hack” where cybercriminals were able to log into Netflix users’ accounts worldwide. However, Netflix has never admitted to being hacked, and this is more likely a casualty of the fact that users often use the same passwords for different accounts.
This is why it’s important to use a unique password for each account you create. CyberNews has a strong password generator that you can use to create strong, unique passwords.
Don't let another data breach scare you. Password managers create not only strong and unique passwords, but they'll also alert you when your credentials have been leaked.
Learn more about password managers
Similarly, Gmail never had a data breach of its own. Instead, this is most likely related to people using their Gmail email addresses on other breached websites or services.
On the other hand, Microsoft confirmed that between January and March 2019, hackers were able to access a number of consumer Outlook.com, Hotmail and MSN Mail email accounts.
But perhaps the biggest big-name data breach happened to Yahoo. While it was reported in 2016, the breach actually happened at the end of 2014. In that Yahoo breach, the company confirmed that all 3 billion of its users’ accounts had been impacted.
It appears that not all data from past Yahoo and Hotmail/Microsoft breaches have been included in COMB. Nonetheless, it is possible that the list has been cleaned of dead credentials, which is why it’s crucial that users check if their data has been leaked.
Similar to Breach Compilation
This current leaked database appears to build on 2017’s Breach Compilation. In that leak, intelligence analysts at 4iQ discovered a single file database with 1.4 billion email and password pairs, all in plaintext.
At the time, this was considered the largest credential breach exposure, almost two times larger than the previous largest credential exposure from Exploit.in which had nearly 800 million records.
2017’s Breach Compilation contained 252 previous breaches, including the aggregated ones from the previous Anti Public and Exploit.in dumps, as well as LinkedIn, Netflix, Minecraft, Badoo, Bitcoin and Pastebin. However, when they analyzed the data, they found that “14% of exposed username/passwords pairs had not previously been decrypted by the community and are now available in clear text.”
When 4iQ discovered the Breach Compilation, they tested a small subset of the passwords for verification, and most of the tested passwords worked. The intelligence analysts state that they found the 41GB dump on December 5, 2017, with the latest data updated on November 29, 2017.
They also remarked that the leak was not just a list, but rather an “interactive database” that allowed for “fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”
It is unclear what the repercussions of the Breach Compilation have been.
Possible impact
The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks is the biggest threat.
If users use the same passwords for their LinkedIn or Netflix as they do their Gmail accounts, attackers can pivot to other more important accounts.
Beyond that, users whose data has been included in Compilation of Many Breaches may become victims of spear-phishing attacks, or they may receive high levels of spam emails.
In any case, users are normally recommended to change their passwords on a regular basis, and to use unique passwords for every account. Doing so – creating and remembering unique passwords – can be quite challenging, and we recommend users get password managers to help them create strong passwords.
And, of course, users should add multi-factor authentication, like Google Authenticator, on their more sensitive accounts. That way, even if an attacker has their username and password, they won’t be able to get into their accounts.
We will continue to analyze the data as the story unfolds.
Update February 12: This article was updated to add new analysis of the Gmail and Yahoo domains contained within the COMB database, as well as how many users have checked their data on CyberNews’ data leak checker.
Hi. I did enter my email and it was pwned but my question is my email has been target to 6 breaches and no pastes found what does that mean and also on password checker of cybernews my password is showing 3 times leaked in database and in HIBP password checker my password is showing green sign. Can anyone please answer to my questions. It’s really important. Also I changed my passwords completely in the month of March. Again I changed recently. So I am safe right? Please do reply.
Shouldn’t Microsoft, Google and Netflix be notifying their customers if there was a breach of their data?
Seems like that should be required of them and in their best interest to inform their user’s
Microsoft did. I received that in the past.
That said, because people use their Hotmail amd gmail email address to connect to other services it is possible that one could find his email address in the database breach but this does mean it came from a breach of Hotmail or gmail but rather it came from a breach of another service where we used our email address to authenticate
Shouldn’t this data base be showing multiple passwords for many email addresses? Any chance you confirm that? Signify it?
Yes, depending on the data breach date, it is possible to see multiples passwords for the same email address.
I think anyone with an email address older than 3-4 years is likely in this COMPILATION of published breach addresses. Honestly, this kind of reporting is more fear-mongering than actual journalism.
I really don’t understand why every bank, department store, etc. thinks you should pay anywhere from $15 a month and up for security, when I have no idea where this money coming from! I would have to cancel my streaming, cancel my Internet, and even eat less food to pay all of it. It’s insane and when something does happen, you’re probably not even going to be responsible for all of it.
Isn´t biggest hacker NSA?
Yes and their discovery and “banking” of operating system and software vulnerabilities for their state sponsored hacking leaves every user of those software products vulnerable not only to NSA but to any other nation state and criminal hackers that reverse NSA hacks and then use them themselves. I bet NSA knew about all the Exchange vulnerabilities decades ago and probably did not even tell Microsoft of their use of it to spy on their allies and adversaries and citizens. Any US organisation care to try performing a freedom of information act request to ask when NSA first became aware of the Exchange Server vulnerabilities… bet they will hid behind national security instead of answering.
I entered my e-mail it said it was not found in the list, however next day I started to receive spam malicious e-mails next day which I have never received before, how come??
Hi,
Has anything changed in the leak database? I queried some addresses yesterday, and they were found among the compromised ones. Today I queried the same addresses again, and suddenly they came up “green”. How come?
Regards,
Frank
cela ne fait absolument rien lorsque je rentre mon email, ça veut dire que c’est ok pour moi ?
Hi, can we see which password is associated to the leaked email? Just to know if I do really need to change it?
Best,
Jocelyn
im haked
Hi, it’s not really clear, what is breachcomp2.0? is it the same that COMP? which are the sites concerned?
So that *they (the hashes) do not appear in the logs of proxies and other servers.
I am wondering how those hackers process these data without actual Hadoop Enterprise License?
pouvez vous me dire si mon compte est piraté afin que je change mon mail. Merci par avance.
Hi Vanhems. You can check if your email has been breached in our Data Leak Checker here: https://cybernews.com/personal-data-leak-check/
The problem is that you say if our addreses have been hacked, good…
But At least could you print out on which website…
One email addreess can be use for several account and it is annoying to check all…
Agreed
Where can I find this leak db for download?
Hi Cristian. Unfortunately, we can’t give you the link to the COMB leaked database. But it was posted on several hackers forums.
Use less programs of Chinese and Russian origin.
Check email
Okay. So my old email is included in that list. My new one is not. I dont even know where this old email is still in use. I need to know which accounts of mine got leaked in order to change the passwords or to delete those accounts.
Personal data leak checker is a trap to get your email adresse, less you provide your email less is the risk of leak.
Use double authentication and never trust anyone or any such tool who ask your email
Hi Ed. We only store hashed emails (bcrypt) and we do not store your emails, that you check. You can read about it on our FAQ for the Data Leak Checker https://cybernews.com/leak-check-faq/
And if you have concerns, you can email me personally, for any more details on how we anonymise the data.
Yeah, Ed. You can trust me xD
a bit more info on which site the logins where found would be vey helpfull .
Now it’s only spreading fear….
Hi Franklin. The COMB was leaked with just emails and passwords, no sources in the COMB itself were present. Our investigation team is working on including sources in the near future, by cross-referencing it with the previous independent breaches.
“More than 3.2 billion unique pairs of cleartext emails and passwords have just been leaked on a popular hacking forum…”
What hacking forum? Does it have a name?
They are vague so they don’t show it anywhere
raidforum
raidforums
xss is
or
xss as
How come your personal data leak checker is processing requests so fast (1 second approximately) while validating against 2+ billion unique email addresses
Database indexing
Bloom Filter
Binary search on ordered set data with 2 billion entities takes log2(2B) = 31 operations. A modern computer can do billions of operations per second. It’s actually quite slow.
Hahahaha! True dat!
Probably has something to do with mind mapping and/or neural networks. It’s a very lucrative industry with all the new technology capabilities coming out. These big companies are getting rich off of mind-raping unaware victims!