COMB: largest breach of all time leaked online with 3.2 billion records


It's being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. While many data breaches and leaks have plagued the internet in the past, this one is exceptional in the sheer size of it. To wit, the entire population of the planet is at roughly 7.8 billion, and this is about 40% of that.

However, when considering that only about 4.7 billion people are online, COMB would include the data of nearly 70% of global internet users (if each record was a unique person). For that reason, users are recommended to immediately check if their data was included in the leak. You can head over to the CyberNews personal data leak checker now.

CyberNews was the first leak database to include the COMB data. Since COMB was first released, nearly 1 million users have checked our personal data leak checker to see if their data was included in the biggest breach compilation of all time.

ADVERTISEMENT

So how did the COMB data leak happen?

On Tuesday, February 2, COMB was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked.

However, the current breach, known as “Compilation of Many Breaches” (COMB), contains more than double the unique email and password pairs. The data is currently archived and put in an encrypted, password-protected container.

The leaked database includes a script named count_total.sh, which was also included in 2017’s Breach Compilation. This breach also includes two other scripts: query.sh, for querying emails, and sorter.sh for sorting the data.

After running the count_total.sh script, which is a simple bash script to count the total lines in each of the files and add them together, we can see there are more than 3.27 billion email and password pairs:

We are currently adding the new COMB emails to our Personal Data Leak Checker. The CyberNews Personal Data Leak Checker has the largest database of known breached accounts, helping users know if their data has possibly fallen into the hands of cybercriminals.

ADVERTISEMENT

Check out our personal data leak checker now to see if your email address has been exposed in this or previous leaks.

Data Leaks and Their Effects: How to check if your data has been leaked? video screenshot

This does not appear to be a new breach, but rather the largest compilation of multiple breaches. Much like 2017’s Breach Compilation, COMB’s data is organized by alphabetical order in a tree-like structure, and it contains the same scripts for querying emails and passwords.

In the screenshots attached with the leak, the organization of the data can be seen, as well as the type of data released. Below, the data has been blurred by CyberNews:

At the moment, it is unclear what previously leaked databases are collected in this breach. Samples seen by CyberNews contained emails and passwords for domains from around the world.

Netflix, Gmail, Hotmail logins included in COMB

Because COMB is a quick, searchable, well-organized database of past major leaks, it naturally contains past leaks. This includes major leaks from popular services such as Netflix, Gmail, Hotmail, Yahoo and more.

Based on our analysis of the breached data, there are approximately 200 million Gmail addresses and 450 million Yahoo email addresses in the COMB data leak.

In 2015, The Independent reported on an apparent "Netflix hack" where cybercriminals were able to log into Netflix users' accounts worldwide. However, Netflix has never admitted to being hacked, and this is more likely a casualty of the fact that users often use the same passwords for different accounts.

ADVERTISEMENT

This is why it's important to use a unique password for each account you create. CyberNews has a strong password generator that you can use to create strong, unique passwords.

CyberNews Pro tip

Don't let another data breach scare you. Password managers create not only strong and unique passwords, but they'll also alert you when your credentials have been leaked.

Learn more about password managers

Similarly, Gmail never had a data breach of its own. Instead, this is most likely related to people using their Gmail email addresses on other breached websites or services.

On the other hand, Microsoft confirmed that between January and March 2019, hackers were able to access a number of consumer Outlook.com, Hotmail and MSN Mail email accounts.

But perhaps the biggest big-name data breach happened to Yahoo. While it was reported in 2016, the breach actually happened at the end of 2014. In that Yahoo breach, the company confirmed that all 3 billion of its users' accounts had been impacted.

It appears that not all data from past Yahoo and Hotmail/Microsoft breaches have been included in COMB. Nonetheless, it is possible that the list has been cleaned of dead credentials, which is why it's crucial that users check if their data has been leaked.

Similar to Breach Compilation

This current leaked database appears to build on 2017’s Breach Compilation. In that leak, intelligence analysts at 4iQ discovered a single file database with 1.4 billion email and password pairs, all in plaintext.

At the time, this was considered the largest credential breach exposure, almost two times larger than the previous largest credential exposure from Exploit.in which had nearly 800 million records.

2017’s Breach Compilation contained 252 previous breaches, including the aggregated ones from the previous Anti Public and Exploit.in dumps, as well as LinkedIn, Netflix, Minecraft, Badoo, Bitcoin and Pastebin. However, when they analyzed the data, they found that “14% of exposed username/passwords pairs had not previously been decrypted by the community and are now available in clear text.”

ADVERTISEMENT

When 4iQ discovered the Breach Compilation, they tested a small subset of the passwords for verification, and most of the tested passwords worked. The intelligence analysts state that they found the 41GB dump on December 5, 2017, with the latest data updated on November 29, 2017.

They also remarked that the leak was not just a list, but rather an “interactive database” that allowed for “fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”

It is unclear what the repercussions of the Breach Compilation have been.

Possible impact

The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks is the biggest threat.

If users use the same passwords for their LinkedIn or Netflix as they do their Gmail accounts, attackers can pivot to other more important accounts.

Beyond that, users whose data has been included in Compilation of Many Breaches may become victims of spear-phishing attacks, or they may receive high levels of spam emails.

In any case, users are normally recommended to change their passwords on a regular basis, and to use unique passwords for every account. Doing so – creating and remembering unique passwords – can be quite challenging, and we recommend users get password managers to help them create strong passwords.

And, of course, users should add multi-factor authentication, like Google Authenticator, on their more sensitive accounts. That way, even if an attacker has their username and password, they won't be able to get into their accounts.

We will continue to analyze the data as the story unfolds.

ADVERTISEMENT

Update February 12: This article was updated to add new analysis of the Gmail and Yahoo domains contained within the COMB database, as well as how many users have checked their data on CyberNews' data leak checker.

  • Protect your data with a VPN. We have a page for NordVPN coupon codes that lists all the best deals.
  • Keep your passwords safe with a password manager. Check out our post for the best Dashlane coupon codes.

Build your secure personal and business online presence


ADVERTISEMENT

Comments

RiddickABSent
prefix 3 years ago
Who hacks my accounts easily? And this is when two-factor authentication is enabled.
Rose
prefix 3 years ago
Hi. I did enter my email and it was pwned but my question is my email has been target to 6 breaches and no pastes found what does that mean and also on password checker of cybernews my password is showing 3 times leaked in database and in HIBP password checker my password is showing green sign. Can anyone please answer to my questions. It’s really important. Also I changed my passwords completely in the month of March. Again I changed recently. So I am safe right? Please do reply.
Michael
prefix 3 years ago
Shouldn’t Microsoft, Google and Netflix be notifying their customers if there was a breach of their data?

Seems like that should be required of them and in their best interest to inform their user’s
Nasser
prefix 3 years ago
Microsoft did. I received that in the past.
That said, because people use their Hotmail amd gmail email address to connect to other services it is possible that one could find his email address in the database breach but this does mean it came from a breach of Hotmail or gmail but rather it came from a breach of another service where we used our email address to authenticate
vaughn
prefix 3 years ago
Shouldn’t this data base be showing multiple passwords for many email addresses? Any chance you confirm that? Signify it?
Luc St-Laurent
prefix 3 years ago
Yes, depending on the data breach date, it is possible to see multiples passwords for the same email address.
SteveB
prefix 3 years ago
I think anyone with an email address older than 3-4 years is likely in this COMPILATION of published breach addresses. Honestly, this kind of reporting is more fear-mongering than actual journalism.
Janet Patterson
prefix 3 years ago
I really don’t understand why every bank, department store, etc. thinks you should pay anywhere from $15 a month and up for security, when I have no idea where this money coming from! I would have to cancel my streaming, cancel my Internet, and even eat less food to pay all of it. It’s insane and when something does happen, you’re probably not even going to be responsible for all of it.
Risto Rinne
prefix 3 years ago
Isn´t biggest hacker NSA?
TK
prefix 3 years ago
Yes and their discovery and “banking” of operating system and software vulnerabilities for their state sponsored hacking leaves every user of those software products vulnerable not only to NSA but to any other nation state and criminal hackers that reverse NSA hacks and then use them themselves. I bet NSA knew about all the Exchange vulnerabilities decades ago and probably did not even tell Microsoft of their use of it to spy on their allies and adversaries and citizens. Any US organisation care to try performing a freedom of information act request to ask when NSA first became aware of the Exchange Server vulnerabilities… bet they will hid behind national security instead of answering.
Matthew
prefix 3 years ago
I entered my e-mail it said it was not found in the list, however next day I started to receive spam malicious e-mails next day which I have never received before, how come??
Frank
prefix 3 years ago
Hi,

Has anything changed in the leak database? I queried some addresses yesterday, and they were found among the compromised ones. Today I queried the same addresses again, and suddenly they came up “green”. How come?

Regards,
Frank
cindy
prefix 3 years ago
cela ne fait absolument rien lorsque je rentre mon email, ça veut dire que c’est ok pour moi ?
Gate Jocelyn
prefix 3 years ago
Hi, can we see which password is associated to the leaked email? Just to know if I do really need to change it?
Best,
Jocelyn
Julia
prefix 3 years ago
im haked
Bob
prefix 3 years ago
Hi, it’s not really clear, what is breachcomp2.0? is it the same that COMP? which are the sites concerned?
Bastien Flarion
prefix 3 years ago
So that *they (the hashes) do not appear in the logs of proxies and other servers.
Mohammad Salehi
prefix 3 years ago
I am wondering how those hackers process these data without actual Hadoop Enterprise License?
VANHEMS FENOLLAR
prefix 3 years ago
pouvez vous me dire si mon compte est piraté afin que je change mon mail. Merci par avance.
Mantas Sasnauskas
prefix 3 years ago
Hi Vanhems. You can check if your email has been breached in our Data Leak Checker here: https://cybernews.com/personal-data-leak-check/
re
prefix 3 years ago
The problem is that you say if our addreses have been hacked, good…
But At least could you print out on which website…
One email addreess can be use for several account and it is annoying to check all…
Greg
prefix 3 years ago
Agreed
Cristian
prefix 3 years ago
Where can I find this leak db for download?
Mantas Sasnauskas
prefix 3 years ago
Hi Cristian. Unfortunately, we can’t give you the link to the COMB leaked database. But it was posted on several hackers forums.
Vitalii
prefix 3 years ago
Use less programs of Chinese and Russian origin.
Otmani Yasmina
prefix 3 years ago
Check email
Andy
prefix 3 years ago
Okay. So my old email is included in that list. My new one is not. I dont even know where this old email is still in use. I need to know which accounts of mine got leaked in order to change the passwords or to delete those accounts.
Ed
prefix 3 years ago
Personal data leak checker is a trap to get your email adresse, less you provide your email less is the risk of leak.
Use double authentication and never trust anyone or any such tool who ask your email
Mantas Sasnauskas
prefix 3 years ago
Hi Ed. We only store hashed emails (bcrypt) and we do not store your emails, that you check. You can read about it on our FAQ for the Data Leak Checker https://cybernews.com/leak-check-faq/
And if you have concerns, you can email me personally, for any more details on how we anonymise the data.
Kocio
prefix 3 years ago
Yeah, Ed. You can trust me xD
franklin DR
prefix 3 years ago
a bit more info on which site the logins where found would be vey helpfull .
Now it’s only spreading fear….
Mantas Sasnauskas
prefix 3 years ago
Hi Franklin. The COMB was leaked with just emails and passwords, no sources in the COMB itself were present. Our investigation team is working on including sources in the near future, by cross-referencing it with the previous independent breaches.
John
prefix 3 years ago
“More than 3.2 billion unique pairs of cleartext emails and passwords have just been leaked on a popular hacking forum…”

What hacking forum? Does it have a name?
Ronald
prefix 3 years ago
raidforums
Victor Nunes
prefix 3 years ago
raidforum
Johnnny
prefix 3 years ago
They are vague so they don’t show it anywhere
Hfouad94
prefix 3 years ago
xss is
or
xss as
Raja
prefix 3 years ago
How come your personal data leak checker is processing requests so fast (1 second approximately) while validating against 2+ billion unique email addresses
Thrasos Thrasyvoulou
prefix 3 years ago
Database indexing
triangles
prefix 3 years ago
Binary search on ordered set data with 2 billion entities takes log2(2B) = 31 operations. A modern computer can do billions of operations per second. It’s actually quite slow.
Danielle Smith
prefix 3 years ago
Probably has something to do with mind mapping and/or neural networks. It’s a very lucrative industry with all the new technology capabilities coming out. These big companies are getting rich off of mind-raping unaware victims!
Bobait Log
prefix 3 years ago
Hahahaha! True dat!
Amine Raounak
prefix 3 years ago
Bloom Filter
Leave a Reply

Your email address will not be published. Required fields are markedmarked