On Tuesday, February 2, the largest compilation of breached usernames and passwords, known as COMB, was leaked online. COMB contains 3.2 billion unique email/password pairs. As we recently discovered, this includes the credentials for the Oldsmar water plant in Florida.
Three days after COMB was leaked, an unknown attacker entered Oldsmar’s computer systems and attempted to poison the water supply by raising the lye (sodium hydroxide) level to 100 times its normal setting.
Fortunately, the attack was quickly recognized and the lye level change was reversed.
Government officials are still investigating how the attack occurred, although they believe the attacker was not state-sponsored. Instead, the attacker seems to have entered Oldsmar’s systems via the plant’s software that allows supervisors to access the system remotely.
A Massachusetts advisory implied that the Oldsmar attacker entered through a remote-access program called TeamViewer that was installed on all computers used by plant personnel. All of the computers were connected to the plant’s control system and the plant staff all shared the same password.
In July 2020, a CyberNews investigation highlighted how easy it would be for an attacker to get into critical US infrastructure via these types of unsecured industrial control systems (ICS). The Massachusetts advisory further stated that the Oldsmar water facility computers seemed to have been “connected directly to the Internet without any type of firewall protection installed.”
Attackers can locate exposed ICS by using search engines that index internet-facing open ports, or by scanning for such ports themselves, and can then remotely take control of critical private and public US infrastructure. Our investigation found that water treatment and distribution systems were the most vulnerable, along with offshore and onshore oil wells.
However, a vulnerable ICS is only one of the many attack vectors that a threat actor could employ. Another vector would be a credential stuffing attack on the target facility.
COMB is a combination of past data leaks, so it is also possible that the attacker used past data breaches in their attack. We looked at both the first Breach Compilation from 2017 and COMB to search for credentials from the domain ci.oldsmar.fl.us.
We discovered that 2017’s Breach Compilation contained 11 Oldsmar credential pairs, while COMB contained 13 credential pairs.
It is within the realm of possibility that, if a credential stuffing attack was used, the attacker may have used either Breach Compilation or COMB to check for leaked credentials. On the other hand, COMB both contains more Oldsmar credentials and is closer to the date of attack than Breach Compilation.
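The check described above, searching a compilation for credential pairs belonging to one domain, is something any organization can run against a dump for its own domain. The following is an added example, not CyberNews’ tooling or the investigation’s actual script: it parses the usual one-pair-per-line `email:password` format, matches the domain and its subdomains case-insensitively, and flags passwords shared by several accounts (the shared-password situation the Massachusetts advisory describes). The dump lines are constructed, made-up credentials, not real leaked data.

```python
"""Added example (not CyberNews' tooling): scan a breach-compilation style
dump (one "email:password" pair per line) for credentials belonging to a
domain you are responsible for, count them, and flag shared passwords."""
from collections import defaultdict

# Constructed sample lines in the usual compilation format. These are
# made-up credentials for illustration, not real leaked data.
SAMPLE_DUMP = """\
alice@example.com:Summer2020!
bob@ci.oldsmar.fl.us:waterplant1
carol@CI.OLDSMAR.FL.US:waterplant1
dave@ci.oldsmar.fl.us:correct horse:battery staple
malformed line without separator
eve@mail.ci.oldsmar.fl.us:hunter2
frank@oldsmar.fl.us.evil.example:waterplant1
"""


def parse_pairs(text):
    """Yield (email, password) from lines of the form email:password.
    Only the first ':' separates the fields, so passwords may contain ':'.
    Lines without a separator or without '@' in the left field are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email:
            continue
        yield email.lower(), password


def belongs_to_domain(email, domain):
    """True if the mailbox host is the domain itself or one of its subdomains.
    A plain suffix test would also match look-alike hosts, so the dot is required."""
    host = email.rsplit("@", 1)[1].lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def find_domain_credentials(text, domain):
    """All (email, password) pairs in the dump that belong to the domain."""
    return [(e, p) for e, p in parse_pairs(text) if belongs_to_domain(e, domain)]


def shared_passwords(pairs):
    """Map each password used by more than one account to those accounts."""
    by_password = defaultdict(set)
    for email, password in pairs:
        by_password[password].add(email)
    return {p: sorted(a) for p, a in by_password.items() if len(a) > 1}


if __name__ == "__main__":
    hits = find_domain_credentials(SAMPLE_DUMP, "ci.oldsmar.fl.us")
    print(f"{len(hits)} credential pairs found for the domain")
    for pw, accounts in shared_passwords(hits).items():
        print(f"one password reused by {len(accounts)} accounts: {', '.join(accounts)}")
```

In practice the dump would be streamed from disk rather than held in a string, and the matched accounts would be forced through a password reset rather than printed; the matching and reuse logic stays the same.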