COMB: The Big Password Leak (2024)

Paper by Felipe Daragon and Syhunt Icy Team. April 26, 2021

Our Analysis

Following customer and media requests, we have now analyzed COMB21, the biggest known compilation of password leaks, published on Feb 2, 2021 by a hacker on the same Internet forum that last month hosted links and information about the mega leak of Brazilian data.

We concluded that the leak not only exposes current and past passwords, but also gives insight, in a dangerous and unprecedented way, into key password elements and patterns and into the password reuse and changing habits of individuals and organizations from all around the world: in many cases, between 3 and 30 passwords linked to a single email were exposed, which reveals a person's password changing habits. And when a password repeats with an identical username at multiple domains, someone with a password reuse habit is exposed.

A staggering total of 3.28 billion passwords were exposed, linked to 2.18 billion unique emails, compiled into a single file and published through a link on the forum. This time the leak was published in full and for free, and the archive is being actively shared among hackers and cybercriminals as a single 7zip compressed archive.

The Leak in Numbers

Total of Passwords Exposed: 3.28 billion (3,279,064,312)
Total of Unique Emails in Leak: 2.18 billion
Total of Domains in Leak: 26 million
Uncompressed Password Database Size: 100GB
Compressed Password Database Size (7Z): 18.6GB
Total of World Gov Passwords Exposed: 1.5 million (1,502,909)
Total of US Gov Passwords Exposed: 625,505

This compilation of leaks contains twice the amount of unique email and password pairs as the Breach Compilation from 2017, which exposed 1.4 billion credentials. It includes the script named count_total.sh, just like the 2017 compilation, and adds two new scripts: query.sh, for querying emails, and sorter.sh, for sorting the password leak data.

How World Government Is Affected

During our analysis, we concluded that the COMB leak includes millions of passwords linked to emails from government domains, which poses a major threat to government entities around the globe. Not only hackers and cybercriminals but also hostile foreign actors may exploit the COMB leak.

Gov Email Passwords In The Leak (By Country) - Top 50 Countries

Country (gov domain): Total of Exposed Passwords

United States of America (*.gov): 625,505
United Kingdom (*.gov.uk): 205,099
Australia (*.gov.au): 136,025
Brazil (*.gov.br): 68,535
Canada (*.gc.ca): 50,726
South Africa (*.gov.za): 48,838
Mexico (*.gob.mx): 31,995
France (*.gouv.fr): 24,002
China (*.gov.cn): 18,282
South Korea (*.go.kr): 17,560
Taiwan (*.gov.tw): 17,007
Argentina (*.gov.ar): 15,604
New Zealand (*.govt.nz): 15,488
Malaysia (*.gov.my): 12,463
Turkey (*.gov.tr): 11,469
Austria (*.gv.at): 9,529
Colombia (*.gov.co): 9,428
Thailand (*.go.th): 7,913
Japan (*.go.jp): 7,650
Ukraine (*.gov.ua): 6,206
Peru (*.gob.pe): 6,038
Chile (*.gob.cl): 5,843
Singapore (*.gov.sg): 5,470
Israel (*.gov.il): 4,984
Costa Rica (*.go.cr): 4,402
India (*.gov.in): 4,253
Poland (*.gov.pl): 4,194
Indonesia (*.go.id): 4,040
United Arab Emirates (*.gov.ae): 3,672
Switzerland (*.gov.ch): 3,310
Ecuador (*.gov.ec): 2,792
Italy (*.gov.it): 2,593
Saudi Arabia (*.gov.sa): 2,564
Hungary (*.gov.hu): 2,166
Pakistan (*.gov.pk): 2,123
Russia (*.gov.ru): 1,964
Philippines (*.gov.ph): 1,921
Hong Kong (*.gov.hk): 1,795
Vietnam (*.go.vn): 1,725
Latvia (*.gov.lv): 1,647
El Salvador (*.gob.sv): 1,640
Mozambique (*.gov.mz): 1,493
Fiji (*.gov.fj): 1,492
Venezuela (*.gob.ve): 1,461
Kenya (*.go.ke): 1,407
Namibia (*.gov.na): 1,354
Jordan (*.gov.jo): 1,340
Jamaica (*.gov.jm): 1,298
Morocco (*.gov.ma): 1,235
Uganda (*.gov.ug): 1,228

All countries of the globe combined: 1,502,909

How we got to the above numbers: we scanned the entire 100GB COMB archive.
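How per-domain counts like the table above, and the passwords-per-email figures mentioned in the analysis, can be produced by streaming over an email:password dump. This is an added example, not the paper's own count_total.sh or Syhunt tooling; the suffix table covers only a few of the listed countries and the sample lines are constructed, and for a real file you would pass an open file object instead of the sample.

```python
from collections import Counter

# A few of the per-country government e-mail suffixes listed in the paper.
GOV_SUFFIXES = {
    "United States": ".gov",
    "United Kingdom": ".gov.uk",
    "Canada": ".gc.ca",
    "Brazil": ".gov.br",
}

# Constructed sample in the dump's email:password layout (not real leak data).
SAMPLE_DUMP = """\
alice@state.gov:Summer2019!
alice@state.gov:Summer2020!
bob@va.gov:hunter2
carol@hmrc.gov.uk:Passw0rd
dave@example.gc.ca:qwerty
erin@caixa.gov.br:caixa123
erin@caixa.gov.br:caixa124
erin@caixa.gov.br:caixa125
malformed line without separator
"""

def parse_line(line):
    """Split 'email:password' on the first ':'; return None for malformed lines."""
    email, sep, password = line.strip().partition(":")
    if not sep or "@" not in email:
        return None
    return email.lower(), password

def gov_country(email):
    """Map an e-mail address to a country by its government domain suffix."""
    domain = email.rsplit("@", 1)[1]
    for country, suffix in GOV_SUFFIXES.items():
        if domain.endswith(suffix):
            return country
    return None

def analyse(lines):
    """Return (exposed passwords per country, histogram of passwords per e-mail).
    The input is consumed line by line, so a multi-GB file is never loaded whole."""
    per_country = Counter()
    per_email = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # skip lines that do not follow the email:password layout
        email, _ = parsed
        per_email[email] += 1
        country = gov_country(email)
        if country:
            per_country[country] += 1
    # histogram: how many e-mails had 1, 2, 3 ... passwords exposed
    return per_country, Counter(per_email.values())
```

Running `analyse(SAMPLE_DUMP.splitlines())` gives three passwords each for the United States and Brazil, and shows one address with three exposed passwords, which is the kind of "multiple passwords per email" exposure the analysis describes.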

Note: Germany is not listed because the gov domain extension is not used in the country.

How USA Is Affected

Total of .US Domain Passwords Exposed*: 2.78 million (2,780,342)
Total of GOV Passwords Exposed: 625,505

(*) The actual number is much bigger, because international email providers used by Americans, such as gmail.com, were not considered.

Top 20 USA Government Domains In The Leak (.GOV)

Rank Position, Domain, Number of Exposed Passwords (All names below have a .gov extension)

1. state: 29,144
2. va: 28,937
3. dhs: 21,575
4. nasa: 15,665
5. irs: 10,480
6. cdc: 8,904
7. usdoj: 8,857
8. ssa: 8,747
9. usps: 8,205
10. epa: 7,986

11. dc: 7,790
12. schools.nyc: 7,761
13. ky: 7,314
14. mail.nih: 7,302
15. faa: 7,159
16. michigan: 7,053
17. bop: 7,051
18. noaa: 6,682
19. gsa: 6,456
20. med.va: 6,345

How we got to the above numbers: we scanned the entire 100GB COMB archive.

Oldsmar Florida Water Facility Attack

According to an article by CyberNews, the COMB leak included 13 credentials linked to emails of the Oldsmar water plant in Florida, which, three days after the COMB was published, suffered a cyber attack that attempted to poison the water supply by boosting lye levels by 100 times. There is no confirmation, however, that the COMB leak was used during the cyber attack.

How Brazil Is Affected

Total of .BR Passwords Exposed*: 9.78 million (9,785,714)
Total of GOV.BR Passwords Exposed: 68,535
Total of JUS.BR Passwords Exposed: 4,589

(*) The actual number is much bigger, because international email providers used by Brazilians, such as gmail.com, were not considered.

Top 20 GOV.BR Domains In The Leak

Rank Position, Domain, Number of Exposed Passwords (All names below have a .gov.br extension)

1. caixa: 2,197
2. fatec.sp: 2,035
3. see.sp: 1,665
4. pbh: 1,008
5. macae.rj: 1,004
6. bcb: 999
7. camara: 985
8. previdencia: 870
9. policiamilitar.sp: 831
10. escola.ce: 805

11. etec.sp: 796
12. seed.pr: 796
13. prefeitura.sp: 787
14. tj.rs: 769
15. polmil.sp: 642
16. chesf: 593
17. dpf: 576
18. brigadamilitar.rs: 493
19. fazenda.sp: 466
20. agricultura: 451

How we got to the above numbers: we scanned the entire 100GB COMB archive.

Exploitation of Combined Mega Leaks for Brazil

The Big Brazil Data Leak that we recently analyzed contained millions of exposed emails, tied to individuals through their CPF number and to companies through their CNPJ number, but it did not include passwords. However, with both leaks being actively sold and shared online, cybercriminals and hackers, based on their known modus operandi, will certainly take advantage of the combination of the two.

As we mentioned above, the COMB password leak gives insight into past password elements, password patterns and password changing and reuse habits of individuals and organizations in an unprecedented way. The CPF/CNPJ data leak, on the other hand, gives insight into specific key details, such as email, date of birth, family member names and so on, that individuals may be using as part of their current passwords. When both leaks are exploited together, the chances of accurately guessing the current password of a target increase significantly.

Following a request by Estadão, we processed the hacker's catalog information of the Big Brazil Data Leak, and learned that 77.8 million individuals and 15.8 million companies have emails catalogued for sale by the hacker, all tied to their CPF and CNPJ numbers. This is the number of individuals and companies that are particularly vulnerable to the combined exploitation of both the COMB and the Brazil mega data leak.

The first leak also includes the date of inclusion of emails in the database, which gives insight into the year in which an email, or multiple emails associated with a person or business, was in use.

The Source of The Leak

We named this leak PWCOMB21 (PassWord Compilation Of Many Breaches Of 2021) and sometimes refer to it as just COMB. The COMB leak is, as we explained in the first section of this document, a compilation of leaks, and as such the impressive number of leaked passwords comes from multiple leaks at different companies and organizations that happened over the years. The passwords were exposed through well-known techniques such as password hash cracking after the hashes were stolen, and sometimes through phishing attacks or eavesdropping on insecure, plaintext connections.

Conclusion

Despite the efforts over recent years by companies and organizations to monitor password leaks, harden the security of web applications and login mechanisms, switch to HTTPS and respond to password leaks, the publication and active sharing of this password leak compilation is a major blow to Internet security.

While some of the domains, organizations, agencies and companies listed above may have publicly acknowledged breaches over the years and adopted appropriate response and countermeasure actions, a significant number of leaked passwords appear to originate from breaches that affected other companies and websites which simply allowed users to create accounts linked to their emails. This means services like LinkedIn, other social networks, and multiple other Internet websites not referenced in the COMB archive.

Syhunt recommends, among other things, that:

  • Innovations in the field of authentication should be supported, pursued and put in place.
  • Multi-factor authentication (MFA) and tokens, more than ever, should be widely deployed and encouraged.
  • The replacement of broken password hashing (MD5, SHA1 etc.) should be more aggressively pursued through source code analysis (SAST), deprecation and additional means.
  • Users should be advised not only to change existing passwords, but to completely break with password naming habits and patterns when changing a password. They should be encouraged and assisted to adopt strong passwords more than ever.
  • Administrative and advanced users should use password managers that include a strong, secure password generation feature.
  • Discuss, review and improve password policies and practices around the globe.
  • Discuss the implications of deep learning applied to the COMB leak for password guessing.
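Two of the recommendations above, rejecting a new password that merely varies the old pattern and replacing unsalted MD5/SHA1 storage, applied to a password change. This is an added example and not Syhunt's or any project's code; the list of earlier passwords and the leet-substitution table are constructed assumptions, and the skeleton check is a heuristic, not a complete pattern detector.

```python
import hashlib
import hmac
import os
import re

# Constructed example of one user's earlier passwords (not data from the leak).
PREVIOUS = ["Summer2019!", "summer2020", "Summ3r2021!!"]

# Common character substitutions seen in passwords; the table is an assumption.
LEET = str.maketrans("@$0134", "asolea")

def skeleton(password):
    """Reduce a password to its naming pattern: drop leading/trailing digits and
    symbols, lower-case, undo leet substitutions, keep letters only.
    'Summ3r2021!!' -> 'summer', the same skeleton as 'Summer2019!'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))

def breaks_with_pattern(new_password, previous):
    """True only when the new password shares no skeleton with an earlier one."""
    return skeleton(new_password) not in {skeleton(p) for p in previous}

def hash_password(password, salt=None, iterations=600_000):
    """Salted, slow PBKDF2-HMAC-SHA256 in place of unsalted MD5/SHA1 storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=600_000):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def change_password(previous, new_password):
    """Accept the change only if it breaks with the earlier pattern; return the
    (salt, digest) pair to store, or None when the new password is rejected."""
    if not breaks_with_pattern(new_password, previous):
        return None
    return hash_password(new_password)
```

With the constructed history, `change_password(PREVIOUS, "Summer2022#")` is rejected because its skeleton is still "summer", while an unrelated passphrase is accepted and stored as a salted PBKDF2 digest.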

Exploitation Through Deep Learning

If deep learning tools such as PassGAN are successfully applied to the COMB leak, the threat posed by the leak compilation increases. PassGAN applies a Generative Adversarial Network to password leaks in order to learn the distribution of these passwords and then uses this knowledge to guess passwords.

References

  1. Oldsmar, Florida water facility credentials contained in COMB data leak, CyberNews, February 11, 2021
  2. LinkedIn, Netflix and other passwords are in the biggest leak in history, Canaltech, February 3, 2021
  3. More than three billion emails and passwords were just leaked online, TechRadar, February 3, 2021
  4. Generative Adversarial Networks can crack your password, March 31, 2020