‘Combo list’ database of previously breached accounts contains over 560M credentials

May 18, 2017

An unknown individual has compiled a huge online data set comprised of approximately 560 million emails and their corresponding credentials, over 243 million of which are unique, according to Kromtech Security Research Center.

Most or perhaps all of the credentials have been leaked before, only now they have been gathered into a massive combo list, Kromtech reported in a blog post this week. Over 75 gigabytes in size, the database consists of data stolen from LinkedIn, Dropbox, Lastfm, MySpace, Adobe, Neopets, RiverCityMedia, 000webhost, Tumblr, Badoo, Lifeboat and other services.

"The lesson here is simple: most likely, your password is already there and somebody might be trying to use this just now. So isn't that a good time to change it now?" wrote blog post author Bob Diachenko, chief communication officer at Germany-based Kromtech, which is owns the MacKeeper computer security software brand.

In his blog post, Diachenko stated that he showed the data set to security researcher Troy Hunt, founder of the "Have I been pwned?" data breach website, who was able to identify the exact number of unique entries.

According to Kromtech, the database is hosted on a cloud-based IP, but it is not known who owns it. The research center has reportedly reported the site to its hosting provider in hopes of shutting it down.

On his own website, Hunt's number-one breach is another combo list of previously leaked credentials, referred to as Exploit.In. This list consists of over 593 million stolen credentials stolen, which were widely circulated and used for credential stuffing, meaning attackers attempt to find other websites where account owners may have reused the same stolen passwords.

"The fact that this data has been collected and compiled into a single database hints at one thing and one thing only: malicious actors are still attempting to leverage these credentials to gain access," said RJ Gazarek, product manager at Thycotic, in emailed comments. "Putting all of the compromised credentials into a single database allows for a single malicious application to quickly run through that database and attempt to try that email & password combination, not only at the site it was compromised, but also at other popular sites."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

‘Combo list’ database of previously breached accounts contains over 560M credentials

Related

Capita hack-related breaches reported by nearly 90 orgs

Why are 1.8M Apria patients just now being notified of a 2021 data breach?

Data breach confirmed by Luxottica after leak of over 70M customers’ records

Related Events

Stemming the rising tide of fraud with machine learning and AI

Part 2: Detection & Response Demo: Patrolling Every Packet & Process for Signs of Compromise

Part 1: The Telltale Signs of a Network Compromise: A Stage-by-Stage Attack Chronology

Get daily email updates