Breach, Threat Management, Data Security

‘Combo list’ database of previously breached accounts contains over 560M credentials


An unknown individual has compiled a huge online data set comprised of approximately 560 million emails and their corresponding credentials, over 243 million of which are unique, according to Kromtech Security Research Center.

Most or perhaps all of the credentials have been leaked before, only now they have been gathered into a massive combo list, Kromtech reported in a blog post this week. Over 75 gigabytes in size, the database consists of data stolen from LinkedIn, Dropbox, Lastfm, MySpace, Adobe, Neopets, RiverCityMedia, 000webhost, Tumblr, Badoo, Lifeboat and other services.

"The lesson here is simple: most likely, your password is already there and somebody might be trying to use this just now. So isn't that a good time to change it now?" wrote blog post author Bob Diachenko, chief communication officer at Germany-based Kromtech, which is owns the MacKeeper computer security software brand.

In his blog post, Diachenko stated that he showed the data set to security researcher Troy Hunt, founder of the "Have I been pwned?" data breach website, who was able to identify the exact number of unique entries.

According to Kromtech, the database is hosted on a cloud-based IP, but it is not known who owns it. The research center has reportedly reported the site to its hosting provider in hopes of shutting it down.

On his own website, Hunt's number-one breach is another combo list of previously leaked credentials, referred to as Exploit.In. This list consists of over 593 million stolen credentials stolen, which were widely circulated and used for credential stuffing, meaning attackers attempt to find other websites where account owners may have reused the same stolen passwords.

"The fact that this data has been collected and compiled into a single database hints at one thing and one thing only: malicious actors are still attempting to leverage these credentials to gain access," said RJ Gazarek, product manager at Thycotic, in emailed comments. "Putting all of the compromised credentials into a single database allows for a single malicious application to quickly run through that database and attempt to try that email & password combination, not only at the site it was compromised, but also at other popular sites."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.