Billions of Passwords Offered for $2 in Cyber-Underground

comb leaked database

About 3.27 billion stolen account logins have been posted to the RaidForums English-language cybercrime community in a ‘COMB’ collection.

A “compilation of many breaches” – COMB for short – has been leaked on the cyber-underground, according to researchers. The so-called COMB contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords.

The trove is an aggregate database that brings together older stolen data from breaches past – including credentials from Netflix, LinkedIn, Exploit and others. COMB – which was given that name by the person who posted it online – was first made public on Feb. 2 by a user dubbed “Singularity0x01,” a researcher told Threatpost.

“On February 2, 2020, user Singularity0x01 created a thread on the popular English-language cybercriminal forum RaidForums titled ‘Compilation of Many Breaches (COMB) 3.8Billion (Public),'” Ivan Righi, cyber-threat intelligence analyst at Digital Shadows, said.

He added, “Singularity0x01 stated that the collection was built on a previous breach compilation that contained 1.4 billion records, and that the contents were mostly publicly available. The user also said that the data was presented in an alphabetical order and in a tree-like structure.”

In order to view the download link for the password-protected .ZIP file containing the data, forum users were asked to spend 8 RaidForums credits (about $2), he added. Then, they can use the database’s built-in tool for querying and sorting the information to slice and dice the data.

How Serious is the COMB Data Dump?

The data itself was not that well-received by underground denizens, Righi noted.

“Some users claimed that files were corrupted, files were missing, the total number of credentials was smaller than advertised, and the data was of low quality,” he explained – all of which led to Singularity0x01 gaining a negative reputation rating on the criminal forum.

“Singularity0x01 had also created two identical threads on the forum, leading some users to spend their tokens twice,” the researcher said. “Singularity0x01 was permanently banned from RaidForums on 08 Feb 2021 for ‘leaking hidden content,’ although no further information was provided by the site’s moderators.”

Dustin Warren, senior security researcher at SpyCloud, also took a look at the data and determined that the login combos have been in Dark Web circulation for some time.

“The 3.2 billion number by itself looks staggering, but we have to remember ‘quality vs. quantity,'” he told Threatpost. “The data appears to be full of account credentials that had been part of previously known breaches. In fact, this one appears to be a re-release of the Collection Combos leak from 2019, the Anti Public Combo list from 2016 and potentially others, but released with some tools for deduping, sorting and parsing of the data to make it easier to use. In other words, there is nothing new here.”

Credential-Stuffing Attacks in the Offing

The data may be old, but it’s not without value. Thanks to password reuse, hackers can use the data to mount brute-force or credential-stuffing attacks in an effort to hijack any number of types of accounts. And from there, the potential fallout becomes notable.

“It is an important reminder that old passwords can come back to haunt users who reuse them across accounts, which is why even old data can be useful to criminals,” Warren said. “Threat actors are no doubt running credential-stuffing attacks with this data so any accounts using the same logins and passwords could still be in jeopardy.”

Online banking, social-media, patient portals, loyalty points accounts and others all contain reams of information that can be used for financial fraud or to mount convincing follow-on phishing attack, for instance. And, work log-ins and email accounts that are compromised can lead to espionage efforts or business email compromise (BEC).

How to Mitigate COMB and Password Attacks

As always, implementing multifactor authentication (MFA) and maintaining good password hygiene (strong, unique passwords for all accounts and regular password rotation) can prevent much of the potential fallout from being caught up in this incident.

“A significant number of hacking-related breaches are still tied to weak passwords and the absence of MFA,” Terence Jackson, CISO at Thycotic, told Threatpost. “Use of a password manager and MFA are still two of the best ways online accounts can be protected from brute-force and password-spraying attacks.  These ‘keys to the kingdom’ are what malicious actors covet because it gives them access to  wreak havoc.”

“While MFA can prevent direct use of the credentials on services such as Office 365, it’s important to remember that MFA is not a silver bullet.

“Simple credentials would still be useful in conjunction with some other compromised asset as that would allow the attacker to overcome MFA,” Oliver Tavakoli, CTO at Vectra, told Threatpost. “Of course, this points out the criticality of enabling (and requiring) MFA for all authentication – especially for services (such as Office 365) directly accessible from the internet.”

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!


Suggested articles