Dubbed COMB21, the data leak consists of 3.28 billion passwords connected to 2.18 million unique email addresses. The leak also includes 1,502,909 passwords linked to email addresses from government domains around the world. The United States government “leads” with 625,505 exposed passwords, followed by the U.K. with 205,099, Australia with 136,025, Brazil with 68,535, and Canada with 50,726 passwords.
How was the COMB21 data leak discovered?
The exposed credentials stem from a colossal 100GB dataset known as COMB21, standing for Compilation of Many Breaches. The data was published for free on an underground forum earlier this year, exposing information from different leaks associated with various organizations over the years.
How were the passwords collected?
Techniques such as password hash cracking have been used. The passwords were likely obtained by means of phishing and eavesdropping on exposed plaintext connections.
As reported by TheHackerNews, the government domains affected by the leak are the following:
State Department – state.gov (29,144)
Veterans Affairs Department – va.gov (28,937)
Department of Homeland Security – dhs.gov (21,575)
National Aeronautics and Space Administration – nasa.gov (15,665)
Internal Revenue Service – irs.gov (10,480)
Center for Disease Control and Prevention – cdc.gov (8,904)
Department of Justice – usdoj.gov (8,857)
Social Security Administration – ssa.gov (8,747)
U.S. Postal Service – usps.gov (8,205)
Environmental Protection Agency – epa.gov (7,986)
This is not the first large-scale data leak affecting millions of users across the world. Earlier this month, the personal details of more than 533 million Facebook users were exposed, including individuals from 106 countries, with 32 million records of US users, 11 million records of UK users, and 6 million records of Indian users. The leaked information included phone numbers, Facebook IDs, full names, locations, biographies, birthdates, and in some cases email addresses.