On February 2nd, a user on a hacking forum uploaded a database of leaked credentials containing 3.2 billion unique email and password pairs. That number is roughly 40% of the world's population, although one person can appear several times under different emails or passwords, so it is not 3.2 billion separate people.
The database goes by the name "Compilation of Many Breaches", or "COMB" for short. As of today, COMB is the largest known database of leaked passwords, overtaking the previous record holder, a database of 1.4 billion passwords from 2017.
Where did these passwords come from?
These passwords come from many different breaches over the last couple of years. Credentials from the Netflix, LinkedIn and Yahoo breaches, among others, are all included in the database. Personal and business emails with their respective passwords are now publicly available for anyone to download. Luckily, or unluckily, most of these passwords have already appeared in earlier breaches: only about 14% of COMB has not been seen before. That 14% may sound small, but it is still roughly 448 million newly leaked passwords.
(Small snippet of the COMB database showing personal Gmail accounts)
What does this mean to you?
This leak affects individuals and businesses alike, because it exposes them to a popular attack known as credential stuffing. In credential stuffing, an attacker takes email and password pairs from databases like COMB and tries them against other services and websites, looking for accounts where the same password was reused. Credential stuffing has been seen before: attackers used reused passwords to log into Ring cameras.
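The attack described above leaves a recognisable trace in a site's own login logs: one source address trying many different usernames in a short time, most of them failing, with the occasional success where a reused password matched. The following is an added example, not code from the original post or from Firestorm Cyber's tooling. It assumes a simple login-log format (ISO-8601 timestamp, client IP, username, result) and runs over a constructed sample; it flags any IP that tries at least ten distinct accounts within five minutes and lists the successful logins inside that burst, which are the accounts to reset first.

```python
"""Credential-stuffing detector over login logs (added example).

Assumed log format, one line per login attempt, space-separated:
    <ISO-8601 timestamp> <client IP> <username> <result>
where result is "ok" or "fail". The format and the sample lines below are
constructed for this example and are not from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through many distinct accounts
# (stuffing), while 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2021-02-03T10:00:01Z 203.0.113.7 alice@example.com fail
2021-02-03T10:00:02Z 203.0.113.7 bob@example.com fail
2021-02-03T10:00:02Z 203.0.113.7 carol@example.com fail
2021-02-03T10:00:03Z 203.0.113.7 dave@example.com ok
2021-02-03T10:00:03Z 203.0.113.7 erin@example.com fail
2021-02-03T10:00:04Z 203.0.113.7 frank@example.com fail
2021-02-03T10:00:04Z 203.0.113.7 grace@example.com fail
2021-02-03T10:00:05Z 203.0.113.7 heidi@example.com fail
2021-02-03T10:00:05Z 203.0.113.7 ivan@example.com fail
2021-02-03T10:00:06Z 203.0.113.7 judy@example.com fail
2021-02-03T10:00:06Z 203.0.113.7 mallory@example.com fail
2021-02-03T10:05:00Z 198.51.100.9 alice@example.com fail
2021-02-03T10:05:07Z 198.51.100.9 alice@example.com fail
2021-02-03T10:05:15Z 198.51.100.9 alice@example.com ok
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_accounts=10):
    """Return {ip: {"accounts", "failures", "successes"}} for every source IP
    that attempted at least `min_accounts` distinct usernames inside `window`.

    The distinguishing signal is breadth, not volume: a legitimate user who
    forgot a password hammers one account, whereas a stuffing attacker
    replays a list and touches many accounts once each. Any "ok" result in
    such a burst is a probable account takeover.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()  # chronological order for the sliding window
        best = None
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > best["accounts"]):
                best = {
                    "accounts": len(accounts),
                    "failures": sum(1 for _, _, r in chunk if r == "fail"),
                    "successes": [u for _, u, r in chunk if r == "ok"],
                }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts']} accounts tried, "
              f"{info['failures']} failures, took over: {info['successes']}")
```

The thresholds (ten accounts in five minutes) are a starting point, not a standard; a slow, distributed stuffing campaign spreads attempts over many IPs and a longer window, so in production the same count is usually kept per network range and per user-agent as well as per IP.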
How can you prevent being a victim of credential stuffing?
You can lower your chances of being a victim of credential stuffing by:
Turn on Multifactor Authentication - With multifactor authentication, a password is no longer the only thing needed to log in to your accounts. A login also requires a time-limited code sent to your mobile device, so an attacker who has only your leaked password is stopped at the door.
Don't reuse passwords - As convenient as it is to remember a single password, reusing it puts you at high risk of credential stuffing: if an attacker gets hold of one of your passwords, they get hold of all of them. A password manager like Bitwarden can store all of your login information while making it easy to set a unique password for every site.
How can we help?
At Firestorm Cyber we offer bleeding-edge protection and monitoring to keep you and your company from falling victim to digital threats like credential stuffing. We monitor the dark web for data breaches so we can notify you about a leak before it's too late. If you want to take the next steps to protect your company, contact us.