COMB Data Leak: Everything You Need to Know

In February 2021, a user on a popular hacker forum released the largest data leak of all time, the Compilation of Many Breaches, or COMB for short. This data breach contains approximately 3.2 billion unique emails and passwords from previous leaks and breaches. In some respects, it was similar to the RockYou2021 leak in that it was a compilation of existing data that had already been leaked online.

To put this into perspective, there are approximately 7.8 billion people in the world today, and by some estimates, 4.72 billion internet users. While the COMB leak did not quite contain as many unique emails and passwords as there are internet users, the next big breach may eclipse that number once and for all.

Background of the COMB leak

The COMB leak was posted by a user who goes by the name of “Singularity0x01” on the hacker forum. He stated that COMB was built on a Breach Compilation (1.4 Billion records), combined with other previous leaks and breaches. Furthermore, he stated that the data is ordered alphabetically in a tree-structure and that it also includes 3 scripts, count_total.sh for counting the total lines, sorter.sh for sorting the data and query.sh, for querying emails.

To access this database users of the hacker forum could purchase it for just $2 in forum credits.

Although the COMB contained many records, it was not so well-received by the other forum users. Many found that the data was ‘Nothing new’ and that the ‘Data was of low quality’. Singularity0x01 got a lot of negative feedback and even got banned for leaking hidden content, thus the post got removed.

Despite the ban, we are still seeing members of the hacking community sharing the data, with this recent post from just last week:

Now let’s put the COMB leak into more perspective and examine the consequences and ramifications.

How serious is COMB (Compilation of Many Breaches)?

After analyzing the COMB data, we noticed that a total of 3.28 billion passwords, combined with 2.18 billion unique emails. Out of that group of emails, there were approximately 450 million from Yahoo and 200 million from Gmail. (And if you are still using Gmail, and now want to consider alternatives, see our guide on the best Gmail alternatives.)

If you analyze the COMB data even further, you can find that a lot of these emails are linked to government domains (.gov). This makes the list even more potentially damaging, with government officials being put at risk of hacking, phishing, and possible identity theft risk.

The numbers might sound scary, but we have to remember it is about quality vs. quantity. If you look at the COMB, there are no new stolen credentials in this list. Most credentials come from the Breach Compilation 2017 (1.4 Billion records), Collection Combos leak from 2019 (773 Million), and others. In other words, there is nothing new, exactly like we saw in the RockYou2021 password leak.

Possible impact of the COMB breach

Even though the COMB does not contain any new records, it is not worthless. We still have to keep in mind that 3.2 billion is a staggering amount. And since many people still reuse their passwords across multiple accounts, hackers will be able to launch credential attacks and use brute-force tools to hijack accounts and gain access.(See our guide on how to create strong passwords.)

The hacker can set up a bot to automatically try and login onto multiple websites. It will check if the credentials from the COMB data work, and when it succeeds, the bot automatically copies any personal information, credit card info, addresses, emails, and all other available data. This information will be stored and is now able to be used for other attacks, which can result in identity theft, phishing, financial fraud, and more. Additionally, the newly acquired data could be re-sold to other hackers at a profit.

In any case, to be safe online you must use a different password each time and change your password on a regular basis. It can be challenging creating and remembering unique passwords. That is why you will need a reliable password manager.