In Hacking News: 3.2 Billion Leaked Passwords Contain 1.5 Million Records and Ties to Government Emails

The News: Syhunt, an application security assessment firm that helps organizations actively guard their mobile and web apps, recently reported on the biggest known compilation of leaked passwords, posted by a hacker on an internet forum. The 100GB data set, called COMB21 (a/k/a Compilation of Many Breaches), was published on an online forum on February 2, 2021, and its ties to government emails are, at best, alarming. Read more at Syhunt.


Analyst Take: Online cybercrime forums are where hackers post passwords, links, and other information related to data breaches, and COMB21 is one gigantic data set. It is not the result of a single breach; it was pulled together from leaks and breaches of a variety of organizations (and government entities) over a fairly significant period of time. The potential impact is significant. For starters, there were some 3.2 billion passwords from 2.18 million unique emails and 26 million email domains in the COMB21 data. This includes some 1.5 million world government emails and 625,000-ish U.S. government passwords. Gets your attention, doesn’t it?

My colleague and fellow analyst here at Futurum Fred McClimans, and I covered this leak in a recent episode of our Futurum Tech Webcast Cybersecurity Shorts series. You can watch the video conversation here:

Or grab the audio here:

A Look at the Numbers in this Data Compilation

Want to see the numbers? Of course you do. The bulk of the exposed passwords were from .gov email addresses in the United States (625,505 email addresses), email addresses in the U.K. (205,099 email addresses) and email addresses in Australia (136,025 email addresses).

The top domains impacted by this leak? All U.S. government agencies, including the following:

[Image: top U.S. government domains impacted by the leak. Image credit: The Hacker News]


Password Leaks Are Window Into Easily Exploitable Human Behavior for Threat Actors

One of the most alarming things about the massive availability of passwords and email addresses, which we covered in this conversation, is that it likely shows hackers a lot about human behavior as it relates to passwords, providing insight into both current and past passwords. For instance, one entry in the email/password database might be:
password: 47Fr#8%xyP!

And that same email could be in there again (remember, this is covering a period of perhaps a number of years) like this:
password: 47Fr#8%xyP!1

and again
password: 47Fr#8%xyP!2

People are creatures of habit and are annoyed by password changes. They are predictable and they like the easy button. For threat actors, it would not be hard to break into skramer’s email after just a few attempts once they can easily see her password habits. This is also true for the thousands of people who insist on using the same password across multiple sites. Once a hacker has one iteration of a user name/password pair, it’s not at all difficult to try it in multiple places. This is bad enough at the enterprise level (or in any organization), but we’re talking about government entities, and the problem is a big one.
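As an added defender-side illustration (not code from the post or from Syhunt), assume an organization has obtained the records for its own domain from a compilation in the common email:password line format. This flags accounts whose leaked history follows the incremental-suffix habit described above, so those accounts can be reset first and checked against a breached-password list. All addresses and passwords below are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in "email:password" line form (nothing here is a real record).
SAMPLE_LINES = """\
skramer@example.gov:47Fr#8%xyP!
skramer@example.gov:47Fr#8%xyP!1
skramer@example.gov:47Fr#8%xyP!2
jdoe@example.gov:Winter2019
jdoe@example.gov:Summer2020
fmc@example.gov:correct-horse-battery
"""

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")

def _stem(pw: str) -> str:
    """Strip a trailing digit run so 'xyP!1' and 'xyP!2' share the stem 'xyP!'.
    An all-digit password keeps itself as its stem."""
    m = _TRAILING_DIGITS.match(pw)
    return m.group(1) if m and m.group(1) else pw

def parse_dump(text: str) -> Dict[str, List[str]]:
    """Group passwords by email. Split on the first ':' only, so a password
    that itself contains ':' is not truncated."""
    by_email: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than guess at them
        email, pw = line.split(":", 1)
        by_email[email.strip().lower()].append(pw)
    return by_email

def find_predictable_accounts(text: str) -> Dict[str, Tuple[str, int]]:
    """Return email -> (shared stem, variant count) for each account whose
    leaked passwords differ only by a trailing counter."""
    flagged: Dict[str, Tuple[str, int]] = {}
    for email, pws in parse_dump(text).items():
        stems: Dict[str, set] = defaultdict(set)
        for pw in pws:
            stems[_stem(pw)].add(pw)
        for stem, variants in stems.items():
            if len(variants) >= 2:
                flagged[email] = (stem, len(variants))
    return flagged

if __name__ == "__main__":
    for email, (stem, n) in find_predictable_accounts(SAMPLE_LINES).items():
        print(f"{email}: {n} variants of '{stem}' -> reset and re-screen")
```

Seasonal rotations such as the jdoe entries are a different habit and are deliberately not caught here; extend `_stem` if that pattern matters in your data.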

In its coverage of this breach, Syhunt pointed out the danger of deep learning tools being applied to the COMB leak, which increases the risk exponentially. Bottom line, 100 gigs of 3.2 billion leaked passwords, leading directly to government entities across the world is about as serious as it gets.

If cybersecurity is your thing, make sure to subscribe to our webcast. You’ll find us on YouTube and can easily subscribe to the Cybersecurity Shorts playlist here.

You can grab the podcast on your podcast channel of choice and also subscribe.

Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.


Author Information

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”

