The News: Findings from Syhunt, an application security assessment firm that helps organizations actively guard their mobile and web apps, reported recently on the biggest known compilation of password leaks by a hacker on an internet form. The 100GB data set, called COMB21 (a/k/a Compilation of Many Breaches) was published on an online forum on February 2, 2021 and the ties to government emails are, at best, alarming. Read more at Syhunt.
In Hacking News: 3.2 Billion Leaked Passwords Contain 1.5 Million Records and Ties to Government Emails
Analyst Take: Online cybercrime forums are where hackers post passwords, links, and other information related to data breaches, and the COMB21 data set is one gigantic data set. This particular data set is the result of data pulled together from a variety of sources and comes from leaks and breaches of a variety of organizations (and government entities) over a fairly significant period of time. The potential impact is — significant. For starters, there were some 3.2 billion passwords from 2.18 million unique emails and 26 million email domains in the COMB21 data. This includes some 1.5 million world government emails and 625,000-ish U.S. government passwords. Gets your attention, doesn’t it?
My colleague and fellow analyst here at Futurum Fred McClimans, and I covered this leak in a recent episode of our Futurum Tech Webcast Cybersecurity Shorts series. You can watch the video conversation here:
Or grab the audio here:
A Look at the Numbers in this Data Compilation
Want to see the numbers? Of course you do. The bulk of the exposed passwords were from .gov email addresses in the United States (625,505 email addresses), .gov.uk email addresses in the U.K. (205,099 email addresses) and .gov.au email addresses in Australia (136,025 email addresses).
The top domains impacted by this leak? All U.S. government agencies, including the following:
Password Leaks Are Window Into Easily Exploitable Human Behavior for Threat Actors
One of the most alarming things about the massive availability of passwords and email addresses, and which we covered in this conversation is that this likely shows hackers a lot about human behavior as it relates to passwords, providing insight on current and past passwords. For instance, one entry in the email/password database might be:
And that same email could be in there again (remember, this is covering a period of perhaps a number of years) like this:
People are creatures of habits and are annoyed by password changes. They are predictable and they like the easy button. For threat actors, it would not be hard to break into skramer’s email after just a few attempts once they are able to easily see her password habits/behavior. This is also true for the thousands of people who insist on using the same password across multiple sites. Once a hacker has one iteration of a user name/password, it’s not at all difficult to try it in multiple places. This is bad enough at the enterprise level (or in any organization) but we’re talking about government entities, and the problem is a big one.
In its coverage of this breach, Syhunt pointed out the danger of deep learning tools being applied to the COMB leak, which increases the risk exponentially. Bottom line, 100 gigs of 3.2 billion leaked passwords, leading directly to government entities across the world is about as serious as it gets.
If cybersecurity is your thing, make sure to subscribe to our webcast. You’ll find us on YouTube and can easily subscribe to the Cybersecurity Shorts playlist here.
You can grab the podcast on your podcast channel of choice and also subscribe.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.