Search
Close this search box.

Our Perspective on the “Collection” Combo Lists

The SpyCloud Perspective on the Collection #1 lists

February 2021 Update: What is Combolist 3.2b? A few major combolists have been re-released as the COMB (Combination of Many Breaches) combolist. This appears to be a sorted and deduped version of previously leaked combolists, not new information. That said, this is a good reminder that old data can still be useful to criminals; threat actors are no doubt running credential stuffing attacks with the COMB list, so any accounts using the same logins and passwords could still be in jeopardy.

There’s been a lot of buzz over a recent so-called “superbreach” collectively referred to as Collection #1. Containing over 772,904,991 unique email addresses and over 21 million passwords, this incident already stands out in terms of its sheer magnitude of exposure. It certainly doesn’t help that the data was reportedly posted to a publicly-accessible online forum. A sampling of a few news articles about the combolist breach gives you an idea how this event spread like wildfire through both social media and mainstream news outlets:

Was this really a new “Monster” breach?

In short, no. This collection was comprised of “combolists.” In other words, a rehash of old breaches.

What is a combolist?

The proliferation of stolen or leaked databases has given rise to credential stuffing, a fairly simple technique in which criminals load lists of previously breached credentials (from Linkedin, MyFitnessPal, MySpace, etc.), called combolists, into automated brute-forcing tools to test credentials en masse. These tools test stolen passwords against thousands of targeted websites and applications until there is a match.

To understand it better, check out this step-by-step and video demo of a successful credential stuffing attack that we put together: The Anatomy of Credential Stuffing

Combolists are usually not that interesting from a security standpoint because they are full of duplicate records. In many cases, duplicates of duplicates of duplicates. It’s also important to note that these old passwords still matter. SpyCloud analysts published content on this subject in light of the epidemic of password reuse. As increasingly more websites and applications require account creation, people simply can’t recall the many unique passwords they use between accounts. To make things easier, they reuse passwords amongst multiple sites, recycle old passwords and/or make only slight modifications to existing passwords. For criminals, this makes account takeover easier than ever – especially with the help of massive combolists such as the one recently disclosed.

What was actually shared?

The combolists were initially shared via the hosting service MEGA. The “Collection #1” list was actually only part 1 of 7 totaling more than 8B username and password records:

  • Collection #1 1,013,050,906
  • Collection #2 3,040,689,677
  • Collection #3 69,747,990
  • Collection #4 1,835,141,695
  • Collection #5 540,972,614
  • AntiPublic #1 1,737,991,372
  • AntiPublic #2 517,524,658

Combined List Totals:

  • 19,144,865,944
    Total non-unique & non-deduplicated records
  • 8,755,118,912
    Total unique per file, non-deduplicated records
  • 3,051,257,458
    Total unique, deduplicated records
  • 114,993
    Files

TOTALING 1043.42GB

Collection #1

87.16GB of data, located in 40 folders across 12,368 files totaling 2,692,818,238 credentials, 1,013,050,906 of them unique.

TOP SOURCED BREACHES
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 54.6% 557,033,337
Exploit.in combolist 33.54% 342,242,366
Anti-Public Combolist 26.61% 271,487,883
Jadid List from Pemiblanc.com 11.02% 112,428,204
MySpace 10.99% 112,129,808
Pemiblanc.com 8.14% 83,072,632
Badoo 5.95% 60,739,773
Zoosk 5.00% 51,001,545
Evony 2.73% 27,837,949
LinkedIn 2.48% 25,311,057
Gmail Combolist 1.80% 18,380,128
Last.fm 1.46% 14,892,975
Chinese/Japanese Combolist 1.36% 13,922,272
NetEase 1.33% 13,568,773
Fling 1.31% 13,350,260
Twitter 1.20% 12,196,329
Mate1 1.19% 12,128,369
Russian Bitcoin Security Forum Account Dump 0.93% 9,495,814
Neopets 0.88% 8,958,608
LifeBoat Network 0.83% 8,505,854
LSGB.net 0.83% 8,417,669
000webhost 0.82% 8,338,620
VK 0.82% 8,316,066
Gamigo AG 0.79% 8,090,839
Online Shopping Combolist 0.70% 7,136,783
Gaming Account Combolist 0.70% 7,104,830
Onliner Spambot Credentials 0.70% 7,101,327
BTC-E 0.65% 6,638,226
Gaming Combolist 0.65% 6,605,114
Netlog 0.63% 6,5,165
Youku 0.62% 6,33,283
Aipai 0.49% 4,953,090

Top affected email domains
Source of Breached Data Frequency Number of Records
yahoo.com 20.58% 209,948,106
hotmail.com 13.23% 135,005,359
mail.ru 11.470% 117,027,547
gmail.com 10.31% 105,207,188
aol.com 2.34% 23,898,357
bk.ru 1.76% 17,967,891
yahoo.co.uk 1.55% 15,843,691
hotmail.co.uk 1.51% 15,416,948
hotmail.fr 1.31% 13,368,990
list.ru 1.21% 12,387,052
live.com 1.11% 11,322,952
qq.com 1.04% 10,557,793

Collection #2

528.1GB of data, located in 127 folders across 24,921 files totalling 7,442,265,404 credentials, 3,040,689,677 of them unique.

TOP SOURCED BREACHES
Source of Breached DataFrequencyNumber of Records
Combolist of 1.4 Billion Credentials39.00%1,198,031,731
Collection #1 Combolist32.12%986,733,705
Exploit.in combolist18.20%558,943,984
Anti-Public Combolist16.43%504,813,202
Jadid List from Pemiblanc.com10.81%331,973,029
MySpace9.16%281,312,439
Pemiblanc.com3.36%103,165,531
Badoo3.07%94,240,322
Rambler.ru2.94%90,365,488
VK2.62%80,376,623
LinkedIn1.97%60,429,960
Zoosk1.67%51,375,989
Fling1.30%39,896,635
Last.fm1.06%32,478,455
Active Account Cracking List1.02%32,329,128
NetEase0.98%29,982,806
Neopets0.92%28,347,001
Evony0.91%28,041,079
Mate10.86%26,550,966
Twitter0.81%24,990,114
Tianya0.77%23,662,666
Gmail Combolist0.63%19,226,272
Chinese/Japanese Combolist0.45%13,917,735
Onliner Spambot Credentials0.39%12,000,260
000webhost0.39%11,990,669
Russian Bitcoin Security Forum Account Dump0.31%9,501,017
Netlog0.31%9,396,206
Youku0.30%9,063,630
Online Shopping Combolist0.29%8,815,288
LifeBoat Network0.28%8,500,595
LSGB.net0.27%8,422,575
BTC-E0.27%8,256,465
Gamigo AG0.26%8,094,050
Top sourced email domains
Source of Breached Data Frequency Number of Records
mail.ru 13.464% 413,616,269
yahoo.com 12.63% 387,858,799
hotmail.com 9.82% 301,642,370
gmail.com 8.41% 258,332,308
rambler.ru 6.27% 192,601,652
yandex.ru 5.17% 158,735,410
bk.ru 2.59% 79,497,252
aol.com 2.39% 73,499,662
list.ru 2.14% 65,773,840
inbox.ru 2.08% 64,027,090
qip.ru 1.02% 31,462,518

Collection #3

37.18GB of data, located in 11 folders across 1,284 files totalling 276,931,143 credentials, 69,963,948 of them unique.

TOP SOURCED BREACHES
Source of Breached DataFrequencyNumber of Records
Combolist of 1.4 Billion Credentials40.63%56,682,114
Collection #1 Combolist27.06%37,747,154
Exploit.in combolist26.37%36,790,546
LinkedIn24.06%33,564,270
Anti-Public Combolist14.91%20,795,029
Jadid List from Pemiblanc.com7.89%10,998,869
Russian Bitcoin Security Forum Account Dump6.80%9,487,226
Gmail Combolist4.66%6,503,302
Pemiblanc.com3.33%4,642,283
Active Account Cracking List2.01%2,801,989
VK1.94%2,705,590
Origin1.84%2,568,187
MySpace1.75%2,447,194
Gaming Account Combolist1.33%1,860,541
Onliner Spambot Credentials1.33%1,857,224
Yandex0.85%1,186,528
Twitter0.83%1,156,535
Last.fm0.82%1,141,550
Zoosk0.74%1,033,159
Mate10.74%1,026,261
Nulled.io Combolist0.73%1,021,460
Gaming Combolist0.73%1,016,470
Netlog0.55%772,050
Brazzers0.55%765,190
Active Combolist0.53%739,118
Online Shopping Combolist0.49%684,280
Badoo0.47%661,366
700K PayPal Combolist0.47%653,926
Evony0.45%620,595
Comcast0.42%590,235
ClixSense0.41%575,221
Top email domains
Source of Breached Data Frequency Number of Records
gmail.com 9.69% 13,520,737
yahoo.com 6.26% 8,727,610
hotmail.com 5.98% 8,335,071
mail.ru 3.82% 5,332,807
rambler.ru 3.06% 4,263,833
yandex.ru 1.95% 2,719,125
aol.com 1.026% 1,431,043
outlook.com 0.86% 1,202,887
comcast.net 0.77% 1,068,243
msn.com 0.35% 481,349
yahoo.co.uk 0.34% 474,243

Collection #4

228.89GB of data, located in 16 folders across 57,255 files totalling 3,425,900,836 credentials, 1,835,141,695 of them unique.

TOP SOURCED BREACHES
Source of Breached DataFrequencyNumber of Records
Combolist of 1.4 Billion Credentials45.56%836,160,449
Collection #1 Combolist43.20%792,790,090
Exploit.in combolist26.72%490,429,612
Anti-Public Combolist17.41%319,429,445
Jadid List from Pemiblanc.com8.84%162,152,918
MySpace7.44%136,532,696
Pemiblanc.com4.96%91,028,726
Badoo3.80%69,761,461
VK3.45%63,351,699
Zoosk2.79%51,198,843
LinkedIn2.22%40,690,000
Last.fm1.67%30,665,474
Evony1.53%28,025,404
Mate11.38%25,300,197
Twitter1.30%23,823,952
Tianya1.27%23,306,957
Active Account Cracking List1.21%22,295,540
NetEase1.02%18,781,188
Gmail Combolist0.76%14,017,298
Chinese/Japanese Combolist0.76%13,912,430
Neopets0.72%13,277,226
Fling0.66%12,170,227
Russian Bitcoin Security Forum Account Dump0.52%9,444,118
000webhost0.46%8,908,367
LifeBoat Network0.46%8,466,485
LSGB.net0.46%8,394,233
Gamigo AG0.44%8,093,098
Online Shopping Combolist0.44%8,086,511
Netlog0.43%7,929,149
Onliner Spambot Credentials0.43%7,921,993
Gaming Account Combolist0.43%7,895,059
BTC-E0.40%7,377,639
Youku0.38%7,032,534
Top email domains
Source of Breached Data Frequency Number of Records
mail.ru 17.75% 325,775,839
yahoo.com 13.40% 245,808,067
hotmail.com 11.07% 203,067,172
gmail.com 9.63% 176,701,801
yandex.ru 2.91% 53,452,417
bk.ru 2.90% 53,264,022
aol.com 2.49% 45,656,931
list.ru 2.41% 44,233,972
rambler.ru 2.34% 42,962,356
inbox.ru 2.17% 39,747,932
web.de 1.03% 18,982,748
hotmail.fr 0.88% 16,181,028

Collection #5

40.56GB of data, located in 45 folders across 16,022 files totalling 1,282,149,565 credentials, 546,046,140 of them unique.

TOP SOURCED BREACHES
Source of Breached DataFrequencyNumber of Records
Collection #1 Combolist62.29%336,950,930
Combolist of 1.4 Billion Credentials44.79%242,320,804
Exploit.in combolist24.14%130,607,874
Anti-Public Combolist24.09%130,300,314
Jadid List from Pemiblanc.com11.73%63,439,994
MySpace8.93%48,301,150
Pemiblanc.com7.09%38,337,691
Badoo5.87%31,745,354
Evony5.13%27,743,386
Active Account Cracking List2.93%15,837,166
LinkedIn2.43%13,167,364
Chinese/Japanese Combolist2.36%12,756,046
Zoosk2.14%11,587,605
Last.fm1.88%10,153,099
LifeBoat Network1.53%8,285,221
LSGB.net1.52%8,233,652
Gamigo AG1.50%8,090,443
Twitter1.41%7,614,039
Gaming Combolist1.212%6,577,747
Fling1.15%6,210,287
NetEase1.13%6,088,551
Onliner Spambot Credentials1.11%5,995,176
VK1.05%5,679,875
BTC-E1.05%5,675,719
Youku1.02%5,509,458
Gmail Combolist0.91%4,916,990
Aipai0.89%4,825,959
Russian Bitcoin Security Forum Account Dump0.85%4,574,582
Neopets0.80%4,329,638
Gaming Account Combolist0.77%4,185,604
Cupid Media0.65%3,500,595
Mate10.64%3,463,105
Top email domains
Source of Breached Data Frequency Number of Records
yahoo.com 16.23% 87,774,653
gmail.com 11.05% 59,756,314
hotmail.com 10.321% 55,835,653
mail.ru 7.55% 40,853,067
yandex.ru 4.24% 22,936,274
aol.com 2.79% 15,112,001
rambler.ru 2.06% 11,137,254
hotmail.fr 1.07% 5,766,713
qq.com 1.07% 5,761,870
web.de 1.00% 5,429,255
bk.ru 0.97% 5,241,275

Antipublic #1

102.04GB of data, located in 1 folders across 303 files totalling 3,357,024,659 credentials, 1,750,879,665 of them unique.

TOP SOURCED BREACHES
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 61.34% 1,066,113,758
Collection #2 Combo List 53.18% 924,311,303
Collection #1 Combo List 37.91% 658,901,716
Exploit.in combolist 30.02% 521,733,918
Anti-Public Combolist 28.90% 502,337,232
MySpace 15.89% 276,147,474
Jadid List from Pemiblanc.com 11.23% 195,139,016
Rambler.ru 5.18% 90,098,886
Badoo 5.15% 89,495,410
Pemiblanc.com 4.92% 85,515,628
VK 4.418% 76,791,789
LinkedIn 3.10% 53,947,214
Zoosk 2.94% 51,029,988
Active Account Cracking List 1.85% 32,134,781
Fling 1.56% 27,018,773
Mate1 1.50% 26,063,474
Neopets 1.48% 25,745,619
Twitter 1.34% 23,244,569
Last.fm 1.20% 20,784,007
Gmail Combolist 1.06% 18,413,499
000webhost 0.61% 10,540,792
NetEase 0.583% 10,136,099
Onliner Spambot Credentials 0.58% 10,030,475
Russian Bitcoin Security Forum Account Dump 0.55% 9,496,887
Gaming Account Combolist 0.44% 7,575,398
Netlog 0.43% 7,566,811
Online Shopping Combolist 0.43% 7,550,468
Evony 0.42% 7,354,689
BTC-E 0.36% 6,237,555
Gamigo AG 0.34% 5,817,239
Tianya 0.33% 5,807,534
Top email domains
     
Source of Breached Data Frequency Number of Records
yahoo.com 16.53% 287,355,806
hotmail.com 11.54% 200,627,856
mail.ru 9.49% 164,910,297
rambler.ru 8.35% 145,191,716
gmail.com 8.08% 140,346,073
yandex.ru 5.93% 103,122,437
aol.com 2.89% 50,157,274
bk.ru 1.52% 26,456,441
list.ru 1.34% 23,247,075
inbox.ru 1.24% 21,580,101
hotmail.fr 1.08% 18,742,062
web.de 0.92% 15,996,159

Antipublic MYR and Zabagor #2

19.49GB of data, located in 1 folders across 2,840 files totalling 667,776,099 credentials, 532,975,653 of them unique.

TOP SOURCED BREACHES
Source of Breached DataFrequencyNumber of Records
Jadid List from Pemiblanc.com63.10%326,572,962
Collection #2 Combolist40.22%208,169,675
Combolist of 1.4 Billion Credentials38.13%197,328,290
Collection #1 Combolist30.72%158,980,550
Exploit.in combolist17.35%89,794,881
Anti-Public Combolist12.24%63,349,482
Fling7.19%37,232,553
Pemiblanc.com6.98%36,130,489
MySpace2.80%14,465,565
NetEase2.28%11,775,608
VK2.19%11,308,046
Neopets1.22%6,333,700
Russian Bitcoin Security Forum Account Dump1.2%6,236,377
Taobao1.17%6,064,128
171731.16%6,002,891
Badoo0.96%4,983,317
LinkedIn0.96%4,970,450
Active Account Cracking List0.88%4,565,422
Zoosk0.87%4,494,328
Twitter0.84%4,342,875
Last.fm0.82%4,266,588
LifeBoat Network0.76%3,940,683
LSGB.net0.76%3,925,897
Dodonew0.70%3,611,533
Gmail Combolist0.69%3,559,567
7k7k0.65%3,360,341
Gaming Account Combolist0.60%3,107,004
UUU90.58%2,981,890
Gaming Combolist0.52%2,672,002
Yue0.46%2,354,049
000webhost0.45%2,314,054
Sprashivai0.44%2,279,753
Ask RU0.44%2,279,441
Youku0.41%2,095,699
Mate10.41%2,093,663
Top email domains
Source of Breached Data Frequency Number of Records
mail.ru 23.11% 119,604,468
yahoo.com 9.60% 49,686,353
rambler.ru 8.75% 45,267,319
gmail.com 6.89% 35,666,828
hotmail.com 6.75% 34,935,775
yandex.ru 6.68% 34,576,801
bk.ru 5.53% 28,590,872
inbox.ru 5.08% 26,291,251
list.ru 4.72% 24,443,179
aol.com 2.36% 12,193,502
qq.com 1.41% 7,297,787
comcast.net 1.39% 7,194,809

Each of these files were hosted on popular hosting site MEGA, which allows anyone to download ephemeral files for short time periods These lists have since been copied and shared across numerous public forums and downloaded through numerous torrents.

Screenshot of files as shown on “MEGA.”

How can I determine if my email and password was in Collection 1-5 and the two new Antipublic lists?

If you would like to see if your credentials are in a user/pass combolist, you can activate a free individual account on our website. SpyCloud provides free, fully-automated and secure subscriptions to individuals.

In addition, SpyCloud empowers you with the ability to click on “sightings” so you can see just how many times the credentials have been sighted in prior breaches and where they more than likely originated from.

Screenshot of SpyCloud dashboard showing sightings of example credentials in our database.

Screenshot of SpyCloud dashboard showing sightings of example credentials in our database.

What are best practices for protecting my individual passwords?

We highly recommend the use of a password manager so that all of your passwords are unique and easily managed. We also recommend that you enable two factor authentication (2FA) for all of your accounts – both professional and personal.

How can I protect my employees from credential stuffing?

At SpyCloud, we aim to empower our customers through actionable and proactive solutions by automating ATO prevention and letting them know their exposure so that they can remediate potential problems before they occur. Our researchers have deep expertise in the tactics, techniques and procedures (TTP’s) leveraged by criminals dealing in account takeover. We routinely see credentials along with a victim’s PII for sale on dark net markets and within private communities. This information translates directly to account takeover, which can be automated to scale attacks to massive levels.

How SpyCloud analyzes credential theft attempts in near real-time

It’s easy to integrate SpyCloud’s API into your current application orActive Directory, to identify when your users’ credentials have been exposed and reset their passwords proactively when there is a match. Additionally, our solutions can empower your employees and users not to pick a password that has already been exposed with our NIST password screening capabilities.

In light of this news about the Collections combolist and the COMB combolist 3.2b dark web release, it’s important to remember that, regardless of the size of any active combolist, the prescription is the same: 1) don’t reuse passwords and 2) enable multi-factor authentication. For organizations, remember that behavioral changes across organizations take time. A safety net such as SpyCloud can, if anything, provide peace of mind for business leaders and individuals alike.

Recent Posts

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

The 2024 Malware & Ransomware Defense Report is here. Read it now

X
Search
Close this search box.