Our Perspective on the "Collection" Combo Lists

February 6, 2019 Nate Pruitt
The SpyCloud Perspective on the Collection #1 lists

There’s been a lot of buzz over a recent so-called “superbreach” collectively referred to as Collection #1. Containing over 772,904,991 unique email addresses and over 21 million passwords, this incident already stands out in terms of its sheer magnitude of exposure. It certainly doesn’t help that the data was reportedly posted to a publicly-accessible online forum. A sampling of a few news articles gives you an idea how this event spread like wildfire through both social media and mainstream news outlets.

Wired – “An Astonishing 773 Million Records Exposed in Monster Breach”

The Guardian – “Largest Collection Ever of Breached Data Found”

Gizmodo – “Mother of All Breaches Exposes 773 Million Emails, 21 Million Passwords”

Was this really a new “Monster” breach?

In short, no. This collection was made up of what are known as “combo lists”: in other words, a rehash of old breaches.

What are combo lists?

The proliferation of stolen or leaked databases has given rise to credential stuffing, a fairly simple technique in which criminals load lists of previously breached credentials (from LinkedIn, MySpace, etc.), called combo lists, into automated brute-forcing tools to test credentials en masse. These tools test stolen passwords against thousands of targeted websites and applications until there is a match.

To understand it better, check out this step-by-step and video demo of a successful credential stuffing attack that we recently put together: The Anatomy of Credential Stuffing

Combo lists are usually not that interesting from a security standpoint because they are full of duplicate records. In many cases, duplicates of duplicates of duplicates. It’s also important to note that these old passwords still matter. SpyCloud analysts published content on this subject in light of the epidemic of password reuse. As more and more websites and applications request login registration, people simply can’t recall the many unique passwords they use between accounts. To make things easier, they reuse passwords amongst multiple sites, recycle old passwords and/or make only slight modifications to existing passwords. For criminals, this makes account takeover easier than ever, especially with the help of massive combo lists such as the one recently disclosed.
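On the defending side, the pattern described above (one source working through many accounts, almost all attempts failing) can be picked out of authentication logs. The following is an added example, not code from the original article; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log format, constructed for this example; adapt the regex to your own logs.
LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

def sample_log():
    """Constructed events: one list-walking source, one mistyping user, one office NAT."""
    lines = []
    for i in range(8):  # 8 different accounts, one try each, a single hit
        result = "ok" if i == 5 else "fail"
        lines.append(f"2019-01-17T10:00:0{i}Z ip=203.0.113.7 "
                     f"user=user{i}@example.com result={result}")
    lines.append("2019-01-17T10:01:00Z ip=198.51.100.20 user=carol@example.com result=fail")
    lines.append("2019-01-17T10:01:09Z ip=198.51.100.20 user=carol@example.com result=ok")
    for name in ("dave", "erin", "frank", "grace", "heidi"):  # shared egress IP
        lines.append(f"2019-01-17T10:02:00Z ip=192.0.2.10 user={name}@example.com result=ok")
    return lines

def find_stuffing_sources(lines, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {ip: {"distinct_users", "attempts", "hits"}}; "hits" are accounts
    that logged in successfully from a flagged source and need a forced reset.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": []})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ignore lines that are not login events
        s = stats[m["ip"]]
        s["users"].add(m["user"].lower())
        s["attempts"] += 1
        if m["result"] == "ok":
            s["hits"].append(m["user"].lower())
    flagged = {}
    for ip, s in stats.items():
        ratio = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "hits": sorted(set(s["hits"]))}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(sample_log()).items():
        print(ip, info)
```

Grouping by source IP is a simplification: the same two signals (distinct accounts tried, success ratio) can be computed per network range, user agent or time window when attempts are spread across many addresses.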

What was actually shared?

The combo lists were initially shared via the hosting service MEGA. The so-named “Collection #1” list was actually only part 1 of 7 totalling more than 8B username and password records:

Combined List Totals:

19,144,865,944 total non-unique and non-deduplicated records
8,755,118,912 total unique-per-file, non-deduplicated records
3,051,257,458 total unique, deduplicated records
114,993 files totalling 1043.42GB
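The three record counts above differ only in where duplicates are removed: nowhere, within each file, or across the whole set. The following added example (not code from the original article) computes all three, plus a domain ranking like the tables below, over constructed sample files; the `email:password` / `email;password` line format and the case-insensitive comparison of addresses are assumptions.

```python
# Constructed sample: three small "files" with overlapping records.
SAMPLE_FILES = {
    "part1.txt": "alice@example.com:hunter2\nbob@example.org:letmein\nalice@example.com:hunter2\n",
    "part2.txt": "bob@example.org:letmein\ncarol@example.net;qwerty\nnot a credential line\n",
    "part3.txt": "ALICE@example.com:hunter2\ndave@example.org:pass:word\n",
}

def parse_line(line):
    """Return (email, password) for 'email:password' or 'email;password', else None."""
    line = line.strip()
    for i, ch in enumerate(line):
        if ch in ":;":  # split on the FIRST separator so passwords may contain ':'
            email, password = line[:i], line[i + 1:]
            if "@" in email and password:
                # Assumption: addresses are compared case-insensitively.
                return email.lower(), password
            return None
    return None

def combo_stats(files):
    """Count records three ways: raw, unique within each file, unique overall."""
    total = 0
    unique_per_file = 0
    overall = set()
    for text in files.values():
        seen = set()
        for line in text.splitlines():
            record = parse_line(line)
            if record is None:
                continue  # skip junk lines instead of counting them
            total += 1
            seen.add(record)
        unique_per_file += len(seen)  # duplicates across files still counted
        overall |= seen               # duplicates across files removed
    domains = {}
    for email, _ in overall:
        domain = email.rsplit("@", 1)[1]
        domains[domain] = domains.get(domain, 0) + 1
    ranked = sorted(domains.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"total": total, "unique_per_file": unique_per_file,
            "unique": len(overall), "domains": ranked}

if __name__ == "__main__":
    print(combo_stats(SAMPLE_FILES))
```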


Collection #1

87.16GB of data, located in 40 folders across 12,368 files totalling 2,692,818,238 credentials, 1,013,050,906 of them unique.

TOP SOURCED BREACHES

     
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 54.6% 557,033,337
Exploit.in combolist 33.54% 342,242,366
Anti-Public Combolist 26.61% 271,487,883
Jadid List from Pemiblanc.com 11.02% 112,428,204
MySpace 10.99% 112,129,808
Pemiblanc.com 8.14% 83,072,632
Badoo 5.95% 60,739,773
Zoosk 5.00% 51,001,545
Evony 2.73% 27,837,949
LinkedIn 2.48% 25,311,057
Gmail Combolist 1.80% 18,380,128
Last.fm 1.46% 14,892,975
Chinese/Japanese Combolist 1.36% 13,922,272
NetEase 1.33% 13,568,773
Fling 1.31% 13,350,260
Twitter 1.20% 12,196,329
Mate1 1.19% 12,128,369
Russian Bitcoin Security Forum Account Dump 0.93% 9,495,814
Neopets 0.88% 8,958,608
LifeBoat Network 0.83% 8,505,854
LSGB.net 0.83% 8,417,669
000webhost 0.82% 8,338,620
VK 0.82% 8,316,066
Gamigo AG 0.79% 8,090,839
Online Shopping Combolist 0.70% 7,136,783
Gaming Account Combolist 0.70% 7,104,830
Onliner Spambot Credentials 0.70% 7,101,327
BTC-E 0.65% 6,638,226
Gaming Combolist 0.65% 6,605,114
Netlog 0.63% 6,5,165
Youku 0.62% 6,33,283
Aipai 0.49% 4,953,090

Top affected email domains

     
Email Domain Frequency Number of Records
yahoo.com 20.58% 209,948,106
hotmail.com 13.23% 135,005,359
mail.ru 11.470% 117,027,547
gmail.com 10.31% 105,207,188
aol.com 2.34% 23,898,357
bk.ru 1.76% 17,967,891
yahoo.co.uk 1.55% 15,843,691
hotmail.co.uk 1.51% 15,416,948
hotmail.fr 1.31% 13,368,990
list.ru 1.21% 12,387,052
live.com 1.11% 11,322,952
qq.com 1.04% 10,557,793

Collection #2

528.1GB of data, located in 127 folders across 24,921 files totalling 7,442,265,404 credentials, 3,040,689,677 of them unique.

TOP SOURCED BREACHES

     
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 39.00% 1,198,031,731
Collection #1 Combo List 32.12% 986,733,705
Exploit.in combolist 18.20% 558,943,984
Anti-Public Combolist 16.43% 504,813,202
Jadid List from Pemiblanc.com 10.81% 331,973,029
MySpace 9.16% 281,312,439
Pemiblanc.com 3.36% 103,165,531
Badoo 3.07% 94,240,322
Rambler.ru 2.94% 90,365,488
VK 2.62% 80,376,623
LinkedIn 1.97% 60,429,960
Zoosk 1.67% 51,375,989
Fling 1.30% 39,896,635
Last.fm 1.06% 32,478,455
Active Account Cracking List 1.02% 32,329,128
NetEase 0.98% 29,982,806
Neopets 0.92% 28,347,001
Evony 0.91% 28,041,079
Mate1 0.86% 26,550,966
Twitter 0.81% 24,990,114
Tianya 0.77% 23,662,666
Gmail Combolist 0.63% 19,226,272
Chinese/Japanese Combolist 0.45% 13,917,735
Onliner Spambot Credentials 0.39% 12,000,260
000webhost 0.39% 11,990,669
Russian Bitcoin Security Forum Account Dump 0.31% 9,501,017
Netlog 0.31% 9,396,206
Youku 0.30% 9,063,630
Online Shopping Combolist 0.29% 8,815,288
LifeBoat Network 0.28% 8,500,595
LSGB.net 0.27% 8,422,575
BTC-E 0.27% 8,256,465
Gamigo AG 0.26% 8,094,050

Top sourced email domains

     
Email Domain Frequency Number of Records
mail.ru 13.464% 413,616,269
yahoo.com 12.63% 387,858,799
hotmail.com 9.82% 301,642,370
gmail.com 8.41% 258,332,308
rambler.ru 6.27% 192,601,652
yandex.ru 5.17% 158,735,410
bk.ru 2.59% 79,497,252
aol.com 2.39% 73,499,662
list.ru 2.14% 65,773,840
inbox.ru 2.08% 64,027,090
qip.ru 1.02% 31,462,518

Collection #3

37.18GB of data, located in 11 folders across 1,284 files totalling 276,931,143 credentials, 69,963,948 of them unique.

TOP SOURCED BREACHES

     
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 40.63% 56,682,114
Collection #1 Combo List 27.06% 37,747,154
Exploit.in combolist 26.37% 36,790,546
LinkedIn 24.06% 33,564,270
Anti-Public Combolist 14.91% 20,795,029
Jadid List from Pemiblanc.com 7.89% 10,998,869
Russian Bitcoin Security Forum Account Dump 6.80% 9,487,226
Gmail Combolist 4.66% 6,503,302
Pemiblanc.com 3.33% 4,642,283
Active Account Cracking List 2.01% 2,801,989
VK 1.94% 2,705,590
Origin 1.84% 2,568,187
MySpace 1.75% 2,447,194
Gaming Account Combolist 1.33% 1,860,541
Onliner Spambot Credentials 1.33% 1,857,224
Yandex 0.85% 1,186,528
Twitter 0.83% 1,156,535
Last.fm 0.82% 1,141,550
Zoosk 0.74% 1,033,159
Mate1 0.74% 1,026,261
Nulled.io Combolist 0.73% 1,021,460
Gaming Combolist 0.73% 1,016,470
Netlog 0.55% 772,050
Brazzers 0.55% 765,190
Active Combolist 0.53% 739,118
Online Shopping Combolist 0.49% 684,280
Badoo 0.47% 661,366
700K PayPal Combolist 0.47% 653,926
Evony 0.45% 620,595
Comcast 0.42% 590,235
ClixSense 0.41% 575,221

Top email domains

     
Email Domain Frequency Number of Records
gmail.com 9.69% 13,520,737
yahoo.com 6.26% 8,727,610
hotmail.com 5.98% 8,335,071
mail.ru 3.82% 5,332,807
rambler.ru 3.06% 4,263,833
yandex.ru 1.95% 2,719,125
aol.com 1.026% 1,431,043
outlook.com 0.86% 1,202,887
comcast.net 0.77% 1,068,243
msn.com 0.35% 481,349
yahoo.co.uk 0.34% 474,243

Collection #4

228.89GB of data, located in 16 folders across 57,255 files totalling 3,425,900,836 credentials, 1,835,141,695 of them unique.

TOP SOURCED BREACHES

     
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 45.56% 836,160,449
Collection #1 Combo List 43.20% 792,790,090
Exploit.in combolist 26.72% 490,429,612
Anti-Public Combolist 17.41% 319,429,445
Jadid List from Pemiblanc.com 8.84% 162,152,918
MySpace 7.44% 136,532,696
Pemiblanc.com 4.96% 91,028,726
Badoo 3.80% 69,761,461
VK 3.45% 63,351,699
Zoosk 2.79% 51,198,843
LinkedIn 2.22% 40,690,000
Last.fm 1.67% 30,665,474
Evony 1.53% 28,025,404
Mate1 1.38% 25,300,197
Twitter 1.30% 23,823,952
Tianya 1.27% 23,306,957
Active Account Cracking List 1.21% 22,295,540
NetEase 1.02% 18,781,188
Gmail Combolist 0.76% 14,017,298
Chinese/Japanese Combolist 0.76% 13,912,430
Neopets 0.72% 13,277,226
Fling 0.66% 12,170,227
Russian Bitcoin Security Forum Account Dump 0.52% 9,444,118
000webhost 0.46% 8,908,367
LifeBoat Network 0.46% 8,466,485
LSGB.net 0.46% 8,394,233
Gamigo AG 0.44% 8,093,098
Online Shopping Combolist 0.44% 8,086,511
Netlog 0.43% 7,929,149
Onliner Spambot Credentials 0.43% 7,921,993
Gaming Account Combolist 0.43% 7,895,059
BTC-E 0.40% 7,377,639
Youku 0.38% 7,032,534

Top email domains

     
Email Domain Frequency Number of Records
mail.ru 17.75% 325,775,839
yahoo.com 13.40% 245,808,067
hotmail.com 11.07% 203,067,172
gmail.com 9.63% 176,701,801
yandex.ru 2.91% 53,452,417
bk.ru 2.90% 53,264,022
aol.com 2.49% 45,656,931
list.ru 2.41% 44,233,972
rambler.ru 2.34% 42,962,356
inbox.ru 2.17% 39,747,932
web.de 1.03% 18,982,748
hotmail.fr 0.88% 16,181,028

Collection #5

40.56GB of data, located in 45 folders across 16,022 files totalling 1,282,149,565 credentials, 546,046,140 of them unique.

TOP SOURCED BREACHES

     
Source of Breached Data Frequency Number of Records
Collection #1 Combo List 62.29% 336,950,930
Combolist of 1.4 Billion Credentials 44.79% 242,320,804
Exploit.in combolist 24.14% 130,607,874
Anti-Public Combolist 24.09% 130,300,314
Jadid List from Pemiblanc.com 11.73% 63,439,994
MySpace 8.93% 48,301,150
Pemiblanc.com 7.09% 38,337,691
Badoo 5.87% 31,745,354
Evony 5.13% 27,743,386
Active Account Cracking List 2.93% 15,837,166
LinkedIn 2.43% 13,167,364
Chinese/Japanese Combolist 2.36% 12,756,046
Zoosk 2.14% 11,587,605
Last.fm 1.88% 10,153,099
LifeBoat Network 1.53% 8,285,221
LSGB.net 1.52% 8,233,652
Gamigo AG 1.50% 8,090,443
Twitter 1.41% 7,614,039
Gaming Combolist 1.212% 6,577,747
Fling 1.15% 6,210,287
NetEase 1.13% 6,088,551
Onliner Spambot Credentials 1.11% 5,995,176
VK 1.05% 5,679,875
BTC-E 1.05% 5,675,719
Youku 1.02% 5,509,458
Gmail Combolist 0.91% 4,916,990
Aipai 0.89% 4,825,959
Russian Bitcoin Security Forum Account Dump 0.85% 4,574,582
Neopets 0.80% 4,329,638
Gaming Account Combolist 0.77% 4,185,604
Cupid Media 0.65% 3,500,595
Mate1 0.64% 3,463,105

Top email domains

     
Email Domain Frequency Number of Records
yahoo.com 16.23% 87,774,653
gmail.com 11.05% 59,756,314
hotmail.com 10.321% 55,835,653
mail.ru 7.55% 40,853,067
yandex.ru 4.24% 22,936,274
aol.com 2.79% 15,112,001
rambler.ru 2.06% 11,137,254
hotmail.fr 1.07% 5,766,713
qq.com 1.07% 5,761,870
web.de 1.00% 5,429,255
bk.ru 0.97% 5,241,275

Antipublic #1

102.04GB of data, located in 1 folder across 303 files totalling 3,357,024,659 credentials, 1,750,879,665 of them unique.

Top sourced breaches

     
Source of Breached Data Frequency Number of Records
Combolist of 1.4 Billion Credentials 61.34% 1,066,113,758
Collection #2 Combo List 53.18% 924,311,303
Collection #1 Combo List 37.91% 658,901,716
Exploit.in combolist 30.02% 521,733,918
Anti-Public Combolist 28.90% 502,337,232
MySpace 15.89% 276,147,474
Jadid List from Pemiblanc.com 11.23% 195,139,016
Rambler.ru 5.18% 90,098,886
Badoo 5.15% 89,495,410
Pemiblanc.com 4.92% 85,515,628
VK 4.418% 76,791,789
LinkedIn 3.10% 53,947,214
Zoosk 2.94% 51,029,988
Active Account Cracking List 1.85% 32,134,781
Fling 1.56% 27,018,773
Mate1 1.50% 26,063,474
Neopets 1.48% 25,745,619
Twitter 1.34% 23,244,569
Last.fm 1.20% 20,784,007
Gmail Combolist 1.06% 18,413,499
000webhost 0.61% 10,540,792
NetEase 0.583% 10,136,099
Onliner Spambot Credentials 0.58% 10,030,475
Russian Bitcoin Security Forum Account Dump 0.55% 9,496,887
Gaming Account Combolist 0.44% 7,575,398
Netlog 0.43% 7,566,811
Online Shopping Combolist 0.43% 7,550,468
Evony 0.42% 7,354,689
BTC-E 0.36% 6,237,555
Gamigo AG 0.34% 5,817,239
Tianya 0.33% 5,807,534

Top email domains

     
Email Domain Frequency Number of Records
yahoo.com 16.53% 287,355,806
hotmail.com 11.54% 200,627,856
mail.ru 9.49% 164,910,297
rambler.ru 8.35% 145,191,716
gmail.com 8.08% 140,346,073
yandex.ru 5.93% 103,122,437
aol.com 2.89% 50,157,274
bk.ru 1.52% 26,456,441
list.ru 1.34% 23,247,075
inbox.ru 1.24% 21,580,101
hotmail.fr 1.08% 18,742,062
web.de 0.92% 15,996,159

Antipublic MYR and Zabagor #2

19.49GB of data, located in 1 folder across 2,840 files totalling 667,776,099 credentials, 532,975,653 of them unique.

TOP SOURCED BREACHES

     
Source of Breached Data Frequency Number of Records
Jadid List from Pemiblanc.com 63.10% 326,572,962
Collection #2 Combo List 40.22% 208,169,675
Combolist of 1.4 Billion Credentials 38.13% 197,328,290
Collection #1 Combo List 30.72% 158,980,550
Exploit.in combolist 17.35% 89,794,881
Anti-Public Combolist 12.24% 63,349,482
Fling 7.19% 37,232,553
Pemiblanc.com 6.98% 36,130,489
MySpace 2.80% 14,465,565
NetEase 2.28% 11,775,608
VK 2.19% 11,308,046
Neopets 1.22% 6,333,700
Russian Bitcoin Security Forum Account Dump 1.2% 6,236,377
Taobao 1.17% 6,064,128
17173 1.16% 6,002,891
Badoo 0.96% 4,983,317
LinkedIn 0.96% 4,970,450
Active Account Cracking List 0.88% 4,565,422
Zoosk 0.87% 4,494,328
Twitter 0.84% 4,342,875
Last.fm 0.82% 4,266,588
LifeBoat Network 0.76% 3,940,683
LSGB.net 0.76% 3,925,897
Dodonew 0.70% 3,611,533
Gmail Combolist 0.69% 3,559,567
7k7k 0.65% 3,360,341
Gaming Account Combolist 0.60% 3,107,004
UUU9 0.58% 2,981,890
Gaming Combolist 0.52% 2,672,002
Yue 0.46% 2,354,049
000webhost 0.45% 2,314,054
Sprashivai 0.44% 2,279,753
Ask RU 0.44% 2,279,441
Youku 0.41% 2,095,699
Mate1 0.41% 2,093,663

Top email domains

     
Email Domain Frequency Number of Records
mail.ru 23.11% 119,604,468
yahoo.com 9.60% 49,686,353
rambler.ru 8.75% 45,267,319
gmail.com 6.89% 35,666,828
hotmail.com 6.75% 34,935,775
yandex.ru 6.68% 34,576,801
bk.ru 5.53% 28,590,872
inbox.ru 5.08% 26,291,251
list.ru 4.72% 24,443,179
aol.com 2.36% 12,193,502
qq.com 1.41% 7,297,787
comcast.net 1.39% 7,194,809

Each of these files was hosted on the popular hosting site MEGA, which allows anyone to download ephemeral files for short time periods. These lists have since been copied and shared across numerous public forums and downloaded through numerous torrents.


Screenshot of files as shown on “MEGA”.

How can I determine if my email and password were in Collections 1-5 and the two new Antipublic lists?

If you would like to see if your credentials are in these combo lists, you can activate a free individual account on our website. SpyCloud provides free, fully-automated and secure subscriptions to individuals.

In addition, SpyCloud empowers you with the ability to click on “sightings” so you can see just how many times the credentials have been sighted in prior breaches and where they more than likely originated from.


Screenshot of SpyCloud dashboard showing sightings of example credentials in our database.

What are best practices for protecting my individual passwords?

We highly recommend the use of a password manager so that all of your passwords are unique and easily managed. We also recommend that you enable two-factor authentication (2FA) for all of your accounts, both professional and personal.

How can I protect my employees from credential stuffing?

At SpyCloud, we aim to empower our customers through actionable and proactive solutions by automating ATO prevention and letting them know their exposure so that they can remediate potential problems before they occur. Our researchers have deep expertise in the tactics, techniques and procedures (TTPs) leveraged by criminals dealing in account takeover. We routinely see credentials along with a victim’s PII for sale on dark net markets and within private communities. This information translates directly to account takeover, which can be automated to scale attacks to massive levels.


How SpyCloud analyzes credential theft attempts in near real-time.

It’s easy to integrate SpyCloud’s API into your current application or Active Directory, to identify when your users’ credentials have been exposed and reset their passwords proactively when there is a match. Additionally, our solutions can empower your employees and users not to pick a password that has already been exposed with our NIST password screening capabilities.
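Screening a new password against previously exposed ones is the check NIST SP 800-63B asks verifiers to perform; the added example below (not SpyCloud's API and not code from the original article) shows the idea locally. It also goes one step beyond an exact match by rejecting the "slight modifications" of old passwords described earlier; the corpus is a constructed stand-in and all function names are assumptions.

```python
import hashlib
import re

def digest(password):
    """SHA-256 hex digest used as the lookup key for the exposed-password set."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a corpus of exposed passwords, held as digests.
EXPOSED = {digest(p) for p in ("hunter2", "letmein", "summer")}

def candidate_forms(password):
    """The password itself, then the bases users commonly decorate."""
    lowered = password.lower()
    # Drop trailing digits and symbols: "summer2019!" -> "summer"
    base = re.sub(r"[\d\W_]+$", "", lowered)
    forms = [password, lowered]
    if base:
        forms.append(base)
    return forms

def screen_password(password):
    """Return (allowed, reason) for a password a user is trying to set."""
    forms = candidate_forms(password)
    if digest(forms[0]) in EXPOSED:
        return False, "exposed"
    if any(digest(form) in EXPOSED for form in forms[1:]):
        return False, "variant of exposed"
    return True, "ok"

if __name__ == "__main__":
    for pw in ("hunter2", "Summer2019!", "correct horse battery staple"):
        print(repr(pw), screen_password(pw))
```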

In light of this news, it’s important to remember that, regardless of the size of any combo list, the prescription is the same: 1) don’t reuse passwords and 2) enable multi-factor authentication. For organizations, remember that behavioral changes across organizations take time. A safety net such as SpyCloud can, if anything, provide peace of mind for business leaders and individuals alike.