The internet loves acronyms and here’s a new one that demands your attention. COMB, which stands for compilation of many breaches, refers to 3.2 billion pairs of user credentials from past data thefts, including Netflix, LinkedIn, Gmail, Hotmail, Bitcoin and others. This astoundingly large dataset was posted on a popular hacking forum called RaidForums earlier this month as an encrypted container.
To access this searchable database, users were asked to pay eight RaidForums credits, about $2. Then they could download a zipped file with all of the emails and associated passwords, along with some tools for deduping, sorting and parsing of the data to make it easier to use. While there are no new stolen credentials in this batch, the tools and the number of credentials all in one place offer criminals an efficient source for their data-stealing activities.
While the data is old, it is not worthless. Why? Because people reuse passwords and criminals know that. With COMB data, hackers will launch credential-stuffing attacks to hijack any number of types of accounts.
Here’s how it works: The attacker sets up a bot that is able to automatically log in to multiple user accounts at the same time, while faking different IP addresses so as not to trigger a company’s security measures. The bot checks to see if stolen credentials, such as the COMB data, work on many websites. By running the process in parallel across multiple sites, this tactic reduces the need to repeatedly log in to a single service, which again circumvents a common security measure. The bot is programmed to look for successful logins and then copies personally identifiable information, credit card numbers and other valuable data. This information is then stored for future use, such as in a phishing attack or in transactions that can now be performed with the stolen credentials.
Note that credential-stuffing attacks are impervious to strong — long, nonsensical — passwords. No one is guessing common passwords like “iloveyou” and “123456” as is the case with brute force attacks. Criminals are simply copying your password from a data breach and trying it against many online services. This is why you should never reuse your passwords.
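For readers who run a login service, the difference between the two attack types described above shows up clearly in authentication logs. The following Python sketch is an added example, not part of the original article; the log format, thresholds and sample data are all constructed assumptions. It flags credential stuffing by counting distinct failing accounts per time window rather than failures per IP address, since the bot rotates addresses to stay under per-IP limits.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Log format, thresholds and all sample data below are constructed for illustration.
LINE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)")
WINDOW = 300        # seconds per analysis bucket
PER_IP_LIMIT = 5    # failures per IP per window that a simple rate limiter tolerates
MIN_ACCOUNTS = 20   # distinct failing accounts per window that indicates stuffing
BRUTE_TRIES = 10    # failures against one account that indicates brute force
FMT = "%Y-%m-%dT%H:%M:%SZ"

def classify(lines):
    """Return (window_start_epoch, kind, accounts, ips, evades_per_ip_limit) findings."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m[4] == "FAIL":   # malformed lines and successful logins are skipped
            ts = int(datetime.strptime(m[1], FMT).replace(tzinfo=timezone.utc).timestamp())
            buckets[ts - ts % WINDOW].append((m[2], m[3]))
    findings = []
    for start, fails in sorted(buckets.items()):
        per_ip = Counter(ip for ip, _ in fails)
        per_user = Counter(user for _, user in fails)
        evades = max(per_ip.values()) <= PER_IP_LIMIT
        # Brute force: many guesses against the same account.
        for user, n in per_user.items():
            if n >= BRUTE_TRIES:
                findings.append((start, "brute-force", 1, len(per_ip), evades))
        # Stuffing: many accounts, one or two tries each (one leaked password per account).
        if len(per_user) >= MIN_ACCOUNTS and len(fails) / len(per_user) <= 2:
            findings.append((start, "credential-stuffing", len(per_user), len(per_ip), evades))
    return findings

def sample_log():
    t0 = datetime(2021, 2, 20, 10, 0, tzinfo=timezone.utc)
    def row(sec, ip, user, res):
        return f"{(t0 + timedelta(seconds=sec)).strftime(FMT)} ip={ip} user={user} result={res}"
    # 30 accounts, one try each, rotated over 10 addresses (3 failures per IP).
    log = [row(5 * i, f"198.51.100.{i % 10}", f"user{i}@example.com", "FAIL") for i in range(30)]
    # 12 guesses against one account from one address.
    log += [row(600 + 2 * i, "203.0.113.7", "admin@example.com", "FAIL") for i in range(12)]
    # Ordinary traffic: a typo followed by a good login.
    log += [row(1205, "192.0.2.44", "carol@example.com", "FAIL"),
            row(1230, "192.0.2.44", "carol@example.com", "OK")]
    return log

if __name__ == "__main__":
    for finding in classify(sample_log()):
        print(finding)
```

On the sample data, the stuffing window is flagged even though no single address exceeds the per-IP limit, while the brute-force window would also have been caught by a per-IP limiter.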
It is highly likely that an email and password pair that belongs to you is part of COMB. It is easy to check. CyberNews offers a searchable database where you can check to see if your email and password have been stolen. Go to https://cybernews.com/personal-data-leak-check/ and type your email in the box at the top of the page. If you use more than one email address, check them all.
Hopefully, your email has not turned up in a data breach. But if it has, the next thing you need to know is what accounts are associated with your compromised email. Gmail users can click on their photo or initial in the top right corner, select “Manage your Google Account” and then choose “Security” from the left menu. You can also see a list of all of the sites that you sign in to with your Gmail address. Scroll to the bottom and choose “Password Manager.” As you’re reviewing your accounts, keep an eye out for accounts you no longer use and then close them. Your best strategy in protecting yourself online is to use as few accounts as possible, each with a unique password, and to activate two-factor authentication whenever possible, which means you’ll receive a code to your phone before you can type in your credentials. This prevents anyone else from accessing your account without also having access to your phone.