Anti Public Combo List with Billions of Accounts Leaked

Check if your account is in this leak and change its password right now.

There are so many data breaches these days that it’s almost impossible to keep track of them. From billions of Yahoo accounts to millions of LinkedIn and MySpace accounts, the whole thing is out of control.

But there are people who dedicate time to tracking large-scale breaches. One of them is Troy Hunt from Australia, who runs the Have I been pwned (HIBP) platform and has recently discovered two different “combo lists” containing 593,427,119 and 457,962,538 user login credentials, 1,051,389,657 in total.

According to Hunt’s blog post:

  • “In December 2016, a huge list of email address and password pairs appeared in a “combo list” referred to as “Anti-Public”. The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for “credential stuffing”, that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. The information was just recently released and I was one of the victims, so I thought I would share with everyone. Stay safe online everyone. Change your passwords often!”
Screenshot shows the leaked data Hunt got his hands on

Discussing the second list, Hunt said:

  • “It’s a collection of 111 text files totaling just over 24GB. It’s the same deal as Anti-Public in that it’s just masses of email address and password pairs. By virtue of my own unfortunate inclusion there, I also know that it absolutely, positively contains accurate credentials (I’m sure mine is not the only correct one). Furthermore, it contains data that’s not in either the Anti-Public list or in HIBP. It also has 593,427,119 unique email addresses. Crikey. I was conscious that there could be a great deal of crossover between the two lists so I joined them together and found that “only” 222 million of the accounts were common so in other words, 63% of the accounts in Exploit.In were not in Anti-Public (I’ll know how many were already in breaches in HIBP once I load the data). So between the two lists, that’s a total of 1,051,389,657 accounts which means a size increase in HIBP of 39% by record count and brings the service up to 3.75 billion records in total.”

For now, Hunt has uploaded over 1 billion breached accounts to HIBP, containing collections of email addresses and passwords from around the world, the authenticity of which has been confirmed by Hunt himself. Although not yet confirmed, it seems that hackers, scammers, and cybercriminals compiled these lists from various systems and previous large-scale data breaches, including VerticalScope, MySpace, LinkedIn, Twitter, Dropbox, Yahoo, Tumblr and Adobe Systems.

Hunt has also revealed, “75.78% of the leaked addresses were already in HIBP database.” This means the lists were definitely developed with the help of previous data breaches. As a security journalist, I can confirm my personal email account is also on the list.

Meanwhile, we highly recommend visiting Hunt’s post here and his Have I been pwned (HIBP) platform to check whether your email is on the list. If it is, change its password right now and use a password manager to get a strong password. Furthermore, make sure you are not using the same password on other sites; if you are, change all of those passwords before it’s too late.
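Site operators can check for the same reuse risk from the server side by screening their own accounts against a circulated list and forcing a reset where a listed password still works. The sketch below is an added example, not code from Hunt or HIBP; it assumes `email:password` lines, PBKDF2-stored passwords, and hypothetical names (`parse_combo`, `accounts_to_reset`) with constructed sample data.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # demo value; use your production KDF and parameters

def kdf(password: str, salt: bytes) -> bytes:
    """Assumed storage scheme for this example: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def parse_combo(lines):
    """Return {lowercased email: set of passwords}; one email may carry several."""
    combo = {}
    for raw in lines:
        # Split on the first ':' only, because the password may contain ':' itself.
        email, sep, password = raw.rstrip("\r\n").partition(":")
        email = email.strip().lower()
        if not sep or "@" not in email or not password:
            continue  # skip malformed lines and empty passwords
        combo.setdefault(email, set()).add(password)
    return combo

def accounts_to_reset(users, combo):
    """users: {email: (salt, stored_hash)}. Return emails whose current password is listed."""
    exposed = []
    for email, (salt, stored) in users.items():
        for candidate in combo.get(email.lower(), ()):
            if hmac.compare_digest(kdf(candidate, salt), stored):
                exposed.append(email)
                break  # one match is enough to require a reset
    return sorted(exposed)

# Constructed sample data (not real credentials).
SAMPLE_COMBO = [
    "alice@example.com:Summer2016!\n",
    "alice@example.com:hunter2\n",        # same address, second password
    "Bob@Example.com:correct:horse\n",    # mixed case, ':' inside the password
    "carol@example.com:oldpassword\n",    # listed, but no longer her password
    "not-an-email-line\n",
    "dave@example.com:\n",
]
# Fixed salts only so the sample is reproducible; real salts are random per user.
SAMPLE_USERS = {e: (s, kdf(p, s)) for e, p, s in [
    ("alice@example.com", "hunter2", b"salt-alice-0001"),
    ("bob@example.com", "correct:horse", b"salt-bob-000002"),
    ("carol@example.com", "a-unique-passphrase", b"salt-carol-0003"),
]}

if __name__ == "__main__":
    print(accounts_to_reset(SAMPLE_USERS, parse_combo(SAMPLE_COMBO)))
```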

Written by Waqas
