Anti Public Combo List with Billions of Accounts Leaked

There are so many data breaches these days that it’s almost impossible to keep a track of them. From billions of Yahoo accounts to millions of LinkedIn and MySpace accounts the whole thing is out of control.

But then there are people dedicating time to track large-scale breaches. One of them is Troy Hunt from Australia whose running Have I been pwned (HIBP) platform and has recently discovered two different “combo lists” containing 593,427,119 and 457,962,538 = 1,051,389,657 user login credentials.

According to Hunt blog post,

• “In December 2016, a huge list of email address and password pairs appeared in a “combo list” referred to as “Anti-Public”. The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for “credential stuffing”, that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. The information was just recently released and I was one of the victims, so I thought I would share with everyone. Stay safe online everyone. Change your passwords often!”

While discussing the second list Hunt said that: 

• “It’s a collection of 111 text files totaling just over 24GB. It’s the same deal as Anti-Public in that it’s just masses of email address and password pairs. By virtue of my own unfortunate inclusion there, I also know that it absolutely, positively contains accurate credentials (I’m sure mine is not the only correct one). Furthermore, it contains data that’s not in either the Anti-Public list or in HIBP. It also has 593,427,119 unique email addresses. Crikey. I was conscious that there could be a great deal of crossover between the two lists so I joined them together and found that “only” 222 million of the accounts were common so in other words, 63% of the accounts in Exploit.In were not in Anti-Public (I’ll know how many were already in breaches in HIBP once I load the data). So between the two lists, that’s a total of 1,051,389,657 accounts which means a size increase in HIBP of 39% by record count and brings the service up to 3.75 billion records in total.”

For now, Hunt has uploaded over 1 billion breached accounts on HIBP containing collections of email addresses and passwords from around the world, the authentication of which has been confirmed by Hunt himself. Although unconfirmed yet, it seems like the hackers, scammers, and cybercriminals developed these lists from various systems and previous large-scale data breaches including VerticalScope, MySpace, LinkedIn, Twitter, Dropbox, Yahoo, Tumblr and Adobe Systems etc.

Hunt has also revealed, “75.78% of the leaked addresses were already in HIBP database.” This means the lists were defiantly developed with the help of previous data breaches. As a security journalist, I can confirm my personal email account is also on the list.

1 billion new records in @haveibeenpwned from different unknown sources.Lot of people will be notified they're pwned https://t.co/qDkz7t3IbR

— John Opdenakker (@j_opdenakker) May 5, 2017

Meanwhile, we highly recommend visiting Hunt’s post here and his Have I been pwned (HIBP) platform to check whether your email is on the list. If it is, change its password right now and also use a password manager to get hold of a strong password. Furthermore, make sure you are not using the same password on other sites but if you are; make sure to change all passwords before it’s too late.