A massive Data Leak exposes over 3.2 billion passwords including 1.5 million Government Emails

One of the biggest data dumps with leaked usernames and passwords was revealed, with 3.28 billion passwords linked to 2.18 billion unique email addresses.


Furthermore, the leak contains 1,502,909 passwords associated with email addresses from government domains around the world, with the United States accounting for 625,505 of the leaked passwords, followed by the United Kingdom (205,099), Australia (136,025), Brazil (68,535), and Canada (50,726).


The results were based on an analysis of a huge 100 GB data set named “COMB21” — aka Compilation of Many Breaches — that was released for free in an online hacker forum earlier this February by combining data from numerous leaks in various companies and organizations over the years.


The leak does not indicate a security breach in government systems.


Also read: These Billing Fraud Apps have infected over 700,000 Android Users


After being stolen, the passwords were allegedly obtained through techniques such as password hash cracking, phishing attacks, and spying on vulnerable, plaintext connections.


The top ten U.S. government domains that have been exploited include:

  • State Department – state.gov (29,144)
  • Veterans Affairs Department – va.gov (28,937)
  • Department of Homeland Security – dhs.gov (21,575)
  • National Aeronautics and Space Administration – nasa.gov (15,665)
  • Internal Revenue Service – irs.gov (10,480)
  • Center for Disease Control and Prevention – cdc.gov (8,904)
  • Department of Justice – usdoj.gov (8,857)
  • Social Security Administration – ssa.gov (8,747)
  • S. Postal Service – usps.gov (8,205), and
  • Environmental Protection Agency – epa.gov (7,986)


There are also 13 credentials linked to emails from the Oldsmar water plant in Florida in this leak.


However, there is no proof that the compromised passwords were used in the February cyberattack.


In comparison, only 18,282 passwords from Chinese government domains and 1,964 passwords from Russian government domains were revealed.


You might also like: Beware: Passwordstate Password manager update hijacked


According to Syhunt Founder and Chief Visionary Officer (CVO) Felipe Daragon, states that hackers are less interested in passwords made up of local alphabets in these countries.


In terms of the Roman alphabet, it adds an unexpected layer of protection.