A major data breach has been discovered involving a combolist containing 122GB of data with 361 million unique email addresses scraped from thousands of Telegram channels.
This extensive dataset includes passwords and the websites they were used on, and a substantial portion of it had never been seen before; it has now been added to the breach alerting service Have I Been Pwned (HIBP).
The discovery was reported by Troy Hunt, the creator of HIBP, who received the data last week from an anonymous researcher. The dataset, comprising 1,748 files and 2 billion lines, exposed 151 million email addresses not previously listed in the service. This vast trove of information highlights the widespread use of Telegram for sharing sensitive and illicit data.
Massive new combolist
Telegram, a messaging platform known for its privacy-minded features, allows users to create channels for sharing information anonymously. This capability has attracted individuals and groups seeking to distribute data from breaches. Hunt noted that many data breaches previously loaded into HIBP were initially shared via Telegram channels. These data collections, often referred to as “combolists,” contain combinations of email addresses or usernames and passwords, which are used in credential stuffing attacks to gain unauthorized access to accounts.
The data sent to Hunt originated from 518 different Telegram channels and varied widely in size, with some files containing tens of millions of rows. The largest files appeared to be the result of info stealer malware, capturing credentials as they were entered into websites on compromised machines. Hunt verified the data's legitimacy by contacting HIBP subscribers and confirming the accuracy of the stolen credentials.
Among the subscribers contacted, responses varied from recognizing old and previously exposed passwords to confirming new and previously unseen data. One subscriber, for example, recognized passwords used on various services over the past five years, while another identified credentials related to their daughter's old Epic Games account. These verifications underscored the data's legitimacy and the ongoing threat of credential theft.
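Added example, not code from the article or from HIBP: a small Python triage helper for the two line formats described above (plain email:password combos and info-stealer lines that also carry the website), which deduplicates by email address the way HIBP counts unique addresses and lists the addresses in domains a security team owns. The sample lines and the domain `corp.example` are constructed.

```python
"""Combolist triage helper, added as an example (not code from the article or HIBP).
Parses the two line formats described above, "email:password" combos and
info-stealer lines that also carry the website, deduplicates by email the way
HIBP counts unique addresses, and flags addresses in domains we own."""
import re
from collections import Counter

# Email token: no whitespace or ':' so it can never swallow a separator.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")

# Constructed sample lines (not real breach data).
SAMPLE_LINES = [
    "alice@example.com:Summer2019!",
    "https://shop.example.net/login:alice@example.com:Summer2019!",
    "ALICE@example.com:Summer2019!",  # same mailbox, different case
    "bob@corp.example:hunter2",
    "http://game.example.org:8080/auth:kid@family.example:pa:ss:word",  # ':' in URL and password
    "not a credential line",
]

def parse_line(line):
    """Return (website, email, password) or None if no credential is present.
    URLs and passwords may both contain ':', so the split is anchored on the
    first token that looks like an email address, not on the first colon."""
    parts = line.strip().split(":")
    for i, tok in enumerate(parts):
        if EMAIL_RE.match(tok):
            # Lowercase for dedup; local parts are case-sensitive in theory only.
            return ":".join(parts[:i]), tok.lower(), ":".join(parts[i + 1:])
    return None

def summarise(lines, watched_domains):
    """Deduplicate by email and list addresses in domains we own (the set a
    team would notify for resets). Passwords are deliberately not retained."""
    sites_by_email, by_format = {}, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            by_format["unparsed"] += 1
            continue
        website, email, _password = rec
        by_format["stealer" if website else "combo"] += 1
        sites_by_email.setdefault(email, set()).add(website or "(no site)")
    watched = sorted(e for e in sites_by_email
                     if e.rsplit("@", 1)[1] in watched_domains)
    return {"unique_emails": len(sites_by_email), "by_format": dict(by_format),
            "watched": watched, "sites": sites_by_email}

if __name__ == "__main__":
    print(summarise(SAMPLE_LINES, {"corp.example"}))
```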
Implications and protection tips
The implications of this breach are far-reaching.
Credential stuffing attacks leverage these combolists to access accounts en masse, posing a significant threat to users. Websites, including Nike, Footlocker, and even an Italian tire retailer, confirmed the presence of email addresses listed in the stolen data, indicating the widespread impact.
Given the severity of this breach, users are advised to take immediate action to secure their accounts:
- Change passwords for all accounts, especially those using the same credentials across multiple services.
- Use a good password manager to generate and store complex passwords.
- Enable two-factor authentication (2FA) where possible.
- Regularly check accounts for unusual activity and enable alerts for unauthorized access attempts.
- Ensure all your devices are running the latest security patches and updates.
John Mullen
I am aware that my email address and password may have been included in the breach, but how do I know for which account/website this was? I have hundreds of different accounts in my password manager, and it is just not feasible to change the password for all of them. Luckily, every account in my password manager has a different complex random password, so whatever has been pwned is likely only limited to that account. So where is the combolist?
Peter
What is wrong with all the news and media???
No one writes down or asks where the data came from!?
Where are the breaches!?
All they say is that it was FOUND on Telegram!
All people must be informed by the industry of these leaks / data breaches, but I didn't get an email saying that they had a data breach.
So how do I know to change the mail and password?!
And I should know about it, above all.
This information I get from pwned does not help; the list under “Breach” says “Telegram”, but that was not the breach!
The data was only found there!
So please inform people of their breaches correctly and talk the right way: where did the breaches happen?!
How does one go about identifying it?
Would it work to identify it?
Alarming, what is going on and why is it going wrong to get 361 million people correctly and properly informed.
And why isn't this on the TV news all over the world?!
Everyone has a PC, laptop, smartphones!
Sorry for my bad English.
English is not my main language.