Security experts are once again exhorting users to improve their password practices after nearly 3.3 billion usernames and passwords were published online this month in the single largest incident of its kind.

The Compilation of Many Breaches (COMB) database came to light after an encrypted, password-protected data container was first offered for sale, then leaked for free.

A CyberNews analysis confirmed the database contains 3.279bop plaintext logon credentials and passwords from a range of breached sites including Netflix, LinkedIn, Bitcoin, and others.

Most of the stolen passwords have been made available through other mega-breaches, including the 1.4b credentials in 2017’s Breach Compilation and the Collection #1 through Collection #5 breaches from 2019.

The scale of the database is a reminder of the prevalence of credential stuffing – in which cyber criminals attempt to breach systems using stolen user ID-password combinations.

One recent study found that 53 per cent of users use the same passwords for personal and business systems, opening up a dangerous vector for attack.

Use of credentials “has been on a meteoric rise”, Verizon security researchers noted in that company’s Data Breach Investigations Report 2020 (DBIR), which found that the average breached organisation was hit by 922,331 credential-stuffing attempts during 2019 alone – and that 77 per cent of cloud data breaches involved stolen credentials.

Furthermore, more than 60 per cent of data stolen during other data breaches are credentials – by far the most commonly taken type of data – highlighting the ongoing value that cybercriminals see in collecting and reusing legitimate access details.

“Criminals are clearly in love with credentials,” the report’s authors note, “and why not, since they make their jobs much easier?”

Password hygiene still wanting

Users aren’t helping the situation, since issues of password reuse could be eliminated if each user made a new and secure password for every site they visit.

Yet without careful use of a password manager, this approach quickly becomes burdensome and problematic for users – which is why so many people still use the same password, often guessable, across both personal and business-related sites.

The problem became even more pointed during the COVID-19 pandemic, when tens of millions of workers switched to home working – often logging back into their work systems using nothing more than a password.

Many companies adopted two-factor authentication (2FA) systems to compensate, but ongoing poor security practices and overconfidence among users is still leaving many companies exposed.

Fully 83 per cent of users said they are making up their own passwords, according to one recent Kaspersky study, and 55 per cent claim to be able to remember all of their passwords – implying that they are using, or reusing, passwords simple enough to be able to remember.

Even more problematic for companies was the finding that 54 per cent of users were unaware of how to check whether their passwords had been compromised.

Sites like Have I Been Pwned? And CyberNews’s Personal Data Leak checker let users cross-check their email address against databases of compromised passwords, and the services are busy integrating the COMB list into their own databases.

Aiming to reduce the cost and risk of their dependence on users to create, remember or manage their passwords, some companies are embracing passwordless authentication – which replaces the password with a one-time password generator, mobile device, or biometrics like fingerprint or face scanning.

“When these kinds of breaches occur, the message is always the same: use unique passwords, change your passwords and use a password manager,” said Matias Woloski, co-founder and CTO of Auth0 – which last year expanded its authentication system with a tool to detect credential-stuffing bots – “however, every year we see another study showing that people aren’t listening.”

“There are two truths here that we need to accept: we’re never going to prevent all data breaches, and the password hygiene message isn’t getting through. Businesses now need to force the issue to protect themselves and their customers.”