Telegram combolists show that we are all hacked

Telegram combolists have unveiled a staggering data breach, revealing that millions of accounts have been compromised.

A massive collection of 361 million email addresses, sourced from credentials stolen by password-stealing malware, in credential stuffing attacks, and from data breaches, has been added to the Have I Been Pwned data breach notification service. This addition enables individuals to check if their accounts have been compromised through the use of Telegram combolists.

What are Telegram combolists?

Cybersecurity experts gathered these credentials from various Telegram cybercrime channels, where such stolen data is frequently leaked to enhance the reputation and subscriber count of the channels.

The leaked data typically consists of username and password combinations (often stolen via credential stuffing attacks or data breaches), usernames and passwords along with associated URLs (exfiltrated via password-stealing malware), and raw cookies (also stolen via password-stealing malware).

The researchers shared 122 GB of credentials with Troy Hunt, the founder of Have I Been Pwned, sourced from numerous Telegram channels.

According to Hunt, this dataset is extensive, encompassing 361 million unique email addresses, with 151 million of these never previously seen by the data breach notification service.

“It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before. Alongside those addresses were passwords and, in many cases, the website the data pertains to,” stated Hunt.

Telegram, a widely-used messaging platform, facilitates the creation of “channels” where users can share information with visitors easily. Described by Telegram as a simple, private, and secure service, it has gained popularity among those wishing to share content anonymously, including data breach information. Many of the breaches previously uploaded to Have I Been Pwned have been disseminated via Telegram, as it provides an effortless means to publish this type of data.

What is a combolist?

A combolist is a compilation of email addresses and corresponding passwords that have been gathered, often illicitly, from various data breaches, credential stuffing attacks, and other hacking activities. These lists are typically used by cybercriminals to attempt to access accounts by trying these combinations across multiple services.

Below is an example of how data posted to Telegram typically appears:

(Image credit)

These are known as “combolists,” which are combinations of email addresses or usernames paired with passwords. These combinations are crucial for authenticating access to various services, and attackers frequently use them to conduct “credential stuffing” attacks, where they attempt to access multiple accounts en masse using the lists. The example provided above breaks the combos down by their respective email service providers. For instance, the last example from Gmail includes over a quarter of a million rows formatted like this:

(Image credit)

This is just one example among numerous files spread across various Telegram channels. The data forwarded to me last week originated from 518 different channels and comprised 1,748 separate files similar to the one above. While some files contained no data (0kb), others were several gigabytes in size with tens of millions of rows. For instance, the largest file begins as follows:

This appears to be the result of info stealer malware, which captures credentials as they are entered into websites on compromised devices. For instance, the initial record seems to have been intercepted when an individual attempted to log in to Nike. To gauge the accuracy of this data, simply visit the Nike homepage and click on the login link, which will display the following screen:

(Image credit)

By examining the login screen, one can infer the validity of the captured credentials, as the data matches the format of typical login attempts. This method provides a straightforward way to verify the integrity and relevance of the leaked information found in Telegram combolists.

Is this a Telegram data breach we are witnessing in 2024?

Yes, it is, but Telegram is not responsible for that. Telegram itself hasn’t been breached. Instead, Telegram is being used as a channel by cybercriminals to share and distribute stolen data. This data, which includes email addresses and passwords, comes from various sources like password-stealing malware, credential stuffing attacks, and other data breaches. Cybersecurity experts have gathered this data from numerous Telegram channels to add to Have I Been Pwned, allowing people to check if their accounts are compromised.

How to delete your Telegram account?

Deleting your Telegram account won’t help with the security issue at hand since the breach involves data shared on the platform, not Telegram itself.

However, if you still wish to delete your Telegram account, here’s how you can do it:

• Open the Telegram deactivation page: Visit my.telegram.org/auth from your browser.
• Log in: Enter the phone number associated with your Telegram account.
• Confirmation code: You will receive a confirmation code via Telegram. Enter this code on the website.
• Delete account: After logging in, select the option “Delete Account” and follow the prompts to permanently remove your account

Editor’s note: I visited the Have I Been Pwned site and checked my personal email. To my surprise, it turned out that my email was also compromised.

You can see the result in the image below:

Screenshot taken from Have I Been Pwned

Featured image credit: Kerem Gülen/Midjourney