A significant cybersecurity event involved the release of a massive database of usernames and passwords on a dark web forum, placing a spotlight on the security of countless online accounts, including those on Google’s Gmail service. The incident was not a direct breach of Google’s servers but rather the result of a large-scale data compilation from numerous previous breaches across various online services.
The published data set, known as the “Compilation of Many Breaches” (COMB), contained billions of credential pairs. This collection aggregated login information that had been stolen from other companies and websites over several years. The risk to Gmail users originated from the common practice of password reuse, where an individual uses the same password for their email account as they do for other, less secure websites.
The Nature of the Data Exposure
Cybersecurity researchers identified the leak as a meticulously organized collection of previously compromised data. The compilation combined credentials from breaches at numerous companies, creating one of the largest credential dumps ever made publicly available. The data was structured for ease of use, making it a significant resource for credential stuffing attacks. In such attacks, automated tools are used to try stolen username and password combinations across many different websites, including Gmail, to find accounts that reuse passwords.
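Credential stuffing of the kind described above leaves a characteristic footprint in authentication logs: one source trying many distinct accounts with mostly failures. The following is an added illustration, not code from the original article or from Google; the log format and the sample lines are constructed, and the thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-02-03T10:00:01 ip=203.0.113.7 user=alice@example.com result=FAIL
2021-02-03T10:00:02 ip=203.0.113.7 user=bob@example.com result=FAIL
2021-02-03T10:00:02 ip=203.0.113.7 user=carol@example.com result=FAIL
2021-02-03T10:00:03 ip=203.0.113.7 user=dave@example.com result=OK
2021-02-03T10:00:03 ip=203.0.113.7 user=erin@example.com result=FAIL
2021-02-03T10:00:04 ip=203.0.113.7 user=frank@example.com result=FAIL
2021-02-03T10:00:05 ip=198.51.100.9 user=alice@example.com result=FAIL
2021-02-03T10:00:09 ip=198.51.100.9 user=alice@example.com result=FAIL
2021-02-03T10:00:15 ip=198.51.100.9 user=alice@example.com result=OK
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")


def summarize(log_text):
    """Per source IP: distinct accounts tried, failure/success counts, accounts that succeeded."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, user, result = m.groups()
        s = stats[ip]
        s["users"].add(user)
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["ok"] += 1
            s["ok_users"].add(user)
    return stats


def flag_credential_stuffing(log_text, min_accounts=5, min_fail_ratio=0.7):
    """Flag IPs that tried many distinct accounts with a high failure ratio.

    A legitimate user mistyping their own password (one account, a few failures)
    is not flagged; a source spraying a breached list across many accounts is.
    Accounts that did succeed from a flagged source are the ones whose reused
    password was in the dump and need a forced reset.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        total = s["fail"] + s["ok"]
        ratio = s["fail"] / total
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "hits": sorted(s["ok_users"])}
    return flagged
```

On the sample log only 203.0.113.7 is flagged (six accounts, five failures), and its single success identifies the account whose reused password needs resetting.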
Scale of the Published Credentials
The scale of the exposure was immense, with reports indicating the “COMB” list contained 3.2 billion unique email and password pairs. Another related and even larger data set called “RockYou2021” was also discovered, reportedly containing 8.4 billion password entries. These figures highlight how widespread password compromises from third-party websites are, and the resulting risk to major platforms like Gmail when users do not use a unique password for each account. Google’s own security tools, such as the integrated Password Checkup feature, are designed to alert users when their saved credentials appear in known public data breaches of this nature.