If You Notice Suspicious Account Activity, Your Password Was Probably Leaked on Telegram

makeuseof.com 3 days ago

Key Takeaways

  • The Telegram combolist leak contains over 361 million email addresses, with 151 million never seen by Have I Been Pwned.
  • Check if your email is on the list at haveibeenpwned.com; change passwords and use unique passwords.
  • Secure accounts with MFA, use a password manager, and clear login sessions regularly for better online security.

    Have you noticed suspicious activity on your online accounts? People trying to log in using your credentials or attempting to access your private information?

    Your credentials were probably leaked in the enormous Telegram combolists, huge lists of stolen data containing username and password combinations, given to hackers around the world.

    What Is the Telegram Combolist Password Leak?

    The Telegram combolist password leak is a massive data leak that security researchers first reported in early 2024. The data is spread across numerous combolists and Telegram chats, making it unclear just how far the stolen credentials have spread.

    Combined, the combolists contain 361 million email addresses. Have I Been Pwned, a website that analyzes data leaks and allows users to check whether they've been impacted, reported that 151 million of these email addresses had never been seen before by the service.

    Many of the email addresses included in the leaks had several, or even dozens, of unique passwords included in the combolists. The leaked data doesn't come from any one source, but it's clear that many of the users impacted may have keyloggers or other malware installed on their systems.

    How Do I Know if My Password Is on a Telegram Combolist?

    Because security researchers shared the data with Have I Been Pwned, checking whether you're on the list is simple: you just need to search for your email address on haveibeenpwned.com.

    After loading the website, you can search for your email address to check whether you've been included on a Telegram combolist. You'll also see if you've been impacted by any other breaches in the past.

    Unfortunately, Have I Been Pwned doesn't provide insight into which of your passwords are compromised. But using the Pwned Passwords page, you can check whether your password has ever appeared in a leak before.

    If your password is flagged, that doesn't necessarily mean it came from one of your accounts. It will also flag your password if someone else who uses the same password was hacked. Even so, you'll need to take action to secure your account.

    How to Secure Your Accounts After a Password Leak

    If you believe that your email address or password has appeared in a leak, you'll need to take action. Changing your passwords, using MFA, clearing your login sessions, and using a password manager can help you stay safer online.

    Change Your Passwords Immediately

    First and foremost, it's important to change your passwords whenever you find a leak. This is doubly important if you reuse your passwords across different websites (a big security and privacy issue!).

    You don't have to change all of your passwords. You can use Have I Been Pwned's password checking tool to check whether each of your passwords has previously appeared in a data leak. Change each and every flagged password.
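
The password check described here and in the earlier section on Pwned Passwords can also be scripted, so that many passwords can be checked without typing any of them into a web page. The sketch below is an added example, not part of the original article: it goes beyond the web page the article mentions and uses the service's range API, which receives only the first five characters of the password's SHA-1 hash and leaves the matching to your own machine. The function names and the sample response are constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6 (counts are made up).
SAMPLE_RANGE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    + "F" * 35 + ":0\r\n"  # padding-style entry: count 0, never a real match
)


def split_hash(password):
    """SHA-1 the password; only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body, suffix):
    """Return how often `suffix` appears in a range response (0 if absent)."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Query the live service; Add-Padding hides the real response size."""
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Number of times the password appears in the corpus, matched locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample above.
    offline = lambda prefix: SAMPLE_RANGE
    for candidate in ("password", "correct horse battery staple 7!"):
        print(candidate, "->", breach_count(candidate, fetch=offline))
```
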

    Use Unique Passwords

    If you haven't already, you should also ensure that the passwords you use are unique. It's hard to remember different passwords, but password managers, password manager apps, and even portable programs like KeePass can help.

    Reusing passwords isn't a good idea, but if you plan to do so anyway, make sure that your email, banking accounts, and other important accounts all have unique passwords. That will minimize the potential damage if you're hacked.

    Secure Your Account With MFA

    You should also secure your accounts with some form of Multi-Factor Authentication (MFA). SMS 2FA, using your phone number, is an excellent option. You can also use authenticator apps or your phone's built-in biometrics.

    If you want to be especially secure, the best option is a hardware authentication device (like a YubiKey). These devices are more secure and nearly impossible for hackers to bypass or access, and are thus fantastic for protecting your accounts.

    Save Everything in a Password Manager

    There's no point in securing your accounts and using unique passwords if you can't remember your passwords and logins. As a result, you probably need to use a password manager, and you have many great options to choose from.

    Local applications like KeePass are excellent if you're especially security-minded. If you prefer convenience, built-in browser password managers (such as those in Firefox and Chrome) suffice. Subscription apps, like 1Password, are also good options.

    Clear Your Login Sessions Regularly

    Last, but not least, it's vital to clear your login sessions regularly. There's no point in allowing your lost phone to maintain access to your Gmail or Facebook account, and removing these sessions might also allow you to remove hackers.

    The process for clearing your login sessions varies, but you can usually view your active sessions through your privacy or security tab in Settings. If you notice any sessions on devices or in locations you don't recognize, you may need to change your password.

    And remember: security is an active process. You can't completely prevent hacking, but by remaining proactive and maintaining good digital hygiene, you can avoid becoming a target and keep your finances and personal information secure.
