A data breach is stolen data taken from one hacked service. A combolist is recycled email-and-password pairs aggregated from many old breaches. A stealer log is the full haul from a single malware-infected device, captured live. The three differ in freshness and danger, and stealer logs are the worst: Recorded Future indexed 1.95 billion malware combolist credential exposures in 2025.
- A data breach is one service's stolen records, often months or years old and frequently hashed. Verizon's 2025 DBIR tied compromised credentials to 22% of breaches.
- Combolists are recycled aggregations of prior breaches: of 19 billion passwords analyzed in 2025, only 6% were unique (Cybernews study, via Forbes).
- Stealer logs are fresh, device-scoped captures. Recorded Future indexed 1.95 billion malware combolist credential exposures in 2025 versus just 36 million from database combolists.
- Only stealer logs routinely carry live session cookies: 276 million did in 2025, or 31% of malware-sourced credentials (Recorded Future).
- SpyCloud recaptured 17 billion stolen cookies in 2024, the raw material behind MFA-bypass session hijacking.
What's the difference between stealer logs, data breaches and combolists?
They sit at different points in the credential supply chain. A data breach is the source event: attackers steal a table of records from one service. A combolist is downstream recycling, where old breach data gets cleaned, merged and resold as email-and-password pairs. A stealer log is a separate origin entirely, the live output of malware on one device. Recorded Future indexed 1.95 billion credentials from stealer-log combolists in 2025, against only 36 million from database combolists (Recorded Future).
| Dimension | Data breach | Combolist | Stealer log |
|---|---|---|---|
| Origin | One hacked service | Recycled from many breaches | Live capture from one device |
| Freshness | May be old, often hashed | 94% reused, mostly stale | Freshest |
| What it carries | Records, often hashed passwords | Email and password pairs only | Passwords plus session cookies |
| Risk | The source event | Passwords only, low novelty | Most dangerous |
For a defender, the distinction is operational, not academic. Each type ages differently, carries different data, and demands a different response. Confuse a stale combolist hit with a fresh stealer-log exposure and you either burn hours chasing a dead password or miss a live session an attacker is already replaying.
Data breaches: the source event
A data breach is the theft of data from a single organization's systems, usually a backend database or application store. The stolen records can be credentials, but often they are hashed passwords, personal data or payment fields, and they reflect that one service at the moment it was hit. IBM put the global average cost of a breach at 4.44 million dollars in 2025 (IBM).
Breach data has two defender-relevant traits: it is single-service, and it can be old by the time you see it. Credentials may be hashed, salted or already rotated, so validity is uncertain. Where the credential is the way in, the damage still lands hard. Breaches driven by compromised credentials cost 4.67 million dollars each and took 246 days on average to identify and contain (IBM Cost of a Data Breach 2025).
What is a combolist, and why is it often stale?
A combolist is a compiled file of username-and-password or email-and-password pairs, aggregated and deduplicated from many prior breaches and leaks. It is recycling, not fresh theft. The 2024 RockYou2024 compilation alone bundled 9.9 billion plaintext passwords drawn from thousands of old breaches (Malwarebytes). The scale is enormous but the novelty is low: of 19 billion passwords analyzed across roughly 200 incidents in 2025, only 6% were unique, meaning 94% were reused or duplicated (Forbes).
That is why combolists mostly power brute-force credential stuffing rather than precision targeting. Attackers replay the pairs at scale and let password reuse do the work. Verizon found credential stuffing made up a median 19% of all authentication attempts in 2025 (Verizon 2025 DBIR), and Cloudflare observed that 41% of successful logins used a compromised password, with 95% of those attempts coming from bots (Cloudflare).
What is a stealer log, and why is it the most dangerous?
A stealer log is the complete bundle exfiltrated from one device by infostealer malware, captured in a single live sweep. Unlike a breach table or a recycled combolist, it is fresh and scoped to a real machine that was working when it was hit. Flashpoint counted more than 11.1 million infected devices spilling over 3.3 billion credentials, session cookies and tokens in the most recent year (Flashpoint).
Open one log and the difference from a combolist is obvious. A single log typically carries:
- Saved browser passwords paired with their exact login URLs, including SSO and VPN portals
- Active session cookies and refresh tokens that represent already-authenticated sessions
- A device fingerprint: hostname, operating system, installed apps and local IP
- Autofill data and, on developer machines, API keys and .env secrets
The session cookie is what makes stealer logs uniquely dangerous. Replaying a valid cookie skips the password and the MFA prompt entirely. Recorded Future found 276 million indexed credentials carried live session cookies in 2025, 31% of all malware-sourced records (Recorded Future), and SpyCloud recaptured 17 billion stolen cookies in 2024 (SpyCloud). Combolists and breach dumps rarely carry that.
How do the three compare on freshness and validity?
Freshness decides whether a leaked credential still opens a door. Breach data may be stale or hashed by the time it circulates. Combolists are the stalest of all, since they are recycled aggregations where 94% of passwords are reused copies (Forbes). Stealer logs are the freshest, and only they routinely include a live session cookie an attacker can replay before it expires.
Validity tracks with origin too. A combolist hit tells you a password once leaked somewhere; it may have been rotated years ago. A stealer-log hit tells you a specific device was compromised recently and its saved corporate logins, and quite possibly a live session, are in criminal hands right now. Same email in the file, very different urgency.
What each leak type means for defenders
Match by type, then triage by freshness. A combolist match usually means confirm whether the password is still in use and enforce reset or a passkey. A breach match means check reuse across your estate. A stealer-log match is the alarm: assume the device is compromised, revoke live sessions, and rotate every credential that device could reach. Stolen credentials were the second most common initial infection vector in 2025, at 16% (Mandiant M-Trends 2025).
This is where source classification earns its keep. Monitoring that lumps every leak into one bucket buries the fresh stealer-log exposures under mountains of recycled combolist noise. Ashetrace is built to separate them: you verify a domain you control, and it surfaces the stealer-log exposures that carry live sessions, so containment starts with the identities that can still be replayed, not the ones that leaked years ago.
So the useful question is not whether your users appear in a leak. At these volumes, some do, across all three types. The question is which leak they appear in, how fresh it is, and whether a live session is still riding on it.
What is the difference between a stealer log and a data breach?
A data breach is data stolen from one hacked service, often old and sometimes hashed. A stealer log is the live haul from one malware-infected device, including saved passwords and active session cookies. Recorded Future indexed 1.95 billion stealer-log credential exposures in 2025.
How is a combolist different from a stealer log?
A combolist is recycled email-and-password pairs aggregated from many old breaches, mostly stale. Of 19 billion passwords analyzed in 2025, only 6% were unique (Forbes). A stealer log is fresh, device-scoped malware output that also carries session cookies a combolist almost never includes.
Why are stealer logs more dangerous than combolists?
Because they are fresh and carry live session cookies that bypass MFA. Recorded Future found 276 million indexed credentials, 31% of malware-sourced records, included active session cookies in 2025. Combolists are recycled password pairs with no session, so they mostly enable brute-force credential stuffing.
Are combolist credentials still a threat if they are stale?
Yes, because password reuse keeps them viable. Cloudflare observed 41% of successful logins used a compromised password, and Verizon put credential stuffing at a median 19% of authentication attempts in 2025. Old pairs still open doors wherever users recycled the same password.
How should defenders respond differently to each leak type?
Triage by freshness. A combolist or breach match means check reuse and enforce reset. A stealer-log match means assume device compromise, revoke live sessions and rotate reachable credentials. IBM found credential-based breaches took 246 days on average to identify and contain in 2025.
- Recorded Future, 2025 Identity Threat Landscape Report (2025)
- SpyCloud, 2025 Identity Exposure Report (2025)
- Verizon, 2025 DBIR: Credential Stuffing Research (2025)
- IBM, Cost of a Data Breach Report 2025 (2025)
- SpyCloud, 6 Takeaways from the IBM Cost of a Data Breach Report 2025 (2025)
- Mandiant (Google), M-Trends 2025 (2025)
- Flashpoint, The Proactive Defender's Guide to Infostealers (2025)
- Cloudflare, Password reuse is rampant: nearly half of observed user logins are compromised (2025)
- Forbes, 19 Billion Compromised Passwords Create Hacking Arsenal (2025)
- Malwarebytes, RockYou2024: Nearly 10 billion passwords leaked online (2024)
Start here
See what is still exposed in your environment
Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.
Request an exposure assessment