AshetraceGet assessment
Rows of structured data records on a dark surface, representing distinct categories of leaked credential data.

Threat Intelligence

Stealer Logs vs. Data Breaches vs. Combolists: What Is the Difference?

A data breach is stolen data taken from one hacked service. A combolist is recycled email-and-password pairs aggregated from many old breaches. A stealer log is the full haul from a single malware-infected device, captured live. The three differ in freshness and danger, and stealer logs are the worst: Recorded Future indexed 1.95 billion malware combolist credential exposures in 2025.

Key takeaways
  • A data breach is one service's stolen records, often months or years old and frequently hashed. Verizon's 2025 DBIR tied compromised credentials to 22% of breaches.
  • Combolists are recycled aggregations of prior breaches: of 19 billion passwords analyzed in 2025, only 6% were unique (Cybernews study, via Forbes).
  • Stealer logs are fresh, device-scoped captures. Recorded Future indexed 1.95 billion malware combolist credential exposures in 2025 versus just 36 million from database combolists.
  • Only stealer logs routinely carry live session cookies: 276 million did in 2025, or 31% of malware-sourced credentials (Recorded Future).
  • SpyCloud recaptured 17 billion stolen cookies in 2024, the raw material behind MFA-bypass session hijacking.

What's the difference between stealer logs, data breaches and combolists?

They sit at different points in the credential supply chain. A data breach is the source event: attackers steal a table of records from one service. A combolist is downstream recycling, where old breach data gets cleaned, merged and resold as email-and-password pairs. A stealer log is a separate origin entirely, the live output of malware on one device. Recorded Future indexed 1.95 billion credentials from stealer-log combolists in 2025, against only 36 million from database combolists (Recorded Future).

SIDE BY SIDE
DimensionData breachCombolistStealer log
OriginOne hacked serviceRecycled from many breachesLive capture from one device
FreshnessMay be old, often hashed94% reused, mostly staleFreshest
What it carriesRecords, often hashed passwordsEmail and password pairs onlyPasswords plus session cookies
RiskThe source eventPasswords only, low noveltyMost dangerous
Three credential-leak types at a glance
Data breach One hacked service May be old, often hashed The source event Combolist Recycled from many breaches 94% reused, mostly stale Passwords only Stealer log Live capture, one device Passwords + session cookies Freshest, most dangerous
The three sources differ in origin, freshness and what they carry. Stealer logs are the freshest and most dangerous.

For a defender, the distinction is operational, not academic. Each type ages differently, carries different data, and demands a different response. Confuse a stale combolist hit with a fresh stealer-log exposure and you either burn hours chasing a dead password or miss a live session an attacker is already replaying.

Data breaches: the source event

A data breach is the theft of data from a single organization's systems, usually a backend database or application store. The stolen records can be credentials, but often they are hashed passwords, personal data or payment fields, and they reflect that one service at the moment it was hit. IBM put the global average cost of a breach at 4.44 million dollars in 2025 (IBM).

Breach data has two defender-relevant traits: it is single-service, and it can be old by the time you see it. Credentials may be hashed, salted or already rotated, so validity is uncertain. Where the credential is the way in, the damage still lands hard. Breaches driven by compromised credentials cost 4.67 million dollars each and took 246 days on average to identify and contain (IBM Cost of a Data Breach 2025).

$4.44MGlobal average cost of a data breach in 2025 (IBM)
$4.67MAverage cost when compromised credentials were the way in (IBM)
246Average days to identify and contain a credential-based breach (IBM)

What is a combolist, and why is it often stale?

A combolist is a compiled file of username-and-password or email-and-password pairs, aggregated and deduplicated from many prior breaches and leaks. It is recycling, not fresh theft. The 2024 RockYou2024 compilation alone bundled 9.9 billion plaintext passwords drawn from thousands of old breaches (Malwarebytes). The scale is enormous but the novelty is low: of 19 billion passwords analyzed across roughly 200 incidents in 2025, only 6% were unique, meaning 94% were reused or duplicated (Forbes).

Reused versus unique passwords in a 19-billion-password study
94% reused Reused or duplicated, 94% Unique, 6%
Across 19 billion analyzed passwords, only 6% were unique. Combolists are largely recycled. Source: Cybernews study, via Forbes, 2025.

That is why combolists mostly power brute-force credential stuffing rather than precision targeting. Attackers replay the pairs at scale and let password reuse do the work. Verizon found credential stuffing made up a median 19% of all authentication attempts in 2025 (Verizon 2025 DBIR), and Cloudflare observed that 41% of successful logins used a compromised password, with 95% of those attempts coming from bots (Cloudflare).

What is a stealer log, and why is it the most dangerous?

A stealer log is the complete bundle exfiltrated from one device by infostealer malware, captured in a single live sweep. Unlike a breach table or a recycled combolist, it is fresh and scoped to a real machine that was working when it was hit. Flashpoint counted more than 11.1 million infected devices spilling over 3.3 billion credentials, session cookies and tokens in the most recent year (Flashpoint).

Open one log and the difference from a combolist is obvious. A single log typically carries:

  • Saved browser passwords paired with their exact login URLs, including SSO and VPN portals
  • Active session cookies and refresh tokens that represent already-authenticated sessions
  • A device fingerprint: hostname, operating system, installed apps and local IP
  • Autofill data and, on developer machines, API keys and .env secrets

The session cookie is what makes stealer logs uniquely dangerous. Replaying a valid cookie skips the password and the MFA prompt entirely. Recorded Future found 276 million indexed credentials carried live session cookies in 2025, 31% of all malware-sourced records (Recorded Future), and SpyCloud recaptured 17 billion stolen cookies in 2024 (SpyCloud). Combolists and breach dumps rarely carry that.

1.95BStealer-log credential exposures indexed in 2025 (Recorded Future)
276MOf those carried live session cookies, 31% of malware records (Recorded Future)
17BStolen cookies recaptured from infected devices in 2024 (SpyCloud)

How do the three compare on freshness and validity?

Freshness decides whether a leaked credential still opens a door. Breach data may be stale or hashed by the time it circulates. Combolists are the stalest of all, since they are recycled aggregations where 94% of passwords are reused copies (Forbes). Stealer logs are the freshest, and only they routinely include a live session cookie an attacker can replay before it expires.

Which leak type carries a live session cookie
Stealer logs 31% Combolists ~0% Data breaches ~0%
Share of records carrying a live session cookie, by source. Stealer logs stand alone. Source: Recorded Future, 2025.

Validity tracks with origin too. A combolist hit tells you a password once leaked somewhere; it may have been rotated years ago. A stealer-log hit tells you a specific device was compromised recently and its saved corporate logins, and quite possibly a live session, are in criminal hands right now. Same email in the file, very different urgency.

What each leak type means for defenders

Match by type, then triage by freshness. A combolist match usually means confirm whether the password is still in use and enforce reset or a passkey. A breach match means check reuse across your estate. A stealer-log match is the alarm: assume the device is compromised, revoke live sessions, and rotate every credential that device could reach. Stolen credentials were the second most common initial infection vector in 2025, at 16% (Mandiant M-Trends 2025).

This is where source classification earns its keep. Monitoring that lumps every leak into one bucket buries the fresh stealer-log exposures under mountains of recycled combolist noise. Ashetrace is built to separate them: you verify a domain you control, and it surfaces the stealer-log exposures that carry live sessions, so containment starts with the identities that can still be replayed, not the ones that leaked years ago.

So the useful question is not whether your users appear in a leak. At these volumes, some do, across all three types. The question is which leak they appear in, how fresh it is, and whether a live session is still riding on it.

Frequently asked

What is the difference between a stealer log and a data breach?

A data breach is data stolen from one hacked service, often old and sometimes hashed. A stealer log is the live haul from one malware-infected device, including saved passwords and active session cookies. Recorded Future indexed 1.95 billion stealer-log credential exposures in 2025.

How is a combolist different from a stealer log?

A combolist is recycled email-and-password pairs aggregated from many old breaches, mostly stale. Of 19 billion passwords analyzed in 2025, only 6% were unique (Forbes). A stealer log is fresh, device-scoped malware output that also carries session cookies a combolist almost never includes.

Why are stealer logs more dangerous than combolists?

Because they are fresh and carry live session cookies that bypass MFA. Recorded Future found 276 million indexed credentials, 31% of malware-sourced records, included active session cookies in 2025. Combolists are recycled password pairs with no session, so they mostly enable brute-force credential stuffing.

Are combolist credentials still a threat if they are stale?

Yes, because password reuse keeps them viable. Cloudflare observed 41% of successful logins used a compromised password, and Verizon put credential stuffing at a median 19% of authentication attempts in 2025. Old pairs still open doors wherever users recycled the same password.

How should defenders respond differently to each leak type?

Triage by freshness. A combolist or breach match means check reuse and enforce reset. A stealer-log match means assume device compromise, revoke live sessions and rotate reachable credentials. IBM found credential-based breaches took 246 days on average to identify and contain in 2025.

Sources
  1. Recorded Future, 2025 Identity Threat Landscape Report (2025)
  2. SpyCloud, 2025 Identity Exposure Report (2025)
  3. Verizon, 2025 DBIR: Credential Stuffing Research (2025)
  4. IBM, Cost of a Data Breach Report 2025 (2025)
  5. SpyCloud, 6 Takeaways from the IBM Cost of a Data Breach Report 2025 (2025)
  6. Mandiant (Google), M-Trends 2025 (2025)
  7. Flashpoint, The Proactive Defender's Guide to Infostealers (2025)
  8. Cloudflare, Password reuse is rampant: nearly half of observed user logins are compromised (2025)
  9. Forbes, 19 Billion Compromised Passwords Create Hacking Arsenal (2025)
  10. Malwarebytes, RockYou2024: Nearly 10 billion passwords leaked online (2024)
Share

Start here

See what is still exposed in your environment

Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.

Request an exposure assessment