When the XSS.IS Combolist surfaced in February 2019 with 2.47 billion records, security professionals worldwide shook their heads in dismay. Not because of the breach's massive scale—though that was staggering—but because every single password was stored in plaintext.
These weren't encrypted. They weren't hashed. They were sitting in databases as readable text: "Password123," "iloveyou," "qwerty." Anyone with access could read them instantly, no decryption required.
The most troubling revelation? This wasn't an anomaly. It's the norm.
The Plaintext Epidemic: By the Numbers
Our analysis of 12,774 confirmed data breaches reveals a disturbing pattern. Plaintext passwords appear in 8,733 breaches—making them the single most commonly exposed data type in our entire database. That represents 68% of all tracked breaches containing passwords stored in a format that security experts universally condemn as negligent.
Consider the scale of exposure:
- XSS.IS Combolist: 2.47 billion records with plaintext passwords
- Misc Combolists: 1.93 billion records with plaintext passwords
- Ga$$Pacc Collection: 518 million records with plaintext passwords
- AntiPublic: 348 million records with plaintext passwords
- Pemiblanc: 344 million records with plaintext passwords
These aren't small startups or hobby projects. These massive breach collections represent thousands of services, from e-commerce platforms to social networks, all making the same catastrophic decision.
Why Organizations Still Store Plaintext Passwords
You might wonder: if storing plaintext passwords is universally recognized as terrible practice, why does it keep happening? The reasons range from incompetence to intentional negligence:
Legacy systems nobody wants to touch. Older platforms built before modern security standards often store passwords in plaintext. Migrating to hashed passwords requires system overhauls that organizations continuously postpone.
Developers who don't know better. Not every software engineer receives formal security training. Some genuinely don't understand why plaintext storage is dangerous, especially in smaller companies without dedicated security teams.
Intentional design choices. Some services store plaintext passwords deliberately because they need to authenticate with third-party systems or want the ability to email passwords to users. This reveals a fundamental misunderstanding of security architecture.
Database breaches vs. stealer logs. Our data shows 7,005 breaches classified as stealer logs—malware that captures credentials as users type them. While these aren't storage issues, they demonstrate another vector where passwords appear in plaintext before they're even hashed.
The Real-World Impact on You
When your password exists in plaintext somewhere, the damage from a breach is immediate and total. Unlike hashed passwords (which require computational effort to crack), plaintext passwords are instantly usable.
Here's what happens the moment a plaintext password database leaks:
Credential stuffing attacks begin within hours. Attackers upload email-password pairs to automated tools that test them across thousands of websites. If you reused that password anywhere, every account becomes vulnerable.
Your password enters permanent circulation. The massive combolists in our database—collections aggregating credentials from multiple breaches—grow with each new leak. Your plaintext password becomes part of attackers' permanent reference libraries.
Password reset emails become attack vectors. Some companies still email passwords instead of reset links. If attackers breach that email provider and find your credentials in plaintext, they can access your other accounts.
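The credential-stuffing pattern described above has a recognisable signature in authentication logs: one source address trying a single password against many different accounts in a short window, which is the opposite shape of a brute-force attack against one account. The detector below is an added example written for this article, not tooling from LeakedSource; the log line format, the IP addresses (documentation ranges), the user names and the thresholds are all constructed assumptions, so adapt the regular expression and the limits to your own login logs.

```python
"""Flag credential-stuffing sources in a login log (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this demo: "<iso-timestamp> ip=<addr> user=<name> result=<success|fail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)

# Constructed sample: 203.0.113.7 sprays eight different accounts in seconds
# (stuffing), 198.51.100.4 is a normal user with one typo, 192.0.2.9 hammers one
# account (brute force, deliberately NOT matched by this rule).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=carol result=success
2024-03-01T10:00:04 ip=203.0.113.7 user=dave result=fail
2024-03-01T10:00:05 ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:06 ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:07 ip=203.0.113.7 user=grace result=fail
2024-03-01T10:00:08 ip=203.0.113.7 user=heidi result=fail
2024-03-01T10:01:00 ip=198.51.100.4 user=alice result=fail
2024-03-01T10:01:20 ip=198.51.100.4 user=alice result=success
2024-03-01T10:02:00 ip=192.0.2.9 user=bob result=fail
2024-03-01T10:02:05 ip=192.0.2.9 user=bob result=fail
2024-03-01T10:02:10 ip=192.0.2.9 user=bob result=fail
2024-03-01T10:02:15 ip=192.0.2.9 user=bob result=fail
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_stuffing(events, window_minutes=5, min_distinct_users=5):
    """Return {ip: stats} for sources that touched >= min_distinct_users distinct
    accounts inside any sliding window of window_minutes.

    Many accounts from one source is the stuffing signature; many attempts on one
    account is brute force and is left to a different rule on purpose.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best_distinct, best_successes, start = 0, 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_minutes.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            distinct = len({e["user"] for e in in_window})
            if distinct > best_distinct:
                best_distinct = distinct
                best_successes = sum(e["result"] == "success" for e in in_window)
        if best_distinct >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": best_distinct,
                "successes": best_successes,   # successes are the accounts to force-reset
                "attempts": len(evs),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing suspected from {ip}: {stats}")
```

The single success from the flagged source is the actionable output: those are the accounts whose reused passwords were valid and should be reset and notified, while the source itself is a candidate for rate limiting.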
The Contrast: Properly Hashed Passwords
Compare plaintext storage to proper hashing. MySpace's 2008 breach exposed 301 million accounts, but passwords were hashed. While not invincible, hashed passwords require significant computational resources to crack. Many remain uncracked years after exposure.
The difference in risk is astronomical. A properly hashed password using modern algorithms (bcrypt, scrypt, Argon2) might take years to crack. A plaintext password is compromised the instant the database leaks.
Yet only 2,458 breaches in our database used password hashing—less than 20% of the total. The proportion should be 100%.
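To make the contrast concrete, here is the negligent scheme next to the correct one, using scrypt from the Python standard library (one of the three algorithms the article names). This is an added example, not code from the article or from any of the breached services; the record format, the scrypt cost parameters and the lazy-migration helper (which addresses the legacy-system excuse from earlier in the article: rehash at the user's next successful login instead of an all-at-once overhaul) are assumptions made for the demo.

```python
"""Plaintext storage versus salted scrypt storage (added example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed cost parameters for this demo: n=2**14, r=8, p=1 uses about 16 MiB per
# hash. Production deployments should tune n upward to the slowest acceptable
# login time on their own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2 ** 14, 8, 1, 32
SCRYPT_MAXMEM = 64 * 1024 * 1024
RECORD_PREFIX = "$scrypt$"


def store_plaintext(password: str) -> str:
    """What 8,733 of the tracked breaches did: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record in the assumed format '$scrypt$n$r$p$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: identical passwords get different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=SCRYPT_DKLEN)
    return f"{RECORD_PREFIX}{SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the salt and parameters stored in the record; compare in constant time."""
    _, scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported record format")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            maxmem=SCRYPT_MAXMEM, dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


def upgrade_on_login(stored: str, supplied: str) -> Tuple[bool, str]:
    """Lazy migration for a legacy plaintext column.

    Returns (authenticated, record_to_write_back). A plaintext record that
    authenticates is replaced by a scrypt record, so the column converts itself
    one successful login at a time. Assumes no real plaintext password starts
    with the record prefix.
    """
    if stored.startswith(RECORD_PREFIX):
        return verify_hashed(supplied, stored), stored
    if hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8")):
        return True, store_hashed(supplied)
    return False, stored


if __name__ == "__main__":
    pw = "Password123"  # one of the values the article quotes from the leaked data
    print("plaintext record:", store_plaintext(pw))   # leak = immediate compromise
    rec = store_hashed(pw)
    print("hashed record:   ", rec)                   # leak = per-guess scrypt work
    print("verify correct:  ", verify_hashed(pw, rec))
    print("verify wrong:    ", verify_hashed("password123", rec))
    ok, new_rec = upgrade_on_login(store_plaintext(pw), pw)
    print("legacy row migrated:", ok, new_rec.startswith(RECORD_PREFIX))
```

The two records for the same password look nothing alike: the plaintext row hands the attacker the credential, while the scrypt row forces one full memory-hard computation per guess and, thanks to the per-user salt, cannot be cracked for many users at once with a single precomputed table.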
Three Actions to Protect Yourself Today
Given that plaintext password storage shows no signs of disappearing, you need defensive strategies:
1. Assume every password will eventually leak. Use a unique password for every account. Password managers make this practical. When a breach occurs, only one account is compromised.
2. Check if your credentials are already exposed. Our database tracks over 18.9 billion leaked records across 12,774 breaches. Discovering your passwords in plaintext databases allows you to change them before attackers exploit them.
3. Enable multi-factor authentication everywhere possible. Even if attackers obtain your plaintext password, MFA creates an additional barrier they can't easily bypass.
The plaintext password problem isn't going away. Between legacy systems, inadequate development practices, and plain negligence, billions of credentials will continue leaking in readable format. Organizations that store your passwords in plaintext are gambling with your security—and the house always loses eventually.
Don't wait for the next massive combolist to surface with your credentials. Check if your email addresses and passwords are already circulating in plaintext databases at LeakedSource—because if 8,733 breaches have taught us anything, it's that hoping for proper security practices isn't a strategy.