When you search your email on LeakedSource and see your credentials in multiple breaches, one critical detail often goes unnoticed: whether each breach is verified or unverified. Across our database of 15,415 tracked incidents affecting 18.9 billion records, 10,276 breaches carry verified status, which leaves roughly one-third of tracked incidents in an uncertain state that requires a different response strategy.
What Makes a Breach "Verified"?
A verified breach means security researchers have confirmed the data's authenticity through multiple validation methods: cross-referencing with legitimate user accounts, analyzing database structures that match known company schemas, or obtaining direct confirmation from affected organizations. When you see your password from the 2019 Verifications.io leak (722 million records), that's verified—researchers confirmed those 722,745,807 records came from legitimate marketing databases.
Unverified breaches occupy murkier territory. These often surface through underground forums, Telegram channels, or criminal marketplaces where provenance cannot be immediately confirmed. Looking at our most recently dated incidents, all five are labeled as "uploaded by a Telegram User". Incidents like these need additional scrutiny before they can be called authentic corporate breaches rather than fabricated or recycled data.
The Combolist Problem: Real Data, Unclear Origins
Here's where verification becomes genuinely complex: combolists. The XSS.IS Combolist tops our database with 2.47 billion records, while the Misc Combolists collection contains 1.93 billion entries. These massive aggregations combine credentials from hundreds or thousands of separate incidents, making source verification nearly impossible for individual records.
Your email and password might appear in a combolist for three reasons: it came from a legitimate breach years ago, it was obtained through malware on your device, or it's recycled from another combolist. The credential itself may be real—it might actually unlock your account—but labeling it "verified" would require confirming each individual record's origin, an impossibility at billion-record scale.
This matters because 1,717 incidents in our database carry the dual classification "Database,Combolist," representing this verification challenge. Your response shouldn't change based on verification status when your actual password appears, but understanding the source helps you assess whether the breach represents a new corporate failure or recycled historical data.
Stealer Logs: The Unverified Majority
The breach type distribution reveals a telling pattern: 9,608 incidents—62% of all tracked breaches—are categorized as stealer logs. These come from malware infections that harvest credentials directly from browsers, applications, and system files, then upload the data to criminal infrastructure.
Stealer logs present the ultimate verification paradox. The credentials are undeniably real (they were extracted from actual devices), but they're rarely "verified" in the traditional sense because there's no single corporate source to confirm. When LogsPlanet ProjectLogsPlanet appears with 13,742 records uploaded via Telegram, that data likely came from malware victims—real people with real passwords—but lacks the corporate paper trail that would enable traditional verification.
This is why 11,345 breaches in our database contain plaintext passwords despite only 1,822 being formally categorized that way—stealer logs capture passwords exactly as you typed them, without the corporate database layer that might hash or encrypt them.
Your Action Plan: Verification Shouldn't Determine Urgency
If you find your credentials in an unverified breach:
- Change the password immediately if you still use it anywhere
- Assume the data is real until proven otherwise—criminals don't traffic in fake credentials
- Enable two-factor authentication on the affected account, which protects you regardless of verification status
- Check if you've reused that password elsewhere using a password manager's audit feature
If you find your credentials in a verified breach:
- Follow the exact same steps above—verification confirms the source, not the risk level
Understanding the distinction helps you prioritize:
Verified breaches often include context (company name, breach date, exposed data types) that helps you remember if you actually had an account there. The 503 million Weibo records are verified, so if you've never used that Chinese social platform, you can deprioritize that particular exposure. Unverified combolists require you to assume the worst and act accordingly.
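The steps above can be worked through as a small triage script. This is an added example, not LeakedSource code: it groups breach hits by exposed password, checks a password-manager export for accounts still using each one, and keeps verification status as context rather than as a driver of urgency. The field names, CSV columns, "Stealer Logs" label and all sample data are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample hits, as a breach search might list them. The field names and
# the "Stealer Logs" label are assumptions; "Database,Combolist" is the page's own.
EXPOSURES = [
    {"source": "ExampleCorp", "types": "Database", "verified": True, "password": "Summer2019!"},
    {"source": "Sample combolist", "types": "Database,Combolist", "verified": False, "password": "Summer2019!"},
    {"source": "Sample Telegram upload", "types": "Stealer Logs", "verified": False, "password": "tr0ub4dor&3"},
    {"source": "OldForum", "types": "Database", "verified": True, "password": "retired-2008"},
]

# Constructed password-manager export; the column names are an assumption.
VAULT_CSV = """name,username,password
mail,alice@example.com,Summer2019!
bank,alice@example.com,correct-horse-battery
forum,alice,Summer2019!
shop,alice@example.com,tr0ub4dor&3
"""

def triage(exposures, vault_csv):
    """Group hits by exposed password and list the vault entries still using it."""
    vault = list(csv.DictReader(io.StringIO(vault_csv)))
    grouped = {}
    for hit in exposures:
        g = grouped.setdefault(hit["password"], {"sources": [], "types": set(), "verified": False})
        g["sources"].append(hit["source"])
        # A dual classification such as "Database,Combolist" contributes both labels.
        g["types"].update(t.strip() for t in hit["types"].split(","))
        g["verified"] = g["verified"] or hit["verified"]
    plan = []
    for password, g in grouped.items():
        in_use = sorted(row["name"] for row in vault if row["password"] == password)
        plan.append({
            "rotate": in_use,                      # accounts to change and put behind 2FA
            "urgent": bool(in_use),                # driven by live use, not by verification
            "source_confirmed": g["verified"],     # context only
            "device_malware_suspected": "Stealer Logs" in g["types"],
            "sources": g["sources"],
        })
    # Most widely reused password first; the plaintext itself is never put in the plan.
    plan.sort(key=lambda item: len(item["rotate"]), reverse=True)
    return plan

if __name__ == "__main__":
    for item in triage(EXPOSURES, VAULT_CSV):
        print(item)
```

In the sample, the password seen only in an unverified Telegram upload is still urgent because one account uses it, while the verified hit for a retired password yields nothing to rotate.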
The bottom line: whether facing the verified MySpace breach from 2008 (301 million records) or an unverified Telegram upload from last week, your password's appearance in any database accessible to criminals demands the same response—change it, secure the account, and never reuse that credential again.
Check Your Exposure Now
With nearly 19 billion records spanning both verified corporate breaches and unverified criminal marketplaces, your credentials likely appear somewhere in our database. Verification status helps you understand the source, but shouldn't change your urgency to protect yourself.
Search your email address at LeakedSource to see exactly which breaches—verified or not—contain your information, then take action before criminals do.