When you search your email on a breach monitoring service, you're trusting that the data behind those results is legitimate. But here's something most people don't realize: more than one-third of all tracked data breaches remain unverified.
Out of 14,355 breaches in our database containing 18,973,032,475 records, only 9,216 have been confirmed as legitimate. That leaves 5,139 breaches—and potentially billions of records—in an uncertain state. Understanding this distinction isn't just technical trivia; it's critical to knowing how seriously you should take a breach notification.
What Makes a Breach "Verified"?
A verified breach means cybersecurity researchers have confirmed the data is authentic and tied to a specific security incident. This confirmation typically involves:
- Cross-referencing data patterns against known service architectures
- Direct confirmation from affected companies (though many never publicly acknowledge breaches)
- Validation through multiple independent sources
- Analysis of data freshness and uniqueness
When you see massive collections like the XSS.IS Combolist (2.47 billion records) or Verifications.io (722 million records), these have been vetted by security professionals. The data types, leak dates, and sources have been confirmed as legitimate.
Unverified breaches, on the other hand, may be:
- Duplicate data repackaged under new names
- Fabricated credentials created for fraud
- Legitimate breaches that haven't been independently confirmed yet
- Partial or corrupted datasets from unclear sources
The Combolist Problem
Look closely at the largest breaches in our database, and you'll notice something revealing: many are labeled as "combolists." The XSS.IS Combolist alone contains over 2.4 billion records, while the Misc Combolists collection includes nearly 2 billion more.
Combolists are aggregations of credentials from multiple breaches, often compiled by cybercriminals and shared on underground forums. They're valuable to attackers because they enable credential stuffing attacks—automated attempts to reuse stolen passwords across multiple services.
Here's the verification challenge: a combolist might contain legitimate credentials from 50 different breaches, but without the original source context, it's difficult to verify which specific companies were compromised. You know the email and password combination leaked somewhere, but the exact origin may remain unclear.
This is why 1,717 breaches in our database are categorized as "Database,Combolist"—they're confirmed data leaks, but their provenance is complex.
Why Verification Status Matters to You
If you appear in a verified breach, you can take specific action. For example, if the 2019 Verifications.io breach exposed your email and phone number, you know exactly what information leaked and can watch for targeted phishing attempts using that data.
If you appear in an unverified breach, the situation is murkier. Your credentials might be:
- Legitimately compromised, just not yet traced to a specific incident
- Part of a credential testing database that criminals use but may not work
- Included due to password reuse from an older, unrelated breach
The smart approach? Treat all breach notifications seriously, but prioritize verified breaches for immediate action.
The Stealer Log Surge
One reason for the verification challenge: the explosion of stealer log breaches. Our database now tracks 8,548 stealer log incidents—malware-harvested credentials from infected devices. These are overwhelmingly real and dangerous, but their distributed nature makes traditional verification difficult.
Notice the recent breach dates? Multiple incidents from March and April 2026 show small collections (6,831 to 52,169 records) uploaded by Telegram users. These are likely fresh stealer log dumps—legitimate credentials, but from targeted malware campaigns rather than company database breaches.
The data types tell the story: "Plaintext Password" appears in 10,285 breaches, often alongside URLs and email addresses—the classic fingerprint of info-stealing malware that captures browser-saved credentials.
Your Action Plan
Whether a breach is verified or not, finding your credentials in any database requires immediate response:
-
For verified breaches with plaintext passwords (1,822 in our database): Change those passwords immediately, starting with email and financial accounts
-
For unverified breaches: Still change the password, but prioritize based on account sensitivity
-
For stealer log appearances: Run a full malware scan—if your credentials were harvested by malware, password changes won't help if the infection remains
-
For combolist appearances: Audit everywhere you reused that password combination
Check Your Exposure Now
With nearly 19 billion records across 14,355 breaches, the question isn't whether your data has leaked—it's where and how many times. Verification status helps you prioritize your response, but every appearance is a risk.
Don't wait for the next mega-breach headline. Search your email, phone number, or username now at LeakedSource to see your complete exposure profile across both verified and unverified breaches. Our database updates continuously with new intelligence, giving you the complete picture of your digital footprint in the breach ecosystem.
Your credentials are already out there. The only question is whether you know about it.