
Your Stolen Credentials Are Worth $15: Inside the Breach Data Economy

LeakedSource Team

When the XSS.IS Combolist surfaced in February 2019 with 2.47 billion email-password pairs, most victims had no idea their credentials were already being bought, sold, and weaponized across dozens of criminal marketplaces. This wasn't an isolated incident—it was a product catalog.

The cybercrime economy runs on stolen data, and business is booming. With over 20 billion breach records now indexed and circulating in underground markets, your personal information has likely been packaged, priced, and sold multiple times over. Here's how that economy actually works.

The Supply Chain of Stolen Data

Breach data doesn't simply appear on the dark web. It flows through a sophisticated supply chain with distinct roles and profit margins at every level.

Initial Access Brokers are the wholesalers. They compromise databases, deploy info-stealing malware, or purchase access to already-compromised systems. The 13,795 stealer log breaches in our database represent the most common source material—malware that silently harvests passwords, cookies, and autofill data from infected devices.

These logs get bundled and sold to data aggregators who compile massive collections. Notice the pattern in our top breaches: "Combolists," "Collections," and aggregations like Verifications.io (722 million records) that merge multiple sources. Aggregators don't just resell raw data—they clean it, deduplicate it, and organize it by value.

Retail distributors then break these collections into specialized products: healthcare databases, financial credentials, social media accounts, or streaming service logins. Each category commands different prices based on monetization potential.

What Your Data Is Worth

The economics are brutally efficient. A single email-password combination typically sells for $0.50 to $2 in bulk. Premium credentials—verified banking logins, cryptocurrency exchange accounts, or corporate email access—can fetch $50 to $500 each.

But volume is where real money gets made. The Ga$$Pacc Collection contained 518 million email-password pairs. Even at wholesale prices of $0.03 per credential, that represents potential revenue exceeding $15 million for the aggregator, with minimal operating costs beyond server hosting.

This explains why 1,822 breaches in our database contain plaintext passwords rather than hashes. Criminals know plaintext credentials are immediately monetizable through credential stuffing attacks, while hashed passwords require expensive cracking operations that reduce profit margins.

The Combolist Business Model

Combolists—amalgamated credential lists from multiple breaches—represent the most sophisticated product in this economy. The top three breaches by volume are all combolists, totaling over 5 billion records combined.

These collections serve a specific criminal need: credential stuffing automation. Because people reuse passwords across an average of 13 accounts, a combolist dramatically increases the success rate of automated account takeover attacks. A criminal pays once for the Misc Combolists collection (1.9 billion records from December 2015) and can test those credentials against thousands of websites indefinitely.

The profit model is straightforward:

  • Purchase combolist access: $50-$500 depending on freshness and size
  • Run automated credential stuffing tools against target websites
  • Successfully compromise 0.1%-2% of accounts (industry average)
  • Monetize compromised accounts through fraud, resale, or ransom

On a combolist with 100 million credentials, even a 0.5% success rate yields 500,000 working account logins.
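The replay pattern this model depends on is also what a defender can look for. Added example (not LeakedSource code): it scans constructed login-log lines for a single source address failing across many distinct accounts inside a short window, and lists the accounts that source did get into; the log format, field names and thresholds are assumptions.

```python
# Added example (not LeakedSource code): flag credential-stuffing activity in
# a web-login log. Replaying a combolist makes one source address fail across
# many distinct usernames within a short window, which separates it from a
# user mistyping a password or a brute force against a single account.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: 203.0.113.5 sprays five accounts and lands one;
# 198.51.100.7 is a real user who fumbles once; 192.0.2.9 brute-forces
# a single account (a different signal, deliberately not flagged here).
SAMPLE_LOG = """\
2019-02-14T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-02-14T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-02-14T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2019-02-14T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2019-02-14T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-02-14T10:00:10Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-02-14T10:00:15Z ip=198.51.100.7 user=grace@example.com result=OK
2019-02-14T10:01:00Z ip=192.0.2.9 user=heidi@example.com result=FAIL
2019-02-14T10:01:01Z ip=192.0.2.9 user=heidi@example.com result=FAIL
2019-02-14T10:01:02Z ip=192.0.2.9 user=heidi@example.com result=FAIL
"""

def detect_stuffing(log_text, window_s=60, min_users=5):
    """Map each source IP that touched >= min_users distinct accounts inside
    any window_s-second span to its peak window: distinct users, failures,
    and the accounts it logged into (the ones to reset first)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        events[m[2]].append((ts, m[3], m[4]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and len(users) > flagged.get(ip, {}).get("users", 0):
                flagged[ip] = {"users": len(users),
                               "fails": sum(r == "FAIL" for _, _, r in span),
                               "hits": sorted(u for _, u, r in span if r == "OK")}
    return flagged
```

Keying on the source IP alone misses stuffing spread across proxy pools, so in production the same fan-out check is usually also run per ASN, per user-agent fingerprint and site-wide (distinct usernames failing per minute against a baseline).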

The Stealer Log Explosion

Recent breach patterns reveal a concerning shift in the supply chain. Notice that the five most recent breaches are all "uploaded by a Telegram User"—stealer logs shared through instant messaging platforms rather than traditional dark web markets.

This represents the democratization of cybercrime. Info-stealing malware has become so widespread and user-friendly that low-level criminals now harvest credentials directly rather than purchasing them from established vendors. The 13,795 stealer log breaches tracked in our database dwarf the 4,084 traditional database breaches, indicating that malware-based harvesting has become the primary collection method.

These stealer logs are particularly dangerous because they contain fresh credentials that victims haven't yet changed, along with session cookies that let an attacker reuse an already-authenticated session and so sidestep two-factor authentication.

Why This Economy Persists

The breach data marketplace thrives because of one fundamental reality: password reuse. Our database contains 15,709 breaches with plaintext passwords—billions of credentials that criminals can test across the internet.

When Pemiblanc exposed 344 million email-password combinations in April 2018, the immediate concern wasn't just those specific accounts. It was the cascade effect: how many victims used the same password for their email, banking, social media, and work accounts?

Criminals bet on that reuse, and the math works in their favor. Even after accounting for defunct accounts, changed passwords, and detection systems, the ROI on purchased breach data remains extraordinarily high.

Protecting Yourself in This Economy

You cannot prevent breaches, but you can make your data worthless to the criminals who purchase it:

Use unique passwords for every account. Password managers eliminate the reuse that makes combolists profitable. If your credentials appear in a breach, the impact is isolated to that single service.

Enable two-factor authentication everywhere possible. While stealer logs can capture session cookies, time-based codes significantly reduce the window for exploitation.

Check your exposure regularly. Understanding which breaches contain your information helps you prioritize password changes and monitor for fraud. You might be surprised to discover your credentials in breaches you've never heard of.

Your email address likely appears in multiple breaches among the 20+ billion records circulating in underground markets. The question isn't whether your data has been stolen—it's whether criminals can still profit from it.

Check which breaches have exposed your information and take action before your credentials reach the next combolist. Visit LeakedSource to search our database of over 20 billion breach records and discover your real exposure.
