The Hotmail Combolist: 21 Million Passwords Exposed. Yours Might Be One.

In January 2022, a massive combolist targeting Hotmail users was compiled and later posted on a popular hacking forum in January 2024. The dataset contained over 21 million records consisting of Hotmail email addresses paired with their corresponding plaintext passwords. Because the passwords are stored in plaintext, every single credential in this collection is immediately usable by any attacker who downloads it, with no decryption or cracking required. This breach occured at a scale that puts millions of Microsoft account holders at direct and ongoing risk.

What Attackers Can Do With 21 Million Hotmail Credentials

A combolist of this size gives attackers an enormous ready-to-use arsenal for credential stuffing. Automated tools can test all 21 million email and password pairs against Outlook, OneDrive, Microsoft 365, LinkedIn, banking portals, and thousands of other services within days. Because Hotmail addresses are frequently used as recovery emails or linked to business accounts, a single compromised credential can cascade into access to corporate email, cloud storage, and financial accounts. Attackers also use large combolists to build targeted phishing campaigns, as a verified working credential is far more partcularly convincing than a generic approach.

What Was Exposed in the Hotmail Combolist Breach

• Email Address
• Plaintext Password

Why 21 Million Leaked Credentials Is a Mass-Scale Threat

Combolists aggregated from multiple sources and distributed on public hacking forums represent one of the most accessable forms of attack material available to cybercriminals. Unlike targeted breaches, combolists are shared freely or sold cheaply, meaning low-skill actors can participate in large-scale account takeover operations. The Hotmail Combolist is especially dangerous because Hotmail and Outlook addresses are widely used not only for personal communication but as the primary identity layer for Microsoft services including Xbox, Azure, and enterprise Office 365 environments. When a personal account falls, it often takes corporate accounts with it.

How Database Breaches Work

A database breach or combolist compilation occurs when an attacker aggregates credentials from multiple sources, including prior breaches, phishing campaigns, and credential stuffing results. The resulting dataset is cleaned, deduplicated, and packaged for distribution. Combolists targeting specific email providers like Hotmail are particularly valuable because they can be used to directly attack the email service itself, giving attackers access to password reset flows for every other account the victim has registered with that address. Once posted on a hacking forum, the data spreads rapidly and is downloaded by thousands of actors worldwide.

Check If Your Data Was Exposed

HEROIC's DarkWatch database indexes over 400 billion breached records, including data from the Hotmail Combolist. Visit HEROIC.com to run a free scan on your email address and find out immediately if your credentials are in circulation. If your Hotmail or Outlook address appears in this dataset, change your Microsoft account password now, review all accounts using that email as a login or recovery address, and enable two-factor authentication across every service you can.