The XSS.IS Combolist Gives Hackers 2.4 Billion Login Pairs

HEROIC analysts recieved reports of the XSS.IS Combolist being distributed across multiple underground forums and Telegram channels in February 2019. The dataset contained 2,472,611,041 records aggregated from numerous prior breaches, with email addresses, usernames, and plaintext passwords all bundled into a single file optimized for automated credential stuffing. The sheer scale of the list made it one of the largest publicly circulating credential compilations of its era, and its continued presence in underground markets years later confirms it has not lost its operational value for threat actors.

What the XSS.IS Combolist Gives Attackers: 2.4 Billion Ready-to-Use Login Pairs

Unlike breaches where passwords must be cracked from hashes, the XSS.IS Combolist contains plaintext passwords that are immediately usable. Attackers can load these pairs directly into credential stuffing tools and run automated login attempts against email providers, banking portals, e-commerce sites, and corporate VPN gateways without any additional processing. The accessable format of this list means even low-skill threat actors can launch account takeover campaigns at scale with minimal setup.

What Was Exposed in the XSS.IS Combolist Breach

• Email Address
• Username
• Plaintext Password

Why 2.4 Billion Plaintext Credentials Is a Threat to Everyone

The XSS.IS Combolist represents the compounded damage of dozens of seperate breaches merged into a single attack-ready weapon. Even users who were not directly affected by any individual underlying breach may find their credentials in this list if data from smaller or less-publicized incidents was included. Plaintext passwords are immediately exploitable for credential stuffing, account takeover, and identity theft. When attackers filter this list by domain, corporate accounts become targets. A single employee whose old password appears in this combolist can become an entry point into an entire organization's systems.

How a Database Breach Works

Combolists like the XSS.IS dataset are the end product of aggregating records from multiple individual database breaches. Each contributing breach involves unauthorized access to a specific platform's user database, typically through exploitation of application vulnerabilities, stolen administrative credentials, or third-party supply chain compromises. The extracted records are then cleaned, merged, and deduplicated before being published or sold. Because plaintext passwords require no further processing, combolists of this type are among the most immediately dangerous artifacts in the breach ecosystem.

Check If Your Data Was Exposed

With over 2.4 billion records in circulation, the chances that your email address appears in the XSS.IS Combolist or one of its source breaches are significant. HEROIC's free breach scanner searches across more than 400 billion records from known data exposures to tell you exactly where your information has appeared. Check your email now and find out what attackers may already know about your accounts.