Database Leaks? Compilations? Infostealer Malware? Combolists? Oh my!
The credential economy has evolved dramatically. What began with opportunistic database breaches in the late 2000s has transformed into a sophisticated supply chain where credentials are harvested, aggregated, and weaponized at industrial scale.
Today's threat landscape doesn't wait for companies to get breached. Infostealers silently extract credentials from endpoints. Combolists automate credential stuffing across thousands of targets simultaneously. And somewhere in an underground market, your employee's reused password from 2012 is being tested against your VPN right now.
The problem isn't just that credentials leak - it's that security teams are drowning in alerts about decade-old breaches while fresh, actively exploitable credentials slip through unnoticed.
1. Database Leaks -- The OG
A database leak is exactly what it sounds like: a compromised application or service exposes its user database. That database often contains emails, usernames, and passwords - sometimes hashed, sometimes poorly hashed, and occasionally stored in plaintext (because 2009 was a wild time).
RockYou (2009)
Over 32 million plaintext passwords. To this day, rockyou.txt remains a rite of passage in penetration testing labs everywhere.
Sony PSN (2011)
77 million accounts exposed. The network went dark for 23 days. It showed how authentication failures cascade into operational disasters.
Database leaks are static. They represent a moment in time: a snapshot of poor password hygiene and inadequate security controls. They are the fossils of the credential leak landscape.
2. Compilations -- The Franken-Lists
Imagine someone took dozens (or hundreds) of database leaks and stitched them together into one massive credential monster. That's a "compilation."
Compilations aggregate breached credentials from multiple incidents into unified searchable datasets. They're often deduplicated, reformatted, and enriched. It's like a Spotify playlist but for identity theft.
"Unlike single database leaks, compilations create scale. If database leaks are fossils, compilations are the museum gift shop."
A famous example is COMB 2021 (Compilation of Many Breaches) - a mega-compilation claiming over 3.2 billion credentials.
3. Infostealer Malware -- The Future Is Now
Here's where things get modern. And uncomfortable. Infostealers are malware families designed specifically to extract credentials, session tokens, browser data, and crypto wallets from infected endpoints.
Unlike database leaks, these aren't server-side breaches. They're client-side harvests. An employee clicks a malicious attachment, or a contractor installs a "free" video converter, and suddenly all of the following are in an attacker's hands:
- Browser-stored passwords
- Autofill data
- Session cookies
- Saved VPN credentials
- SSH keys
- Desktop wallet files
Modern families like RedLine, Raccoon, Vidar, and META have turned credential theft into an automated assembly line. Infostealers don't wait for companies to get breached; they turn individuals into breach vectors.
4. Combolists -- Automation's Favorite Snack
A combolist is a structured list of email:password pairs, often harvested from database leaks and infostealer logs. These lists are designed for one purpose: automation and unauthorized access at massive scale.
Tools like OpenBullet and SilverBullet allow attackers to load combolists and test credentials against specific websites using configurable "configs." Attackers don't care where the credentials came from - only whether they still work.
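A defender-side triage of data in this format, as an added example that is not from the original article: it parses constructed email:password lines, keeps only accounts on a monitored domain, and records a password fingerprint instead of the plaintext. The `;` delimiter variant, the function names and all sample data are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample lines in the email:password layout described above.
# All addresses and passwords are invented for this example.
SAMPLE_COMBOLIST = """\
alice@example.com:Summer2012!
bob@example.com:p:ss:word
ALICE@example.com:Summer2012!
carol@other.test:hunter2
dave@example.com;semicolon-delimited
not-a-credential-line
@example.com:missinguser
erin@example.com:
"""

def parse_line(line):
    """Return (email, password), or None for a malformed line."""
    line = line.strip()
    # Split on the FIRST delimiter only: passwords may contain ':' or ';'.
    positions = [p for p in (line.find(":"), line.find(";")) if p != -1]
    if not positions:
        return None
    cut = min(positions)
    email, password = line[:cut].strip().lower(), line[cut + 1:]
    local, at, domain = email.partition("@")
    if not (local and at and "." in domain and password):
        return None
    return email, password

def exposed_accounts(text, monitored_domains):
    """Map each monitored-domain email to fingerprints of its leaked passwords."""
    monitored = {d.lower() for d in monitored_domains}
    hits = defaultdict(set)
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        email, password = parsed
        if email.rsplit("@", 1)[1] in monitored:
            # Keep a truncated SHA-256 fingerprint for deduplication so the
            # plaintext password never appears in the triage output.
            digest = hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]
            hits[email].add(digest)
    return {email: sorted(fps) for email, fps in hits.items()}

if __name__ == "__main__":
    for email, fps in sorted(exposed_accounts(SAMPLE_COMBOLIST, ["example.com"]).items()):
        print(email, len(fps), "distinct leaked password(s)", fps)
```

Accounts that surface here are candidates for a forced password reset and session revocation; the fingerprint only serves to deduplicate repeated entries across lists.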
The Whiteintel Approach
Most threat intelligence platforms ingest everything. Every ancient database leak. Every recycled compilation. The result? Alert Fatigue.
[Comparison figure: Traditional Vendor vs. Whiteintel Workflow]
In 2026, the question isn't whether your credentials will leak. It's whether you'll identify the actively exploitable ones in time to respond.