Massive “Combo List 93M” Surfaces on Dark Web, Exposing Millions of Emails

WEST PALM BEACH, FL – A newly circulated credential database called Combo List 93M has emerged on underground forums, raising concerns for millions of email account holders. The massive compilation – reportedly containing over 93 million records – is being distributed within cybercriminal communities for use in credential-stuffing and phishing campaigns.

What Is Combo List 93M?

Unlike a traditional “data breach” tied to a single company, Combo List 93M appears to be an aggregation of previously leaked credentials pulled from multiple sources. These so-called combo lists package together vast numbers of usernames and passwords, often filtered by domain (for example, targeting Hotmail or Outlook users), and then resold or shared among attackers.

Security researchers note that these lists typically contain:

• Email addresses
• Passwords (plaintext or hashed, depending on the source)
• Other login credentials collected by infostealer malware

Even though the data may be old, criminals leverage it in automated credential-stuffing attacks, where bots test the combinations across banking sites, e-commerce portals, and email providers. Since password reuse is still common, many of these combos remain valid.

Exposure Alerts Already Being Sent

Subscribers to identity-protection services such as LifeLock have begun receiving alerts tied to Combo List 93M. In some cases, only the email address is flagged; in others, both email and passwords are included. The exposure date most often cited is July 8, 2025, which corresponds with when the list first appeared for sale on underground forums.

No Evidence of a New Microsoft Breach

Despite the list’s heavy focus on Hotmail and Outlook addresses, there is no indication that Microsoft’s systems were hacked in 2025. Instead, Combo List 93M is best understood as a repurposed dataset of credentials stolen in older breaches, now reassembled and branded with a new name to attract buyers.

What Users Should Do

Cybersecurity experts recommend:

1. Change your password immediately for any account where the same login was reused.
2. Enable two-factor authentication (2FA) wherever available.
3. Check HaveIBeenPwned.com or similar monitoring services to see if your email appears in other known breaches.
4. Be alert for phishing emails that may use your address to appear more convincing.

The Bigger Picture

Combo lists like this one demonstrate how long-lasting the fallout of a breach can be. Even years after the original leaks, recycled credential dumps resurface with new labels, giving cybercriminals fresh opportunities to exploit human habits like password reuse.

---

Snapshot Summary

• Status: No evidence of new corporate breach (Microsoft or otherwise)
• Name: Combo List 93M
• Records: ~93 million
• First Circulation: July 2025
• Data Type: Aggregated email addresses and login credentials from older leaks
• Risk: Credential stuffing, phishing, identity theft

Frequently Asked Questions (FAQ) About Combo List 93M

Was Microsoft or Hotmail hacked in 2025?
No. There is no evidence of a new Microsoft or Hotmail breach. Combo List 93M is an aggregation of older leaked data, not the result of a fresh intrusion into Microsoft systems.

Why is it called “Combo List 93M”?
The “combo list” label refers to combined username/password pairs, and “93M” indicates the approximate number of records in the dump – 93 million.

Does this mean my account was hacked?
Not necessarily. Your email may simply appear in the dataset. However, if you reused passwords across services, attackers could still attempt to access your accounts.

What’s the risk if only my email was exposed?
Even without a password, exposed emails can be targeted in phishing campaigns, spam runs, or paired with other breaches where your password was leaked.

How can I check if my data is included?
Use free tools like HaveIBeenPwned.com to check your email address against known breach databases.

Can LifeLock or similar services remove my information from the dark web?
No. Once data is exposed, it cannot be removed. Monitoring services simply alert you when your information is spotted so you can take protective steps.

What should I do right now?
Change your passwords, enable 2FA, avoid reusing credentials, and stay alert for suspicious emails.