New Report Finds Billions of Leaked Credentials and ULP Files on Dark Web Are Outdated
A recent in-depth analysis by threat intelligence experts sheds critical light on the pervasive issue of outdated and unreliable data circulating on the dark web.
The report, a 26-minute read, examines combolists (text files containing username-password pairs) and URL-Login-Password (ULP) files, which include associated website URLs alongside credentials.
Despite frequent claims of containing billions of fresh, exploitable records, the study reveals that these datasets are often recycled from historical breaches, autogenerated, or falsely marketed as new leaks.
Secondary Nature of Combolists
This secondary nature significantly diminishes their value as actionable indicators of compromise, posing challenges for cybersecurity defenders who rely on timely and accurate threat intelligence to mitigate risks.
The report uncovers a troubling trend of mislabeling within underground markets, where combolists and ULP files are often advertised as “infostealer logs,” that is, datasets directly extracted from infected devices via malware and containing rich contextual data like cookies, system information, and session tokens.
In reality, these files lack such depth and are frequently repackaged from older leaks, with marketing tags like “FRESH” or “2025 PRIVATE LEAK” used to inflate their perceived value.
Misleading Marketing Tactics
A prominent case highlighted in the analysis involves the AlienTXT Telegram channel, which gained notoriety in February 2025 for allegedly leaking 23 billion lines of user data.
Upon closer examination, much of this “AlienTXT Collection” consisted of old, duplicated, or fabricated credentials, with some lines failing to adhere to standard formats like URL:LOGIN:PASSWORD, further undermining their integrity.
The operator behind AlienTXT, who briefly rebranded as GalacticGhost on BreachForums before reverting, admitted to reselling publicly available data, reinforcing the report’s assertion that such distributors are rarely the original sources of compromise.
Further investigation by analysts, including direct communication with AlienTXT and other similar Telegram channels like Plutonium and JoghodTeam Cloud, revealed a consistent refusal to provide samples of supposedly “fresh” private data without payment.
Publicly available files from these channels, touted as previews of premium content, often traced back to breaches as early as 2022 or 2024, as evidenced by cross-referencing with threat intelligence platforms.
For instance, credentials posted by Plutonium on April 1, 2025, were linked to a compromise from September 2024, despite being presented as recent.
This pattern of recycling old data illustrates the inherent lag in secondary sources, which cannot match the real-time nature of primary infostealer logs.
The report also warns of the broader impact of this “information noise”: sensationalized headlines about massive leaks desensitize users and organizations, leading to alert fatigue and diminished response to genuine, current threats.
In conclusion, while combolists and ULP files remain a staple of the cybercrime ecosystem, their reliability as indicators of fresh compromises is severely limited.
The study urges cybersecurity professionals to prioritize tracing original breach sources over relying on aggregators and resellers, whose data often obscures critical context like the timing and method of initial compromise.
As dark web entities continue to exploit the hype around “billions of leaked records,” the need for skepticism and rigorous verification to separate actionable intelligence from outdated noise has never been greater.
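A first-pass verification of the kind described above, as an added example that is not taken from the report: it checks each line against the URL:LOGIN:PASSWORD format and counts malformed, duplicated and recycled entries. The function names, the sample lines and the `KNOWN` reference set (hashed records from collections a team has already processed) are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

def parse_ulp(line):
    """Return (host, login, password), or None if the line is not URL:LOGIN:PASSWORD."""
    # Split from the right because the URL itself contains ':' (scheme, port).
    # Limitation: a password containing ':' will be misparsed.
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    url, login, password = parts
    try:
        u = urlsplit(url if "://" in url else "//" + url)
    except ValueError:
        return None
    # Reject combolist lines such as "user@host:pass:word" misread as a URL.
    if not u.hostname or "." not in u.hostname or u.username:
        return None
    return u.hostname.lower(), login.lower(), password

def fingerprint(record):
    """Hash a record so the reference set never stores plaintext credentials."""
    return hashlib.sha256("\x00".join(record).encode()).hexdigest()

def triage(lines, known):
    """Count malformed, duplicate, recycled (already in `known`) and unseen lines."""
    stats = dict.fromkeys(("total", "malformed", "duplicate", "recycled", "unseen"), 0)
    seen = set()
    for line in lines:
        stats["total"] += 1
        rec = parse_ulp(line)
        if rec is None:
            stats["malformed"] += 1
            continue
        fp = fingerprint(rec)
        key = "duplicate" if fp in seen else "recycled" if fp in known else "unseen"
        stats[key] += 1
        seen.add(fp)
    return stats

# Constructed sample lines (not real leaked data).
SAMPLE = [
    "https://portal.example.com/login:alice@example.com:Summer2022!",
    "https://portal.example.com/login:alice@example.com:Summer2022!",
    "https://shop.example.org:8443/account:bob:hunter2",
    "carol@example.net:pa55word",   # combolist line without a URL
    "mail.example.net:dave:letmein",
    "FRESH 2025 PRIVATE LEAK",      # marketing banner, not a record
]
KNOWN = {fingerprint(("portal.example.com", "alice@example.com", "Summer2022!"))}

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN))
```

A high share of recycled, duplicate or malformed lines is a signal that a dump is repackaged rather than a new compromise; unseen lines still need to be traced to their original source.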