The recently surfaced “Combo List 93M,” containing approximately 93 million email addresses and associated credentials, has gained traction on underground forums. Unlike a new breach, this dataset is an aggregation of previously compromised information collected from multiple older incidents, repackaged and circulated for use in credential-stuffing attacks and phishing campaigns. While the list is heavily populated with Hotmail and Outlook addresses, there is no evidence of a new Microsoft breach. These types of combo lists are common in the cybercriminal ecosystem and reflect the ongoing reuse of stolen data rather than fresh compromises. For individuals, this serves as a reminder of the importance of cybersecurity fundamentals: changing reused passwords, enabling multi-factor authentication, and remaining vigilant against phishing attempts. From a security professional’s perspective, the emergence of Combo List 93M is not a cause for panic but rather part of the routine cycle of recycled data dumps, highlighting the long-term consequences of poor password hygiene and the enduring value of breached credentials to threat actors.
Edward Kiledjian
@ekiledjian