Breach Compilation 2017
Dec 11, 2017
A gigantic credential dump containing about 1.4 billion email/password pairs, much of it in plain text, was found circulating online. It was notable less because it was “new” and more because it centralized hundreds of old breaches into one highly usable weaponized dataset, making credential stuffing and password reuse attacks a lot easier.
Data found in this dataset
Source files
Expand any file to inspect its column headers and the LLM's field-mapping reasoning, recorded during ingestion.
breach_combined.txt2 columns101,920,149 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Values contain @ symbol and domain names, clearly email addresses | |
| 1 | password | high | Values appear to be plaintext passwords consistent with the breach-compilation-2017 dataset known for plain text credentials |
Notes: Standard email:password combo list. Part of the 2017 breach compilation aggregating ~1.4 billion credentials. Passwords appear to be plaintext. Some email addresses contain spaces or unusual characters which may indicate OCR artifacts or encoding issues in the original compilation.
breach_combined_001.txt2 columns137,904,346 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Nearly all values contain @ symbol and valid email domain patterns (mail.ru, gmail.com, yahoo.com, hotmail, etc.). First line appears to be a phone number in field 0 with email in field 1, suggesting some rows may be inverted or malformed, but the overwhelming majority follow email:password order. | |
| 1 | password | high | Values are plaintext passwords of varying complexity — numeric strings, alphanumeric mixes, dictionary words, and some Cyrillic-encoded passwords. Consistent with the breach-compilation-2017 dataset known for plaintext credential pairs. |
Notes: Standard email:password combo list from breach-compilation-2017. Delimiter is colon (:). A small number of rows appear inverted (e.g., line 1: '00 44 7887 5579:battershillr@tiscali.co.uk' where field 0 looks like a phone number and field 1 is the email), suggesting occasional malformed or phone:email entries mixed in. Some passwords contain Cyrillic characters in both raw encoded form and UTF-8, indicating multi-locale source breaches aggregated into this dump. No header row present.
breach_combined_002.txt2 columns107,363,009 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (yahoo.com, mail.ru, yandex.ru, hotmail.fr, bk.ru, etc.) | |
| 1 | password | high | Values after first colon are plaintext passwords of varying complexity; note some passwords themselves contain colons (e.g. 'ljd:') causing occasional extra fields, and some contain Cyrillic characters |
Notes: Standard email:password combo list from the 2017 breach compilation aggregate dump. Delimiter is colon but passwords may themselves contain colons, meaning some rows will have 3+ fields where field 0 is email and fields 1..N joined are the full password. Emails span many international domains including Russian providers (mail.ru, yandex.ru, bk.ru, ya.ru), Western providers (yahoo.com, hotmail.fr, web.de, aim.com), and others (tianya.cn, sbcglobal.net). Some passwords contain Cyrillic/Unicode characters. HTML entities present in raw data (e.g. ' for apostrophe, & for ampersand) suggesting the sample was HTML-encoded at extraction time.
breach_combined_c.txt2 columns82,895,720 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and recognizable email domains (gmail.com, yahoo.com, mail.ru, yandex.ru, hotmail.com, aol.com, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, consistent with the breach-compilation-2017 dataset which is known to contain predominantly plaintext credentials aggregated from hundreds of prior breaches |
Notes: Standard email:password combo list in plaintext. Part of the 2017 breach compilation (~1.4B records). Delimiter is colon (:) but note some passwords may themselves contain colons, which could cause parsing ambiguity on those lines. Emails span a wide range of international domains including Russian (.ru), French (.fr), Chinese (.cn), and Finnish (.fi) providers, reflecting the aggregated multi-source nature of this dump.
breach_combined_d.txt2 columns88,706,253 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and standard email domain patterns (yahoo.com, gmail.com, mail.ru, hotmail.com, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Classic email:password combo list. Part of the 2017 breach compilation aggregating ~1.4 billion credentials from hundreds of prior breaches. Passwords are plaintext. Some emails appear malformed (e.g. D0$UKINUT@@Hotmail.com with double @) suggesting dirty/aggregated source data. Delimiter is colon but passwords containing colons could cause parsing edge cases.
breach_combined_e.txt2 columns47,614,861 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (gmail.com, yahoo.com, mail.ru, yandex.ru, hotmail.com, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, consistent with the breach-compilation-2017 context which is known for plain text credentials. Some entries have empty passwords, some contain Cyrillic characters, some alphanumeric strings. |
Notes: Classic email:password combo list from breach-compilation-2017, a massive aggregated credential dump of ~1.4 billion pairs. Delimiter is colon (:). Passwords are predominantly plaintext. Some lines have empty password fields (e.g. E001KH23rus@mail.ru:). Heavy presence of Russian/Eastern European email domains (mail.ru, yandex.ru, bk.ru, rambler.ru, list.ru, inbox.ru, meta.ua) alongside Western providers. Some passwords contain Cyrillic characters. Email addresses in field 0 occasionally have unusual formatting suggesting source data quality issues across the aggregated breach sources.
breach_combined_f.txt2 columns42,328,363 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and recognizable email domains (gmail, yahoo, mail.ru, hotmail, yandex, etc.) | |
| 1 | password | high | Second field contains plaintext passwords of varying complexity and length, consistent with the breach-compilation-2017 known plaintext password dataset |
Notes: Standard email:password combo list using colon delimiter. One anomalous line (F001560@mail.ru;rustam1206) uses a semicolon delimiter instead of colon — likely a data quality issue in the source compilation. Some emails appear multiple times with different passwords, suggesting credential aggregation from multiple source breaches. Passwords appear to be plaintext rather than hashed, consistent with the breach-compilation-2017 context.
breach_combined_g.txt2 columns52,385,090 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and domain extensions, clearly email addresses | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Standard email:password combo list in plaintext. Part of the 2017 breach compilation aggregating ~1.4 billion credentials from hundreds of prior breaches. Passwords are plaintext rather than hashed. Some emails use non-Latin characters in local parts or domains (e.g. Cyrillic). Delimiter is colon but some passwords may contain colons — parsing should treat only the first colon as the delimiter.
breach_combined_h.txt2 columns41,397,744 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with valid email domain patterns (hotmail, yahoo, gmail, mail.ru, institutional domains, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity — alphanumeric strings, some with special characters, some matching username patterns (password reuse), consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Standard email:password combo list in plaintext. Part of the 2017 breach compilation aggregating ~1.4 billion credentials from hundreds of prior breaches. Emails span many international domains (ru, fr, ae, tw, cn, ua) and providers. Passwords are plaintext, not hashed. Some entries appear duplicated with case variants in the email field (e.g. H0008H@EMAILS.RU and H0008H@emails.ru with identical passwords), suggesting multiple source breaches were merged with inconsistent normalization.
breach_combined_i.txt2 columns33,454,059 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Values consistently contain @ symbol and standard email domain patterns (mail.ru, hotmail.com, yahoo.com, qq.com, etc.) | |
| 1 | password | high | Values are plaintext passwords of varying formats including alphanumeric strings, Cyrillic characters, and simple numeric sequences — consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Standard email:password combo list. Part of the 2017 breach compilation aggregating ~1.4 billion credentials from hundreds of earlier breaches. Passwords appear to be predominantly plaintext rather than hashed. Mix of Latin and Cyrillic character passwords observed, consistent with heavy representation of Russian-language email providers (mail.ru, yandex.ru, rambler.ru, bk.ru, list.ru, i.ua, ukr.net). Some lines contain duplicate emails with different passwords, indicating aggregation from multiple source breaches.
breach_combined_j.txt2 columns77,573,811 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and recognizable email domains (yahoo.com, hotmail.com, myspace.com, aol.com, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords (e.g., 'nelson1', 'candy1', 'Handboll', 'spiderkid') consistent with the Breach Compilation 2017 plaintext credential dump |
Notes: Classic email:password combo list. Part of the 2017 Breach Compilation aggregating ~1.4 billion credentials from hundreds of prior breaches. Passwords appear to be plaintext rather than hashed, making this dataset particularly dangerous for credential stuffing and password reuse attacks. Notable pattern: several lines share the same password 'Handboll' across different email domains, suggesting a single user who reused passwords across many services.
breach_combined_l.txt2 columns63,713,721 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Values contain @ symbol and various email domains (hotmail.com, yahoo.com, mail.ru, yandex.ru, etc.), clearly email addresses. Some contain HTML entities (', &, <) suggesting the source data was scraped or exported from a web context. | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, consistent with the breach-compilation-2017 dataset which was known to contain largely plaintext credentials. Includes alphanumeric, special character, and Cyrillic-script passwords. |
Notes: Standard email:password combo list consistent with the breach-compilation-2017 aggregate dump. Delimiter is colon (:). Passwords appear to be plaintext rather than hashed. Notable presence of Cyrillic-script passwords suggests significant Russian/Eastern European source data (mail.ru, yandex.ru, bk.ru domains). HTML entities in some email addresses (' for apostrophe, & for ampersand, < for less-than) indicate original data was pulled from HTML-encoded sources. Some accounts appear multiple times with different passwords (e.g., LB-BS@MAIL.RU), suggesting aggregation from multiple breach sources.
breach_combined_m.txt2 columns131,825,845 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Values contain @ symbol and recognizable email domains (yahoo.com, hotmail.com, mail.ru, aol.com, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity (e.g., 'm091685', 'daniela14', 'monkey21'), consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Standard email:password combo list. Part of the 2017 breach compilation aggregating ~1.4 billion credentials from hundreds of prior breaches in plaintext. Passwords appear to be plaintext rather than hashed. Some email addresses contain non-ASCII characters (e.g., 'M0$T£R1@yahoo.com'), and some passwords contain Cyrillic characters (e.g., 'александрович'), reflecting the multinational scope of the source breaches.
breach_combined_n.txt2 columns50,911,720 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (gmail, yahoo, hotmail, mail.ru, yandex.ru, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity; some entries show hex-encoded passwords (e.g. $HEX[...]), and some contain Cyrillic characters consistent with plaintext credential dumps |
Notes: Standard email:password combo list in plaintext. Part of the 2017 Breach Compilation aggregation of ~1.4 billion credentials. Delimiter is colon (:) though passwords themselves may contain colons in edge cases — split on first colon only. Notable patterns: mixed-case emails, international domains (ua, fr, de, ru, tw, jp), Cyrillic plaintext passwords, and at least one $HEX-encoded password value suggesting aggregation from multiple source breach formats.
breach_combined_o.txt2 columns22,715,999 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values in column 0 are formatted as email addresses (local-part@domain.tld) across all 50 rows | |
| 1 | password | high | Column 1 values are plaintext passwords — alphanumeric strings, no consistent structure, consistent with credential dump format described in breach context |
Notes: Classic two-column credential dump format matching the breach-compilation-2017 profile: email:password pairs in plain text. No other PII fields (name, DOB, address, SSN, phone) are present in this slice. Delimiter is predominantly colon but line 19 ('O00000@rambler.ru;Elenka1601') uses a semicolon, suggesting this compilation was assembled from multiple source breaches with inconsistent formatting. Passwords appear fully plaintext with no hashing, consistent with the breach description of a highly weaponized credential-stuffing dataset.
breach_combined_p.txt2 columns54,689,754 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (hotmail, yahoo, mail.ru, aol, gmail, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity — alphanumeric strings, common password patterns, some appear to be cleartext per breach context |
Notes: Classic email:password combo list consistent with the Breach Compilation 2017 dataset. Delimiter is colon. Passwords are predominantly plaintext. Some duplicate email entries exist with variant passwords (e.g. P0-0ner@hotmail.com appears twice with Thesims15 and thesims15), suggesting aggregation from multiple source breaches. Some passwords appear to mirror the username portion of the email (e.g. P000F64BXR@163.com:P000F64BXR), a common pattern in aggregated dumps. Cyrillic characters observed in at least one entry (line 37/38), consistent with inclusion of Russian-language breach sources.
breach_combined_q.txt2 columns6,246,732 rows
File structure
Format: CSV·Delimiter: :·Has header: no·Quote: "
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | values are clearly email addresses across all rows | |
| 1 | password | high | values are plaintext passwords typical of credential dump format |
Notes: Classic breach-compilation credential dump format: email:password pairs delimited by colon. One anomalous row (line 6) uses semicolon as delimiter instead of colon (Q000000@rambler.ru;x5x4x31980) suggesting the source data was aggregated from multiple breach sources with inconsistent formatting. No other PII fields present beyond email and password. Some passwords appear to contain dates (e.g. '24121988', 'Vetal1991') or usernames mirroring the email local part, consistent with known breach-compilation-2017 characteristics.
breach_combined_r.txt2 columns67,917,447 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Values contain @ symbol and domain names (aol.com, yahoo.com, gmail.com, etc.), clearly email addresses. One outlier line 'R0000t:P@ssw0rd' appears to be a username:password pair without a proper email, but the overwhelming majority are valid emails. | |
| 1 | password | high | Values are plaintext passwords of varying complexity (e.g., '147wer', 'rosales27', 'P@ssw0rd', '123456'), consistent with the breach-compilation-2017 dataset which is known to contain largely plaintext credentials aggregated from hundreds of prior breaches. |
Notes: Standard email:password combo list consistent with the Breach Compilation 2017 dataset (~1.4 billion credentials). Delimiter is colon (:). Passwords appear to be mostly plaintext. One anomalous line (R0000t:P@ssw0rd) uses a username rather than an email in field 0, which is expected in a large aggregated dump sourced from heterogeneous breaches. Some emails appear malformed (e.g., 'hotmal.com' likely a typo for 'hotmail.com'). Duplicate email entries with different passwords are present, indicating credential reuse or multiple breach sources.
breach_combined_s.txt2 columns130,897,459 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and recognizable email domains (hotmail, gmail, yahoo, yandex, mail.ru, etc.) | |
| 1 | password | high | Values are plaintext passwords of varying complexity, consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Standard email:password combo list. Delimiter is colon (:). All 50 sampled lines follow the same two-field pattern. Passwords appear to be plaintext (not hashed), consistent with the breach-compilation-2017 dataset which aggregated hundreds of older breaches into a single plaintext-heavy credential store. Some lines may have trailing whitespace or minor formatting artifacts (e.g., line 30 has trailing spaces). A small number of emails appear duplicated with different passwords, suggesting aggregation from multiple source breaches.
breach_combined_t.txt2 columns68,627,981 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values follow email address patterns (local-part@domain.tld) across all rows | |
| 1 | password | high | All values are plaintext password strings consistent with credential dump format described in breach context; includes alphanumeric strings, common passwords, and mixed-case patterns |
Notes: This is a two-column credential dump with no headers, consistent with the breach-compilation-2017 dataset description — approximately 1.4 billion email:password pairs in plaintext. No additional PII fields (name, DOB, SSN, address, phone) are present in this sample. Row 19 uses a semicolon delimiter instead of colon, suggesting the compilation aggregated data from multiple sources with inconsistent formatting. Some passwords contain spaces (e.g., 'verxeeva 1972' in row 2), which may indicate a parsing artifact or that the original source used a different delimiter further downstream. The dataset as a whole is high-risk due to plaintext passwords enabling direct credential stuffing and password reuse attacks across other services.
breach_combined_u.txt2 columns9,018,213 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | Values consistently contain @ symbol and domain names, clearly email addresses. Occasional semicolon delimiter variant observed on line 42 (illico-uem.fr;cire1967) suggesting minor formatting inconsistency in source data. | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity — consistent with breach-compilation-2017 known plaintext nature. Examples include simple numeric strings, words, and mixed alphanumeric. One anomalous line (U003311) contains a third colon-delimited field suggesting email was placed in field 1 and password in field 2 for that record. |
Notes: Standard email:password combo list consistent with breach-compilation-2017 aggregate dump. Majority of records follow strict [email]:[plaintext_password] format. Minor delimiter inconsistency on at least one line (semicolon instead of colon). At least one malformed record (last line) appears to have a username prefix before the email, resulting in three colon-delimited fields — parser should handle variable field counts. Passwords are predominantly plaintext, not hashed, consistent with the known character of this dataset.
breach_combined_v.txt2 columns32,944,976 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (gmail, yahoo, mail.ru, yandex, hotmail, etc.) | |
| 1 | password | high | Values are plaintext passwords of varying complexity — mix of alphanumeric strings, dates, words, and user-mirrored tokens consistent with the Breach Compilation 2017 plaintext credential dump |
Notes: Classic email:password combo list. Delimiter is colon (:). All 50 sampled lines follow a strict two-field format. Passwords appear to be plaintext (not hashed), consistent with the Breach Compilation 2017 dataset which aggregated hundreds of prior breaches into a single plaintext-heavy credential stuffing resource. Some passwords mirror the local part of the email address (e.g. V0000880L:V0000880L, V00022RZN:V00022RZN), a common pattern in this dump. No header row present.
breach_combined_w.txt2 columns35,726,357 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol and standard email domain patterns (gmail.com, yahoo.com, mail.ru, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity; consistent with breach-compilation-2017 known plaintext credential format |
Notes: Classic email:password combo list in plaintext. Matches the breach-compilation-2017 profile — a centralized aggregation of hundreds of prior breaches. Some entries have empty password fields (e.g. W000lk@mail.ru:). Passwords appear to be plaintext rather than hashed, which was a hallmark of this dataset.
breach_combined_x.txt2 columns13,538,424 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (gmail, hotmail, yahoo, live, yandex, etc.) | |
| 1 | password | high | Values are plaintext passwords of varying complexity, consistent with the breach-compilation-2017 known plaintext credential dump |
Notes: Classic email:password combo list. Delimiter is colon (:). Some entries have empty passwords (e.g. X00000007@yandex.ru:). Passwords are plaintext, not hashed, consistent with the breach-compilation-2017 aggregated credential dump. Some email usernames contain colons as part of decorative handles but the split point is reliably the first colon before the domain's TLD, as the @ symbol anchors the email field boundary.
breach_combined_y.txt2 columns19,493,719 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with recognizable email domains (yahoo.com, gmail.com, hotmail.com, mail.ru, yandex.ru, aol.com, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, consistent with the breach-compilation-2017 dataset known for plain text credentials |
Notes: Standard email:password combo list in plain text. Part of the 2017 breach compilation aggregating ~1.4 billion credentials from hundreds of prior breaches. Delimiter is colon (:) though some passwords contain colons (e.g. 'Y0-asakur@rambler.ru:куящк асакур"'), meaning field[1] should be treated as everything after the first colon. Contains international credentials including Cyrillic-language passwords. HTML entities present in some lines (e.g. ' and ") suggesting some records were scraped or stored with HTML encoding.
breach_combined_z.txt2 columns17,972,185 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | high | All values contain @ symbol with standard email format across multiple domains (hotmail, gmail, mail.ru, qq.com, yahoo, etc.) | |
| 1 | password | high | Values appear to be plaintext passwords of varying complexity, lengths, and character sets including alphanumeric and special characters; some entries have empty passwords |
Notes: Standard email:password combo list in plaintext. Part of the 2017 Breach Compilation aggregating hundreds of prior breaches into ~1.4B credentials. Delimiter is colon (:) though some passwords themselves contain colons (e.g. 'Z001AP@mail.ru:1234 333'), meaning occasional parsing ambiguity. Passwords are plaintext rather than hashed. Some lines have empty password fields (e.g. Z0.0@mail.ru:). Emails span global domains including Russian (.ru, mail.ru, yandex.ru), Chinese (qq.com, 163.com, sina.com.cn, tianya.cn), and Western providers.