Billions of Outdated Leaked Credentials and ULP Files Flood Dark Web Forums, New Report Reveals

A comprehensive analysis of dark web credential markets reveals that billions of supposedly “fresh” login credentials circulating through combolists and URL-Login-Password (ULP) files are primarily recycled, outdated, or artificially generated data rather than genuine new breaches.

The report, published by cybersecurity researchers on July 8, 2025, warns that these secondary data sources have become increasingly unreliable indicators of actual compromises, potentially creating dangerous alert fatigue among security professionals and organizations.

Massive Scale of Recycled Credential Distribution

Combolists, text files containing credentials in the “EMAIL:PASSWORD” format, and ULP files, which additionally include website URLs, are being distributed on an industrial scale across dark web forums and Telegram channels.

These files often claim to contain billions of high-quality, fresh credentials, with sellers using marketing tactics like “FRESH,” “2025 PRIVATE LEAK,” or “100% QUALITY DATA” to attract buyers.

However, the investigation reveals that most of these credentials originate from well-known historical breaches, including Collection #1-5, Naz.API, Antipublic, COMB (Compilation of Many Breaches), and Cit0day.

Threat actors continuously repackage this aging data, creating an endless cycle of redistribution under new filenames that follow loose naming conventions based on country codes, email domains, or alleged breach dates.

False Marketing as Infostealer Logs Creates Confusion

A significant finding involves the widespread mislabeling of combolists and ULP files as “infostealer logs” for marketing purposes.

Genuine infostealer logs contain comprehensive digital footprints from infected devices, including HTTP cookies, browser autofill data, system information, cryptocurrency wallets, and active sessions for applications such as Telegram, Steam, and Discord.

In contrast, combolists and ULP files typically contain only basic login credentials, often lacking context or supporting metadata.

This misrepresentation not only inflates the perceived value of stale data but also creates confusion among cybersecurity professionals who may incorrectly assess the severity and freshness of potential threats.

Quality Control Issues and Fabricated Data

The report highlights significant quality control problems within credential markets. Analysis of sample files revealed completely autogenerated entries, with one combolist ironically ending with a generated email address followed by a disclaimer promising “fresh and 100% quality data.”

More concerning are sophisticated deceptions where confirmed email addresses and passwords are paired with fabricated website URLs, creating false impressions of specific service breaches.

In one documented case, an analyst’s legitimate credentials from a 2011 gaming forum breach were repackaged and falsely attributed to a significant social network the analyst had never used.
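A defender can check a received file for this kind of recycling before raising alerts. The following Python example is an addition to this article, not code from the report: it parses combolist and ULP lines and compares each email/password pair, ignoring the URL, against pairs already seen in earlier dumps, so an old pair attached to a new URL still counts as recycled. The `URL:LOGIN:PASSWORD` delimiter layout, the function names, and all sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

def parse_line(line):
    """Return (url_or_None, login, password), or None if the line is unusable."""
    line = line.strip()
    if "://" in line:
        # ULP, assumed layout URL:LOGIN:PASSWORD. Split from the right because
        # the URL itself contains ':' (scheme, optional port).
        parts = line.rsplit(":", 2)
        if len(parts) != 3 or "://" not in parts[0]:
            return None
        url, login, password = parts
    else:
        # Combolist, EMAIL:PASSWORD. Split once; a password may contain ':'.
        url = None
        login, _, password = line.partition(":")
    if "@" not in login or not password:
        return None  # junk, marketing text, or a non-email login
    return url, login.lower(), password

def fingerprint(login, password):
    """Hash the pair without the URL, so a relabelled old pair still matches."""
    return hashlib.sha256(f"{login}\x00{password}".encode()).hexdigest()

def triage(lines, seen, domain):
    """Count recycled vs. novel pairs for one domain; return (stats, novel)."""
    stats, novel = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1
        elif not rec[1].endswith("@" + domain):
            stats["other_domain"] += 1
        elif fingerprint(rec[1], rec[2]) in seen:
            stats["recycled"] += 1
        else:
            stats["novel"] += 1
            novel.append((rec[1], rec[0]))
    return stats, novel

# Constructed sample data (not from the report).
SEEN = {fingerprint("alice@corp.example", "Summer2011")}
SAMPLE = [
    "alice@corp.example:Summer2011",
    "https://social.example.test/login:alice@corp.example:Summer2011",
    "https://vpn.corp.example:8443/auth:bob@corp.example:n3wPass!",
    "carol@other.example:hunter2",
    "FRESH 100% QUALITY DATA",
]
```

Calling `triage(SAMPLE, SEEN, "corp.example")` reports two recycled pairs, including the one relabelled with a different URL, and a single novel pair that merits follow-up.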

The research concludes that the proliferation of secondary, unreliable data sources creates alert fatigue, potentially reducing an organization’s responsiveness to genuine security incidents.

Cybersecurity professionals are advised to focus on identifying and monitoring primary breach sources rather than relying on the variable reliability of repackaged credential collections.

Priya
