A credential-stuffing combo list labeled '1 Billion UserPass Facebook' has been indexed by leaksear.ch with 1,326,644 pairs of an email address or username and a plaintext password, assembled to target Facebook logins (leaksear.ch metadata). The dataset is described as an aggregation of prior public breaches and infostealer logs, not a discrete breach of Facebook itself, and no breach date is known (leaksear.ch metadata).
What happened
The list's name is misleading: leaksear.ch metadata records about 1.3 million rows, not one billion, and says the corpus circulated on hacking forums and Telegram as a credential-stuffing combo list (leaksear.ch metadata). Combo lists are bulk sets of stolen logins compiled from sources such as stealer logs, URL-login-password files, and older leaks, and Group-IB notes they are commonly used for credential stuffing and account takeover (www.group-ib.com).
The public context matches that pattern. Have I Been Pwned describes stealer log breaches as large, aggregated datasets whose parsable entries often combine a website, an email address, and a password, while Microsoft reports that infostealers harvest credentials and tokens at scale for resale and downstream compromise (support.haveibeenpwned.com, www.microsoft.com). OWASP defines credential stuffing as automated use of stolen username and password pairs against login forms, especially when people reuse the same credentials across services (owasp.org).
Confirmed by the indexing metadata: the dataset is Facebook-targeted, contains plaintext credential pairs, and aggregates earlier exposure sources. Not confirmed: a new Facebook or Meta breach, a breach date, the original source of each pair, or whether any listed password still works (leaksear.ch metadata).
What data was exposed
The indexed fields are email addresses, usernames, and plaintext passwords (leaksear.ch metadata). The metadata lists no additional stored fields, so this should be treated as a credential exposure rather than a broader profile-data leak containing phone numbers, IDs, payment cards, messages, or Facebook profile attributes (leaksear.ch metadata).
Why this matters
For affected individuals, the main risk is account takeover where the same password was reused on Facebook or elsewhere. Credential stuffing can also give attackers a foothold for phishing, spam, impersonation, and attempts to reset accounts by abusing recovery information, risks OWASP calls out for reused credentials and leaked account data (owasp.org).
For security teams, the practical response is to look for exposed employee domains, require password changes where reuse is suspected, review recent login activity, and prioritize MFA or passkeys. Meta says password, two-factor authentication, and account email settings are managed centrally in Meta Account, and Meta compromised-account guidance recommends unique passwords and two-factor authentication for Facebook users (about.fb.com, ag.nv.gov). Readers who want to assess their own exposure should check whether their email, username, or password appears in this leak on leaksear.ch, then change any reused password immediately.
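As an added illustration of the first step above (looking for exposed employee domains), not code from leaksear.ch or any cited source: a Python triage pass over constructed combo-list rows that lists monitored-domain accounts for password reset without retaining the plaintext passwords. The sample rows, the domain example.com and the function names are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample rows (not taken from the dataset): login:password pairs
# and one URL-login-password (ULP) row of the kind stealer logs produce.
SAMPLE_ROWS = [
    "alice@example.com:Summer2020!",
    "https://www.facebook.com/login.php:bob@example.com:hunter2",
    "carol@other.test:qwerty",
    "dave_1987:letmein",
    "ALICE@Example.com:Summer2020!",
    "malformed line without separator",
]
MONITORED_DOMAINS = {"example.com"}  # assumption: domains your organisation owns


def parse_row(row):
    """Return (login, password), or None if the row is unparsable."""
    row = row.strip()
    if row.lower().startswith(("http://", "https://")):
        # ULP row: drop the scheme, then URL / login / password. A URL with
        # an explicit port would be misparsed; this sketch does not handle it.
        parts = row.split("://", 1)[1].split(":", 2)
        if len(parts) != 3:
            return None
        _, login, password = parts
    else:
        login, sep, password = row.partition(":")
        if not sep:
            return None
    return (login, password) if login and password else None


def triage(rows, domains):
    """Map each monitored account to its count of distinct exposed passwords."""
    fingerprints, skipped = defaultdict(set), 0
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            skipped += 1
            continue
        login, password = parsed
        local, at, domain = login.lower().rpartition("@")
        if at and local and domain in domains:
            # Keep only a digest so duplicates collapse and no plaintext is stored.
            digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
            fingerprints[f"{local}@{domain}"].add(digest)
    return {a: len(d) for a, d in sorted(fingerprints.items())}, skipped
```

Each account returned is a candidate for a forced password change and a review of recent login activity; bare usernames such as the `dave_1987` row cannot be attributed to a domain and are ignored.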
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include email, password, and username.
Sources
- Group-IB: How Attackers Use Password Combolists In Brute-Force Campaigns
- Have I Been Pwned: I had an alert that emails on my domain were in a stealer log breach, but I don't see any stealer log entries
- Microsoft Security Insider: Microsoft Digital Defense Report 2025
- OWASP Foundation: Credential stuffing
- Meta Newsroom: Meta Account: The Simpler Way to Access Your Apps and Devices
- Nevada Attorney General: Compromised Account Resources