High-rank accounts (Immortal/Radiant) are sold to players who want to skip the "grind."
Use tools like Have I Been Pwned to see if your email was leaked in the breaches that feed these combo lists.
Riot’s MFA is the single most effective defense against credential stuffing. [526k]User-Pass Valorant target.txt
Accounts in specific regions or with high-tier unlocks are more liquid in underground forums.
Contrary to popular belief, these lists rarely come from a direct breach of Riot Games. Instead, they are compiled from older, unrelated data breaches (like LinkedIn or Adobe). Since many users reuse passwords, attackers "stuff" these credentials into the Valorant login portal to see which ones work. Contrary to popular belief, these lists rarely come
Use a unique password for your Riot account that isn't shared with any other service.
If you have come across this file or fear your data is part of such a list: Use a unique password for your Riot account
Once verified, "hits" are posted on Telegram channels or specialized marketplaces. A "NFA" (Non-Full Access) account—where the buyer has the login but can't change the email—might sell for as little as $1. A "FA" (Full Access) account with rare skins can go for significantly more. Critical Security Recommendations