
Combo Lists and Credential Stuffing: What They Are and How to Defend Against Them

Jason Moreau
Co-founder & CEO

A combo list is a large collection of username-password pairs, typically compiled from multiple data breaches and infostealer logs, formatted for use in automated credential stuffing attacks. These lists circulate on dark web forums, Telegram channels, and underground marketplaces, often containing millions or even billions of credential pairs. Combo lists are the primary ammunition for credential stuffing, one of the most common and effective attack techniques used against organizations today.

What exactly is a combo list?

A combo list is a plain text file where each line contains a username (usually an email address) paired with a password, separated by a colon or other delimiter. A typical entry looks like this: user@company.com:Password123. The lists are compiled by aggregating credentials from multiple sources, deduplicating them, and formatting them for compatibility with automated attack tools.

The scale of combo lists is staggering. Individual lists routinely contain tens of millions of credential pairs, and compilations like COMB (Compilation of Many Breaches) have aggregated over 3.2 billion unique email-password pairs. These mega-compilations are freely shared on dark web forums, making massive quantities of stolen credentials available to anyone.

What makes combo lists particularly dangerous is that they blend credentials from different sources. A single list might combine entries from a 2019 database breach, credentials harvested by RedLine stealer last week, and passwords extracted from a corporate VPN compromise. This mixing makes it difficult to trace the origin of any individual credential and increases the overall hit rate when used in attacks.

Where do combo lists come from?

Combo lists are built from two primary sources, and understanding both is essential for defending against them.

Database breaches

Traditional database breaches occur when attackers exploit vulnerabilities in web applications or servers to access user databases. The stolen data, which may include email addresses, hashed or plaintext passwords, and personal information, is eventually leaked or sold. Over time, credentials from hundreds of breaches are aggregated into combo lists. The Verizon Data Breach Investigations Report 2024 found that web application attacks remain the most common breach pattern, with stolen credentials playing a role in 31% of all incidents.

Infostealer malware

The second, increasingly dominant source of combo list credentials is infostealer malware. Families like RedLine, LummaC2, Raccoon, and Vidar infect individual devices and extract saved passwords from browsers, email clients, VPNs, and other applications. According to the IBM X-Force Threat Intelligence Index 2024, infostealer activity surged by 266% year-over-year.

Each infected device produces a “log” containing all harvested credentials, sometimes dozens or hundreds of username-password pairs from a single victim. These logs are sold individually on dark web marketplaces, but they are also aggregated, stripped of contextual data, and reformatted into combo lists for mass distribution. This means credentials stolen by an infostealer yesterday can appear in a combo list being used for credential stuffing attacks today.

How do credential stuffing attacks work?

Credential stuffing is an automated attack in which stolen username-password pairs from combo lists are systematically tested against target login pages. The attack exploits a simple reality: people reuse passwords across multiple services. If someone uses the same password for their personal email, their corporate VPN, and their banking portal, a single compromised credential grants access to all three.

Attackers use specialized tools that can test thousands of credential pairs per minute against target applications. These tools rotate through proxy networks to distribute requests across thousands of IP addresses, evading rate limiting and IP-based blocking. Modern credential stuffing tools also solve CAPTCHAs, mimic human browsing behavior, and adapt to different login page formats.

The success rate of credential stuffing is surprisingly high. Industry data suggests that 0.1% to 2% of attempts succeed, which means a combo list with 10 million entries can yield 10,000 to 200,000 valid login sessions. For attackers, this is an extraordinarily efficient return on a minimal investment, since many combo lists are available for free or for a few dollars.

How big is the credential stuffing problem?

The scale of credential stuffing attacks is difficult to overstate. According to data from Akamai’s State of the Internet report, billions of credential stuffing attempts are recorded annually across their customer base. Financial services, e-commerce, and SaaS platforms are the most frequently targeted sectors.

The consequences extend far beyond unauthorized access to individual accounts. Successful credential stuffing leads to account takeovers that enable financial fraud and unauthorized transactions, data exfiltration from corporate systems, lateral movement within enterprise networks using compromised VPN or email credentials, business email compromise (BEC) attacks launched from legitimate accounts, and reputational damage when customer accounts are compromised at scale.

For organizations, the cost is substantial. The IBM Cost of a Data Breach Report 2024 found that the average cost of a data breach reached $4.88 million globally, with breaches involving stolen credentials taking an average of 292 days to identify and contain, the longest lifecycle of any attack vector.

How can organizations defend against credential stuffing?

Defending against credential stuffing requires a layered approach that addresses both prevention and detection. No single control is sufficient on its own.

Enforce multi-factor authentication

MFA is the single most effective control against credential stuffing because it adds a verification step that stolen passwords alone cannot bypass. Even if an attacker has a valid username-password pair from a combo list, they cannot complete authentication without the second factor. Organizations should enforce MFA across all corporate applications, VPNs, and cloud services, prioritizing phishing-resistant methods like hardware security keys or passkeys.

Implement rate limiting and bot detection

Login endpoints should enforce rate limiting to slow down automated attacks. Advanced bot detection solutions can identify credential stuffing traffic based on behavioral patterns, request timing, and fingerprinting, even when attackers distribute their requests across proxy networks.
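The aggregate signal that bot detection relies on, as an added example written for this page (not a Stealed or other vendor's detector): a classic per-IP rate limiter beside a window-level detector, both run over a constructed login log. The log lines, IP addresses, usernames and thresholds are all made up for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article). Each line is
# "<ISO timestamp> <client ip> <username> <ok|fail>". The first block is normal
# traffic (a few users, some retries); the second is a stuffing run spread
# across many proxy IPs, one username each, so no single IP looks noisy.
SAMPLE_LOG = """\
2024-05-01T10:00:03 198.51.100.7 alice@example-corp.com ok
2024-05-01T10:00:09 198.51.100.7 bob@example-corp.com fail
2024-05-01T10:00:15 198.51.100.7 bob@example-corp.com ok
2024-05-01T10:00:40 198.51.100.9 carol@example-corp.com fail
2024-05-01T10:05:01 203.0.113.11 u01@example-corp.com fail
2024-05-01T10:05:06 203.0.113.12 u02@example-corp.com fail
2024-05-01T10:05:11 203.0.113.13 u03@example-corp.com fail
2024-05-01T10:05:17 203.0.113.14 u04@example-corp.com ok
2024-05-01T10:05:22 203.0.113.15 u05@example-corp.com fail
2024-05-01T10:05:28 203.0.113.16 u06@example-corp.com fail
2024-05-01T10:05:33 203.0.113.17 u07@example-corp.com fail
2024-05-01T10:05:39 203.0.113.18 u08@example-corp.com fail
2024-05-01T10:05:44 203.0.113.19 u09@example-corp.com fail
2024-05-01T10:05:50 203.0.113.20 u10@example-corp.com fail
"""

def parse_log(text):
    """Parse log text into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "ok"))
    return events

def per_ip_rate_hits(events, limit=5):
    """Classic rate limiting: IPs exceeding `limit` attempts in one calendar minute."""
    counts = Counter((ip, ts.replace(second=0, microsecond=0)) for ts, ip, _, _ in events)
    return {ip for (ip, _), n in counts.items() if n > limit}

def stuffing_windows(events, min_attempts=10, min_fail_ratio=0.8, min_unique_ratio=0.8):
    """Aggregate detector: one-minute windows with many attempts, mostly failures,
    and nearly every attempt naming a different account, regardless of source IP."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0].replace(second=0, microsecond=0)].append(ev)
    flagged = []
    for minute, evs in sorted(buckets.items()):
        n, fails, users = len(evs), sum(1 for e in evs if not e[3]), {e[2] for e in evs}
        if n >= min_attempts and fails / n >= min_fail_ratio and len(users) / n >= min_unique_ratio:
            flagged.append({"minute": minute.isoformat(), "attempts": n, "failures": fails,
                            "distinct_users": len(users), "distinct_ips": len({e[1] for e in evs})})
    return flagged
```

On this sample the per-IP limiter flags nothing, while the window detector flags the 10:05 minute: ten attempts, nine failures, ten distinct accounts from ten distinct IPs.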

Monitor for compromised credentials

The most proactive defense is knowing which of your credentials are already in combo lists before attackers use them. This is where credential leak monitoring becomes essential.

Stealed continuously monitors the sources where combo lists are compiled and distributed: infostealer log marketplaces, dark web forums, and private Telegram channels. When credentials matching your organization’s domains appear in these sources, you receive real-time alerts with full context, including the origin of the credentials and the scope of the compromise.
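An added example, not Stealed's code, of the domain-matching step described here and of the user:password line format described earlier in the article: it parses a constructed combo-list sample, tolerates the common delimiter variants, and reports which accounts on an assumed watch list of domains appear, keeping only a fingerprint of each password rather than the plaintext. The sample lines, domains and fingerprint length are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the user:password form described above, with the
# delimiter variants (':', ';', '|') and junk lines found in real dumps.
SAMPLE_COMBO = """\
alice@example-corp.com:Password123
bob@example-corp.com;Winter2024!
alice@example-corp.com:Password123
carol@gmail.com:hunter2
dave@EXAMPLE-CORP.com|Summer2023
not-an-email-line
erin@partner.example.org:p@ss:with:colons
"""

# Assumed watch list of your own domains (placeholder values).
MONITORED_DOMAINS = {"example-corp.com", "partner.example.org"}

# Email, then the first ':' ';' or '|', then everything else: a password
# that itself contains ':' must not be split further.
_LINE_RE = re.compile(r"^([^:;|\s]+@[^@:;|\s]+)[:;|](.+)$")

def parse_combo_list(text):
    """Yield (email, password) pairs; malformed lines are skipped, not guessed."""
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            yield m.group(1).lower(), m.group(2)

def match_monitored(text, domains):
    """Return {domain: {email: set_of_password_fingerprints}} for watched domains.
    Only a truncated SHA-256 of each password is kept, so the alert store never
    holds plaintext; identical leaked pairs collapse to one fingerprint."""
    hits = defaultdict(lambda: defaultdict(set))
    for email, password in parse_combo_list(text):
        domain = email.rsplit("@", 1)[1]
        if domain in domains:
            fp = hashlib.sha256(password.encode()).hexdigest()[:16]
            hits[domain][email].add(fp)
    return hits

def exposed_account_counts(hits):
    """Per-domain number of distinct exposed accounts, for an alert summary."""
    return {domain: len(accounts) for domain, accounts in hits.items()}
```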

Enforce password policies and password managers

Organizations should enforce unique passwords across all services and deploy enterprise password managers to make this practical. When employees use unique, generated passwords for every service, a breach of one service does not cascade into access to others.

How does Stealed monitor combo lists and infostealer logs?

Stealed ingests and analyzes over 100 million credentials daily from the same sources that attackers use to build combo lists. The platform monitors raw infostealer logs as they are distributed on Telegram channels and dark web forums, combo list compilations as they are shared on underground marketplaces, and individual credential sales on dark web markets.

When credentials matching your monitored domains are detected, Stealed delivers an alert that includes more than just the compromised username and password. Each alert provides the stealer family that harvested the credential (if sourced from an infostealer log), the infected device’s machine ID, IP address, and computer name, the timestamp of when the credentials were exfiltrated, and the full list of other credentials stolen from the same device. This contextual intelligence allows security teams to go beyond a simple password reset and investigate the full scope of the compromise, identifying every account and service affected by the same infection.

How can you find out if your credentials are in combo lists?

The uncomfortable truth is that for most organizations, some employee credentials are already circulating in combo lists. The volume of infostealer infections and database breaches makes it statistically likely that credentials associated with your domains have been compromised.

The question is not whether your credentials are out there, but whether you know about it before attackers exploit them.



CEO and co-founder of Stealed, Jason brings business vision and offensive security expertise to drive the threat detection strategy.
