Combo List: Understanding This Threat to Your Credentials

A combo list is a text file containing millions, sometimes billions, of username-password pairs collected from data breaches, infostealer logs, or aggregated leaks from multiple sources. These lists are the raw material for credential stuffing attacks and circulate actively on dark web forums, Telegram channels, and cybercriminal marketplaces.

How does it work?

Combo lists are created by aggregating data from multiple sources. The first source is database breaches: when a website is compromised, user tables containing emails and passwords (sometimes hashed, sometimes in plaintext) are extracted and put up for sale. The second source, growing rapidly, comes from infostealer logs: malware like RedLine or LummaC2 steals credentials directly from victims’ browsers, producing plaintext, up-to-date credentials.

The raw data is then cleaned, deduplicated, and formatted into a standardized format (typically email:password or url:email:password). Attackers compile these files into massive collections that they sell or share on underground forums. Some well-known combo lists have exceeded 3 billion unique entries.

These lists then feed credential stuffing tools that automatically test the pairs against hundreds of online services. They also serve as a foundation for targeted phishing attacks, where the attacker uses a known old password to add credibility to their message.

Why does it matter?

Combo lists represent a persistent threat because they never truly disappear. A password stolen five years ago can resurface in a new compilation and be used in an attack if the user has not changed it. The lifecycle of a compromised credential is potentially infinite.

The scale of the problem is staggering: billions of email-password pairs circulate on the dark web, and this number grows daily with new leaks. For businesses, every credential present in a combo list represents a potential entry point into their systems.

The risk is particularly high for organizations whose employees reuse their work passwords on personal services. A leak from an e-commerce site can compromise access to the company VPN if the same password is used.

How Stealed protects you

Stealed continuously monitors the sources where combo lists are published and traded: Telegram channels, cybercriminal forums, and dark web marketplaces. Every day, the platform analyzes over 100 million credential lines to detect those matching your monitored domains.

When one of your organization’s credentials appears in a combo list or stealer log, you are alerted in real time via Slack, Teams, or webhook, with details about the exposed credential and the leak source.

Learn more: read our comprehensive guide on combo lists and credential stuffing for a detailed analysis of the stolen credential ecosystem.

Start monitoring for free to check if your organization’s credentials are circulating in combo lists.