What Is a Combo List?

Combo List definition and explanation.

A combo list is a text file that contains a list of leaked usernames and passwords in a specific format. The passwords are usually obtained from different breaches and collectively stored within a file. These files may be fed into automatic brute-forcing tools that test multiple credentials on different accounts or website logins until a match is found.

What Is Contained in Combo Lists?

A combo list is merely a collection of separate password lists, each originating from a separate website breach. A combo list has no standard format; in many cases it is just a packed set of individual files, each possibly in a different file format with a different data structure. The files may hold various types of PII, but their primary purpose is to provide a large number of passwords together with emails or other forms of usernames. When a website or service is breached, its passwords are not always stored in cleartext, so a combo list may hold a mix of cleartext passwords and several types of password hashes. Some attackers will crack the hashes, but the effort this takes depends largely on the hashing algorithm used and on the number of passwords.

When a site is first breached, the stolen credentials can hold significant value depending on the nature of the service, so attackers often try to sell them first. Once they appear to be old, someone makes them public, or researchers recover them, their value drops sharply, because websites usually reset the affected passwords for their users. At this point the individual lists are worth less, so to extract more value from them attackers combine multiple lists into combo lists (hence the term) in an attempt to raise their value again.

Actors may also add fake accounts and supply fake cleartext passwords instead of making the effort to crack the hashes. This makes a list look more valuable, as cleartext passwords are the only form usable in attacks such as password spraying, credential stuffing, or account takeover. These fake passwords are usually generated with a simple algorithm, so they can be easy to spot: for example, they are all lowercase letters of a fixed length.
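As an added illustration (not code from the original page or from Scirge), the following triage script shows how a defender handling a leaked list might normalise its mixed delimiters, separate cleartext entries from hashed ones by pattern, and flag the fixed-length all-lowercase runs the text describes as a sign of generated padding. The sample lines, delimiter set, and the hash patterns recognised are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, List, Set

# Constructed sample lines (not real leak data): mixed ':' and ';' delimiters,
# one MD5-shaped entry, and a run of uniform 5-letter lowercase "passwords".
SAMPLE = """\
alice@example.com:Summer2019!
bob@example.com;5f4dcc3b5aa765d61d8327deb882cf99
carol@example.com:qwzpl
dave@example.com:mrtkv
erin@example.com:hjqpa
frank@example.com:hunter2
"""

# Shape-based hash detection; a hex string of the right length is only a
# strong hint, so the labels mean "looks like", not "is".
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
}

@dataclass
class Entry:
    user: str
    secret: str
    kind: str  # "cleartext" or one of the HASH_PATTERNS names

def parse_line(line: str) -> Optional[Entry]:
    """Split on the first ':' or ';' since combo lists have no fixed format."""
    m = re.match(r"^([^:;]+)[:;](.*)$", line.strip())
    if not m:
        return None
    user, secret = m.group(1), m.group(2)
    kind = next((n for n, p in HASH_PATTERNS.items() if p.match(secret)), "cleartext")
    return Entry(user, secret, kind)

def _shape(secret: str):
    return (len(secret), secret.isalpha() and secret.islower())

def likely_generated(entries: List[Entry], min_run: int = 3) -> Set[str]:
    """Users whose cleartext password shares a fixed-length, all-lowercase shape
    that occurs at least min_run times: the generator signature from the text."""
    shapes = Counter(_shape(e.secret) for e in entries if e.kind == "cleartext")
    suspicious = {s for s, n in shapes.items() if s[1] and n >= min_run}
    return {e.user for e in entries if e.kind == "cleartext" and _shape(e.secret) in suspicious}

def triage(text: str) -> dict:
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {"total": len(entries),
            "by_kind": dict(Counter(e.kind for e in entries)),
            "likely_generated": sorted(likely_generated(entries))}
```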

How Are Combo Lists Used?

Combo lists have multiple use cases. Password spraying, credential stuffing, and account takeover are the primary attack vectors, but the lists can also be used for targeted phishing, impersonation, business email compromise, and extortion. When someone holds an account on a given website, they are more likely to fall for a fake password-reset request or click a malicious link that appears to come from that service. The passwords alone may convince people that they have been hacked; one ransom campaign exploited this by emailing people their breached passwords as supposed proof that their computer had been compromised. This looks very frightening to most people who do not understand how password breaches and security work in general, so they may be inclined to pay the ransom or click on malicious content.

Combo lists are also effective because people tend to reuse the same password across multiple websites and services. So even if the originally breached website resets all of its passwords, the same accounts can be used to target other services. This is exactly why credential stuffing works so well. If someone reused a corporate password on a breached website, the same credentials may be used to access their online email, CRM, ERP, or other significant services. This is why companies should monitor all password usage in their browsers: it lets them discover whether passwords are being reused, or whether a known breached password is in use.

How to Protect My Accounts From Combo Lists?

Although there is no general solution for protection against password-related threats, there are multiple steps you can take to protect your accounts and passwords. First, using a distinct password for each site prevents a breached password from being used against other, more important services. Creating long passwords with a few special characters makes them significantly harder to crack if they are breached in hashed form, so even if the hashes are stolen your accounts may stay safe. Wherever possible, turning on multi-factor authentication makes passwords less valuable, but remember that if one factor is compromised you are reduced to a single-factor defense. Actively monitoring public breached-password data is another way to be alerted when your accounts have been compromised, so that you can act. Remember, though, that before passwords appear in combo lists they have likely been accessed privately by dozens or hundreds of threat actors, so monitoring alone will not give you proper protection. The best approach is to combine all of the other methods: education about multi-factor authentication, monitoring for password strength and reuse, and automatic checking against known breached passwords. Organizations can attain this by using Scirge to protect all corporate accounts.
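The two automatic checks named above, screening a password against a known-breached set and spotting reuse across accounts, can be built without ever sending or storing cleartext passwords. This added example is not Scirge's code or the page's; it uses a constructed local breached-password set in place of a real corpus, mirrors the k-anonymity range-query pattern (client sends only the first five hex characters of the SHA-1 and compares the returned suffixes locally), and uses a keyed HMAC for the reuse check so the stored values cannot be brute-forced offline without the key. The sample corpus, account map and key are assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Set

# Constructed stand-in for a breached-password corpus; a real deployment
# would query an external breach-check service with the same prefix protocol.
KNOWN_BREACHED = {"password", "123456", "Summer2019!", "qwerty"}

# Constructed per-organization secret for the reuse check (assumption);
# in practice this lives in a secrets store, never in source.
REUSE_KEY = b"example-only-do-not-use"

def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus) -> Dict[str, Set[str]]:
    """Server side: bucket full hashes by their 5-char prefix."""
    index: Dict[str, Set[str]] = {}
    for pw in corpus:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index

def range_lookup(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """Server side: answers a prefix with every matching suffix, so it never
    learns which full hash (if any) the client actually holds."""
    return index.get(prefix, set())

def is_breached(pw: str, index: Dict[str, Set[str]]) -> bool:
    """Client side: only the prefix leaves the client; the match is local."""
    h = sha1_hex(pw)
    return h[5:] in range_lookup(index, h[:5])

def reuse_token(pw: str) -> str:
    """Keyed digest used to compare passwords across accounts without
    retaining cleartext or an unkeyed, crackable hash."""
    return hmac.new(REUSE_KEY, pw.encode("utf-8"), "sha256").hexdigest()

def find_reuse(accounts: Dict[str, str]) -> List[List[str]]:
    """Return groups of account names that share a password."""
    groups: Dict[str, List[str]] = {}
    for name, pw in accounts.items():
        groups.setdefault(reuse_token(pw), []).append(name)
    return sorted(g for g in groups.values() if len(g) > 1)
```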

Does MFA Protect Against Password Hacking?

MFA is a great method in general, but it does not protect against the breach of passwords itself. When a service is breached and passwords are stolen, MFA may prevent a direct login, but there are several known ways to circumvent it, and it is always up to the individual service whether MFA is available at all. Once a password is breached, attackers may try to social-engineer their way into a service, steal MFA tokens, reuse the same password on other sites, or send misleading emails to the account owners that display their cleartext passwords.

Is My Password Safe to Use?

There are free and paid services for checking passwords against breach data, and several tools that let you evaluate password strength against brute-force attacks and password cracking. Since everyone has dozens or even hundreds of online accounts, managing them individually across every service is cumbersome. Password managers are a great tool when they are used for all accounts and passwords are generated automatically, as generated passwords tend to be more complex and harder to guess than human-created ones. But password managers are also a point of vulnerability if their master password is breached, or if browsers are used for this purpose, since browsers also store the encryption key locally and may sync to insecure personal devices. The best way to protect business accounts is to automatically enforce password hygiene using Scirge.
