A combo list is a text file containing leaked usernames (often email addresses) together with their passwords,
typically one username:password pair per line. The passwords are usually collected from several different
breaches and bundled into one file. Such files are fed into automated credential-stuffing and brute-forcing
tools that try each pair against many accounts or website logins until a match is found.
What Is Contained in Combo Lists?
A combo list is simply a collection of separate password lists originating from separate breaches of websites.
There is no single standard format: in many cases a combo list is just a packed set of individual files, each
with its own file format and data structure. The files may contain other types of PII, but their main purpose
is to provide a large number of passwords together with emails or other forms of usernames. Because breached
services do not always store passwords in cleartext, a combo list may hold a mix of cleartext passwords and
various types of password hashes.
Some attackers will crack the hashes (hashes cannot be decrypted, only guessed), but the effort depends largely
on the hashing algorithm used, whether the hashes were salted, and the number of passwords. When a site is
first breached, the stolen credentials can hold significant value depending on the nature of the service, so
attackers usually try to sell them first. Once the credentials look old, or someone makes them public, or
researchers recover them, their value drops sharply, because websites usually reset the affected passwords for
their users.
At this point the individual lists become less valuable. To extract more value from them, attackers may
combine multiple lists into combo lists (hence the term) to raise their value again. Actors may also pad the
lists with fake accounts, or supply fake cleartext passwords instead of spending the effort to crack the
hashes. This makes a list look more valuable, because cleartext passwords are the only form that can be used
directly in attacks such as password spraying, credential stuffing, or account takeover. These fake passwords
are usually produced by a simple generator, so they may be easy to spot: for example, they are all lowercase
letters of the same fixed length.
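The parsing and padding heuristics described above, as an added example (this is not code from the original article or from Scirge). It splits lines at the first of the common delimiters, labels each secret as cleartext or as a hash by its shape, and reports what share of the cleartext passwords are all-lowercase letters of one dominant length. The sample lines, the delimiter set and the hash-shape regexes are assumptions made for the example; the hash values are the well-known digests of the string "password", not credentials from any breach.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines (not taken from any real breach). They mix the
# delimiters seen in the wild (colon, semicolon, pipe, tab), cleartext and
# hashed secrets, and a run of suspiciously uniform passwords.
SAMPLE_LINES = [
    "alice@example.com:Winter2021!",
    "bob@example.com;5f4dcc3b5aa765d61d8327deb882cf99",
    "carol@example.com|$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "dave@example.com\tqwlkdmsk",
    "erin@example.com:asdoieru",
    "frank@example.com:mnbvcxzz",
    "grace@example.com:poiuytre",
    "heidi@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "",
    "not a credential line",
    "ivan@example.com:correct horse battery staple",
]

# Shape-based hash detection (an assumption of this example). Order matters:
# the structured bcrypt form is tested before the bare hex digests.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
]

DELIMITER = re.compile(r"[:;|\t]")


@dataclass
class Record:
    username: str
    secret: str
    kind: str  # "cleartext" or the name of the matched hash pattern


def classify_secret(secret: str) -> str:
    """Label a secret as a known hash shape or as cleartext.

    A 32/40/64-character hex string is assumed to be a digest; a cleartext
    password that happens to look like hex will be misclassified, which is
    an accepted limitation of shape-based detection.
    """
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "cleartext"


def parse_combo_list(lines) -> list:
    """Split each line at its first delimiter into (username, secret).

    Splitting only once keeps delimiters that occur inside the password.
    Blank lines and lines with no delimiter are skipped.
    """
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        parts = DELIMITER.split(line, maxsplit=1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            continue
        username, secret = parts[0].strip(), parts[1]
        records.append(Record(username, secret, classify_secret(secret)))
    return records


def kind_counts(records) -> dict:
    """How many secrets of each kind the list holds."""
    return dict(Counter(r.kind for r in records))


def generated_password_share(records):
    """Estimate whether cleartext entries were padded with fabricated passwords.

    Heuristic from the text: generator output tends to be all-lowercase
    letters of one fixed length. Returns (dominant_length, share), where
    share is the fraction of cleartext passwords that are all-lowercase
    letters of that dominant length, or (None, 0.0) if there is no cleartext.
    """
    clear = [r.secret for r in records if r.kind == "cleartext"]
    if not clear:
        return None, 0.0
    lengths = Counter(len(p) for p in clear if p.isalpha() and p.islower())
    if not lengths:
        return None, 0.0
    length, count = lengths.most_common(1)[0]
    return length, count / len(clear)


if __name__ == "__main__":
    recs = parse_combo_list(SAMPLE_LINES)
    print(kind_counts(recs))
    print(generated_password_share(recs))
```

On the sample, two thirds of the cleartext passwords are eight lowercase letters, which is the pattern the article describes for generator-padded lists; a threshold for raising an alert (say, above one half) is a tuning choice, since a short list of genuine passwords can also share a length by chance.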
How Are Combo Lists Used?
Combo lists have multiple use cases. Password spraying, credential stuffing, and account takeover are the
primary attack vectors, but the lists are also used for targeted phishing, impersonation, business email
compromise, and extortion. When someone is known to have an account on a certain website, they are more likely
to fall for a fake password-reset request or click a malicious link that appears to come from that service.
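What credential stuffing with a combo list looks like from the defender's side, as an added example (not code from the original article or from Scirge): a single source tries one password against many different accounts in a short window, almost all attempts fail, and any success from that source is a likely account takeover. The log format and the sample lines below are constructed for this example; the addresses are from documentation ranges.

```python
import re
from datetime import datetime

# Constructed authentication log lines (made up for this example; the
# format is an assumption, not any vendor's). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
LOG_LINES = [
    "2024-03-01T10:00:01Z src=198.51.100.7 user=alice@example.com result=OK",
    "2024-03-01T10:00:05Z src=203.0.113.5 user=bob@example.com result=FAIL",
    "2024-03-01T10:00:06Z src=203.0.113.5 user=carol@example.com result=FAIL",
    "2024-03-01T10:00:07Z src=203.0.113.5 user=dave@example.com result=FAIL",
    "2024-03-01T10:00:08Z src=203.0.113.5 user=erin@example.com result=OK",
    "2024-03-01T10:00:09Z src=203.0.113.5 user=frank@example.com result=FAIL",
    "2024-03-01T10:00:10Z src=203.0.113.5 user=grace@example.com result=FAIL",
    "2024-03-01T10:00:11Z src=203.0.113.5 user=heidi@example.com result=FAIL",
    "2024-03-01T10:02:00Z src=198.51.100.9 user=alice@example.com result=FAIL",
    "2024-03-01T10:02:10Z src=198.51.100.9 user=alice@example.com result=FAIL",
    "2024-03-01T10:02:30Z src=198.51.100.9 user=alice@example.com result=OK",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(lines) -> list:
    """Turn log lines into event dicts; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def per_source_stats(events) -> dict:
    """Aggregate attempts, failures, distinct users and successes per source IP."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["src"], {
            "attempts": 0, "failures": 0, "users": set(),
            "successes": [], "first": e["ts"], "last": e["ts"],
        })
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["ok"]:
            s["successes"].append(e["user"])
        else:
            s["failures"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return stats


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.8) -> list:
    """Flag sources that hit many distinct accounts with a high failure rate.

    A user who mistypes their own password several times from one address
    has one distinct user and is not flagged. Thresholds are assumptions
    to be tuned per environment.
    """
    findings = []
    for src, s in per_source_stats(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            findings.append({
                "src": src,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "span_seconds": (s["last"] - s["first"]).total_seconds(),
                # successes from a stuffing source are probable account takeovers
                "takeover_candidates": sorted(s["successes"]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(parse_events(LOG_LINES)):
        print(finding)
```

Password spraying produces the same many-accounts, mostly-failing shape but spread over hours to stay under lockout thresholds, so a real detector evaluates these counts over sliding time windows rather than over the whole log at once.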
The passwords alone can convince people that they have been hacked. Extortion campaigns have exploited this by
emailing victims one of their breached passwords as supposed proof that their computer was compromised, then
demanding a ransom. To most people, who are not aware of how password breaches and security work in general,
this looks very convincing, so they may be inclined to pay the ransom or click on malicious content.
The reason combo lists are also effective is that people tend to reuse the same password across multiple
websites or services. So even if the original breached website reset all of its passwords, these accounts
may be used to target other services. This is exactly the reason credential stuffing is working very
If someone reused a corporate password on a breached website, the same credentials can be used to access their
online email, CRM, ERP, or other significant services. This is why companies should monitor password usage in
their employees' browsers: it lets them discover when a password is being reused across sites, or when a known
breached password is in use.
How to Protect My Accounts From Combo Lists?
Although there is no single solution for password-related threats, there are several steps you can take to
protect your accounts and passwords. First, using a different password for every site prevents a password
breached on one site from being used against other, more important services. Long passwords (length matters
more than a few special characters) are significantly harder to crack if they are breached in hashed form, so
even if the hashes get stolen, your accounts may remain safe. Wherever possible, turn on multi-factor
authentication; it makes a stolen password far less valuable, but remember that if one factor is compromised
you are reduced to a single-factor defense. Actively monitoring public breach data for your passwords is
another way to get a signal that an account was compromised so you can take action. Remember, though, that
before passwords appear in combo lists they have likely been traded privately among dozens or hundreds of
threat actors, so this alone will not protect you. The best approach is to combine all of these methods:
educating users about multi-factor authentication, monitoring password strength and reuse, and automatically
checking passwords against known breach data. For organizations this is attainable by using Scirge to protect
all corporate accounts.
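The two automated checks recommended above (breached-password lookup and reuse detection across sites), as an added example that is not code from the original article or from Scirge. The breach check follows the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service: only the first five hex characters of the password's SHA-1 leave the client, and the suffix is compared locally against the returned range. The range response here is constructed locally so the example runs offline; the counts in it are made up. Reuse detection stores a keyed HMAC fingerprint per (user, site) instead of the password; the observations and the key are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed range response for SHA-1 prefix "5BAA6" (the prefix of the
# digest of "password"). A real client would GET
# https://api.pwnedpasswords.com/range/5BAA6 and receive lines of the form
# SUFFIX:COUNT. The suffixes and counts below are made up for this example,
# except that one suffix is the genuine remainder of SHA-1("password").
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP call; returns the constructed response text."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """k-anonymity check: send the 5-char prefix, match the suffix locally.

    Returns how many times the password was seen in breach data, 0 if unseen.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fingerprint(password: str, key: bytes) -> str:
    """Keyed digest stored instead of the password: comparable, not reversible
    without the key, and unusable against the k-anonymity rainbow of SHA-1."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed observations of (user, site, password) as a browser-side monitor
# might collect them; in practice only the fingerprints would be retained.
OBSERVED = [
    ("alice@corp.example", "mail.corp.example", "Winter2021!"),
    ("alice@corp.example", "forum.example.net", "Winter2021!"),
    ("alice@corp.example", "crm.corp.example", "Tq9!vL2#pX"),
    ("bob@corp.example", "mail.corp.example", "password"),
]


def find_reuse(observations, key: bytes) -> dict:
    """Map each user to the sites on which the same password fingerprint appears."""
    sites_by_fp = defaultdict(set)
    for user, site, password in observations:
        sites_by_fp[(user, fingerprint(password, key))].add(site)
    return {
        user: sorted(sites)
        for (user, _), sites in sites_by_fp.items()
        if len(sites) > 1
    }


def audit(observations, key: bytes, range_lookup=fake_range_lookup) -> dict:
    """Per-user findings: reused passwords and passwords present in breach data."""
    breached = {}
    for user, site, password in observations:
        n = breach_count(password, range_lookup)
        if n:
            breached.setdefault(user, []).append((site, n))
    return {"reuse": find_reuse(observations, key), "breached": breached}


if __name__ == "__main__":
    print(audit(OBSERVED, b"example-fingerprint-key"))
```

On the constructed data the audit reports that alice reuses one password on the corporate mail server and an external forum, exactly the situation the article warns about, and that bob's mail password appears in breach data. To run it against the live service, replace fake_range_lookup with a function that fetches the range URL for the prefix; nothing else changes, and the full hash never leaves the client.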
Does MFA Protect Against Password Hacking?
MFA is a great control in general, but it does not prevent passwords from being breached. When a service is
breached and passwords are stolen, MFA may stop an attacker from logging in directly, but there are several
known ways to circumvent it, and whether MFA is offered at all is up to each individual service. Once a
password is breached, attackers may social-engineer their way into the service (for example through its help
desk), phish or steal MFA codes and session tokens, reuse the same password on other sites, or send misleading
emails to the account owners that quote their cleartext passwords.
Is My Password Safe to Use?
There are free and paid services for checking whether a password appears in known breaches, and several tools
that evaluate password strength against brute-force attacks and password cracking. As everyone has dozens or
even hundreds of online accounts, managing each of them by hand is cumbersome. Password managers are a great
tool when they are used for all accounts and passwords are generated automatically, as generated passwords are
more complex and harder to guess than human-created ones. But password managers are also a single point of
failure if the master password is compromised, and browsers used for the same purpose are weaker still: their
stored passwords are typically protected only by the logged-in OS user's credentials, so malware running as
that user can read them, and they may sync to unmanaged personal devices. The best way to protect business
accounts is to automatically enforce password hygiene