Combolists are massive databases of stolen login credentials. Bought and sold in online criminal forums, they contain information leaked in multiple past data breaches or stolen by infostealer malware.
Hackers and fraudsters use combolists to plan and execute cyber attacks such as account takeovers. Although some cybersecurity analysts downplay their significance, combolists continue to pose a significant threat to organisations in 2025.
What are combolists?
To create a combolist, cybercriminals take multiple lists of stolen usernames and passwords and combine them (hence the name combo). They clean up the data and create a single aggregated file, which can contain millions or billions of credentials. They offer the file for sale in criminal forums and marketplaces.
Many combolists consolidate lists of credentials that were leaked in third-party data breaches some time ago. As a result, some analysts say that combolists aren’t a serious danger because they contain information that’s largely obsolete.
However, even lists of older credentials can still be used to facilitate attacks. Users who haven’t changed their passwords since a historical breach occurred remain vulnerable to attacks using older data.
What’s more, some combolists contain new and exclusive information stolen using infostealers.
Infostealer logs and their link to combolist validity
Infostealers are malware that snatches files and data from infected devices. They work swiftly and can avoid detection by conventional antivirus tools.
Because infostealers are so fast and effective, infostealer logs typically contain up-to-date and active credentials. As a result, combolists based on infostealer logs are particularly dangerous and command premium prices in criminal forums.
When infostealer campaigns strike specific industries or sectors, combolist data can be used for targeted attacks on related organisations.
Combolists-as-a-Service: The subscription model for cybercrime
Combolists have evolved from simple data dumps to sophisticated cybercriminal subscription services.
Combolist-as-a-Service platforms provide regularly updated lists for a monthly fee. They come with easy-to-use interfaces, search functions, and quality ratings. These platforms enable attackers to access fresh credential data without requiring advanced technical skills or know-how.
How cybercriminals use combolists in brute force campaigns
Cybercriminals use combolists for brute force campaigns. They test large numbers of username and password combinations against multiple systems and accounts until one is successful.
Credential stuffing
In credential stuffing, cybercriminals use automated tools to try millions of stolen username-password combinations across different websites and systems. They spread their login attempts across multiple IP addresses to circumvent rate-limiting measures and evade detection.
Credential stuffing works because many people reuse the same passwords, or minor variations, across accounts and systems. When attackers find a working combination, they gain immediate access to the user’s accounts and sensitive data.
Account takeover attacks
In an account takeover (ATO) attack, cybercriminals use a working set of credentials to access a user’s account, such as their email, online banking, or work account.
The attackers can then make fraudulent transactions or use the victim’s email to send phishing messages. They may also gather information about the victim’s friends and contacts to plan further spear phishing or social engineering attacks.
For organisations, an ATO attack can be costly and damaging. High-profile victims have included Uber, Dunkin’ Donuts and the game developer Electronic Arts.
A single compromised employee account can provide an entry point for attackers to move laterally through a network. The danger is heightened if the victim has privileged access or can reset passwords for other users.
How to mitigate risks arising from combolists
To defend your organisation against the danger from combolists, take the following measures:
- Define your password policy: Ensure everyone in your organisation uses strong, unique passwords that they update regularly and keep secure using a password manager tool.
- Deploy rate limiting: Restrict login attempts per user or IP address to help prevent credential stuffing.
- Use anomaly detection: Monitor for unusual login patterns and block suspicious activity in real time.
- Implement multi-factor authentication: If login credentials fall into the wrong hands, MFA adds a vital extra layer of protection.
- Use a cyber threat intelligence (CTI) and credential monitoring solution: CTI solutions such as Cybercheck continuously monitor for exposed credentials and personal data, providing early warning to stop attacks before they breach your defences. If cybercriminals are trading information about you or your organisation, we alert you immediately. That means you can stay extra vigilant, take proactive steps like changing passwords or blocking cards, and shut out the attackers before they make you their next victim.
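As an added example (not from the original article or from Cybercheck), the Python below illustrates the credential stuffing pattern described earlier and the rate limiting and anomaly detection measures in this list: it scans constructed login records in a hypothetical "timestamp ip username result" format and flags both a single IP cycling through many accounts and a single account probed from many IPs.

```python
"""Detect credential-stuffing patterns in login records (added illustration).

The log format is a constructed, hypothetical one:
"<timestamp> <src_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict

# Constructed sample log: one IP cycling through many usernames (classic
# stuffing) and one username hit from many IPs (attempts spread across
# addresses to dodge per-IP rate limits, as the article describes).
SAMPLE_LOG = """\
2025-03-01T10:00:01 203.0.113.7 alice FAIL
2025-03-01T10:00:02 203.0.113.7 bob FAIL
2025-03-01T10:00:02 203.0.113.7 carol FAIL
2025-03-01T10:00:03 203.0.113.7 dave FAIL
2025-03-01T10:00:03 203.0.113.7 erin OK
2025-03-01T10:00:04 198.51.100.1 frank FAIL
2025-03-01T10:00:04 198.51.100.2 frank FAIL
2025-03-01T10:00:05 198.51.100.3 frank FAIL
2025-03-01T10:00:05 198.51.100.4 frank FAIL
2025-03-01T10:00:09 192.0.2.10 grace OK
2025-03-01T10:00:10 192.0.2.10 grace FAIL
"""


def parse_log(text):
    """Yield (src_ip, username, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def detect_stuffing(text, max_users_per_ip=3, max_ips_per_user=3):
    """Return (IPs probing many accounts, accounts probed from many IPs)."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for ip, user, _ok in parse_log(text):
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    # A per-IP limit catches the first pattern on its own ...
    noisy_ips = sorted(ip for ip, users in users_by_ip.items()
                       if len(users) > max_users_per_ip)
    # ... but only a per-account view reveals the distributed one.
    targeted_users = sorted(user for user, ips in ips_by_user.items()
                            if len(ips) > max_ips_per_user)
    return noisy_ips, targeted_users


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # (['203.0.113.7'], ['frank'])
```

Thresholds are deliberately low for the tiny sample; in production they would be tuned per application and combined with time windows.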