A Quick Guide to Dark Web Combo Lists

FACT: Over 15 billion credentials are circulating on various dark web forums.

In 2023 alone, Breachsense recaptured over 1.3 billion credentials from the darknet.

The rise of infostealer malware, along with the growing number of third-party breaches, has created the perfect storm for threat actors looking to compromise accounts at scale.

In this post, we’ll cover what combo lists are, how they’re created, how they’re exploited, and how organizations can protect themselves.

What Is A Password Combo List?

A password combo list, also known as a combo list, is a collection of username and password pairs that originate from other data breaches.

These lists typically contain millions of credentials gathered from multiple third-party breaches and stealer logs.

The format is usually straightforward.

Each line contains a username (often an email address) and its corresponding password, separated by a delimiter like a colon or semicolon.

In some cases, the URL where the credentials were used is also included. For example:

[email protected]:password123
https://account.example.com/login.aspx:[email protected]:qwerty789
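As an added illustration (not code from the original post or from Breachsense), the following Python parser handles both line layouts shown above, including the case where the leading URL itself contains a colon, and flags entries whose username belongs to a domain the defender monitors. The sample lines and the monitored domain are constructed.

```python
import re

# Constructed sample lines (not real leaked data) in the two layouts the post
# describes: "user:password" and "url:user:password", with ':' or ';' delimiters.
SAMPLE_COMBO_LIST = """\
alice@corp-example.com:Summer2023!
https://account.example.com/login.aspx:bob@corp-example.com:qwerty789
carol@gmail.com;hunter2
http://shop.example.net/signin:dave@other-example.org:p@ss:word
malformed line without delimiter
"""

# Assumed: the corporate domains the defender wants to be alerted on.
MONITORED_DOMAINS = {"corp-example.com"}

# Optional leading URL: scheme, host, optional port, then a path with no delimiter.
# The scheme's own "://" is why a naive split(":") fails on these lines.
URL_PREFIX_RE = re.compile(r'^(https?://[^\s/:;]+(?::\d+)?[^\s:;]*)[:;](.*)$', re.I)
# Username runs up to the first delimiter; everything after it is the password,
# so a password that itself contains ':' or ';' is kept whole.
PAIR_RE = re.compile(r'^([^:;]+)[:;](.+)$')

def parse_combo_line(line):
    """Return (url_or_None, username, password), or None if the line is unparseable."""
    line = line.strip()
    url = None
    m = URL_PREFIX_RE.match(line)
    if m:
        url, line = m.group(1), m.group(2)
    m = PAIR_RE.match(line)
    if not m:
        return None
    return url, m.group(1).strip(), m.group(2)

def find_monitored_exposures(text, monitored_domains):
    """Return entries whose username is an address in a monitored domain.

    The password is deliberately not retained: a defender only needs to know
    which account is exposed and where, and can then force a reset."""
    hits = []
    for raw in text.splitlines():
        parsed = parse_combo_line(raw)
        if parsed is None:
            continue
        url, user, password = parsed
        domain = user.rpartition("@")[2].lower()
        if "@" in user and domain in monitored_domains:
            hits.append({"username": user, "url": url, "password_len": len(password)})
    return hits
```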

What makes combo lists particularly concerning is that many people reuse passwords across multiple services.

When credentials from one breach become part of a combo list, attackers attempt these same login combinations on other websites.

This technique is called credential stuffing.

To understand why credential stuffing is so prevalent, we need to examine how these combo lists come into existence in the first place.

How Combo Lists Are Created

Modern combo lists are typically amalgamations of two primary sources: data breaches and stealer logs.

Third-party data breaches form the foundation of most combo lists.

When companies suffer a security breach, their user databases often end up being shared and sold across various underground forums.

These breaches can range from small web forums to massive corporate databases containing millions of records.

Threat actors compile these breach dumps, remove duplicates, and standardize the format to create comprehensive lists.

Stealer logs represent the second major source.

Infostealer malware (often called “stealers” or “infostealers”) harvests credentials directly from infected devices by:

  • Extracting saved passwords from browsers
  • Capturing login form submissions
  • Stealing authentication cookies
  • Pulling credentials from email clients

Popular stealers include RedLine, Raccoon, and Vidar.

Infostealers generate logs containing freshly harvested credentials daily.

These logs are particularly valuable because they often contain recently used passwords.

Unlike a third-party breach, where the breached company may notify its users, a stealer infection leaves no third party to tell victims that their credentials have been leaked.

What makes modern combo lists particularly dangerous is how threat actors merge and process these sources.

By using automation, they can clean up the list and turn it into a valuable commodity.

Combo list prices vary based on factors like freshness, validation status, and the presence of high-value targets like corporate or financial accounts.

Once threat actors obtain a combo list, there are several ways it can be used.

How Do Threat Actors Use Combo Lists?

There are several ways combo lists are exploited.

As mentioned earlier, the most common attack is credential stuffing.

Attackers use automated tools to systematically test username/password combinations across hundreds or thousands of websites simultaneously.

These tools can distribute login attempts across different IP addresses to avoid detection and rate limiting.

Account takeover (ATO) attacks represent another major use case.

Once valid credentials are identified, attackers typically:

  • First test the credentials on high-value targets like popular banking, email, and ecommerce sites
  • Look for connected accounts using “forgot password” features
  • Attempt to access cloud storage for sensitive documents
  • Search for payment information or stored credit cards

Some threat actors also use combo lists for targeted spear-phishing campaigns.

Having access to valid email addresses and understanding password patterns helps them craft more convincing social engineering attacks.

They might reference details from the breached account to make their messages appear legitimate.

What’s particularly dangerous is the way attackers can cross-reference multiple combo lists to build detailed profiles.

When they find a user’s credentials in several breaches, they can:

  • Analyze password patterns and variations
  • Identify linked accounts across services
  • Build a timeline of password changes
  • Map out corporate and personal account connections

For businesses, the risk isn’t just to individual accounts.

A single compromised employee account can provide an entry point for broader network access.

This is especially true if the victim has privileged access or can initiate password resets for others.

Given these serious risks to corporate security, organizations need a comprehensive defense strategy.

How To Mitigate Risks Arising From Combo Lists

Here are some effective strategies organizations can implement to protect themselves:

  • Implement Strong Authentication Controls: Enforce multi-factor authentication (MFA) across all corporate accounts and services. Require hardware security keys for privileged accounts. Set up adaptive authentication that considers login location, device, and behavior patterns. Deploy CAPTCHA and rate limiting to prevent automated login attempts.
  • Monitor for Exposed Credentials: Use a breach notification service, like Breachsense, to detect when corporate emails appear in new combo lists. Deploy automated tools to scan dark web markets for company credentials. Set up alerts for suspicious login patterns that might indicate credential stuffing. Monitor for unusual access patterns, especially from new IP addresses or locations.
  • Enforce a Strong Password Policy: Block common password patterns and enforce strong complexity requirements. Use a password manager to generate and store unique credentials for each service.
  • Strengthen Access Management: Implement the principle of least privilege for all accounts. Regularly audit user access rights and remove unnecessary permissions. Set up network segmentation to limit lateral movement if credentials are compromised. Use privileged access management (PAM) solutions for administrative accounts.
  • Employee Training and Awareness: Train staff on the risks of password reuse between personal and corporate accounts. Educate teams about phishing attacks that might try to steal login credentials. Create clear incident response procedures for suspected credential compromise. Hold regular security awareness training focused on password hygiene.
  • Technical Controls: Deploy Web Application Firewalls (WAF) with bot detection. Implement IP reputation filtering. Use threat intelligence feeds to block known malicious IPs. Set up anomaly detection for login attempts.
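To make the “alerts for suspicious login patterns” and “anomaly detection for login attempts” items concrete, here is an added Python example (not from the post or from Breachsense) that scans authentication log lines for the credential-stuffing signature described earlier: one source trying many different accounts, each once, with mostly failures. The log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from a real system): 203.0.113.5 cycles through
# many accounts with mostly failures; 198.51.100.7 is a user who mistypes once.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@corp-example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@corp-example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave@corp-example.com result=OK
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin@corp-example.com result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=frank@corp-example.com result=FAIL
2024-05-01T10:00:30Z ip=198.51.100.7 user=alice@corp-example.com result=FAIL
2024-05-01T10:00:45Z ip=198.51.100.7 user=alice@corp-example.com result=OK
"""
LINE_RE = re.compile(r'^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$')

def parse_auth_log(text):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within a sliding `window`, attempt >= `min_users`
    distinct accounts with success ratio <= `max_success_ratio` (many accounts,
    each tried once, mostly failing; brute force instead hammers one account)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_auth_log(text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while events[start][0] < ts - window:  # drop events outside the window
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]  # accounts needing a forced reset
            if len(users) < min_users or len(successes) / len(span) > max_success_ratio:
                continue
            if ip not in flagged or len(span) > flagged[ip]["attempts"]:  # keep widest
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users),
                               "failures": len(span) - len(successes),
                               "compromised_users": sorted(set(successes))}
    return flagged
```

The "compromised_users" entry is the actionable part: those accounts accepted a stuffed credential and should be reset and reviewed, while the flagged IP is a candidate for the rate-limiting and IP-reputation controls listed above.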

Mitigating Combo List Exposure with Breachsense

Breachsense continuously monitors dark web forums, marketplaces, and third-party breaches to detect exposed credentials in real-time.

The platform automatically scans and parses new combo lists, using pattern matching to identify monitored corporate email domains.

When exposures are detected, Breachsense issues instant notifications including contextual data about the breach source.

Through API integration with identity systems, SSO providers, and SIEM/SOAR platforms, organizations can automate response workflows including password resets and incident response playbooks.

Need visibility into your organization’s leaked credentials?

Book a demo to see how Breachsense helps security teams identify and mitigate data breaches before criminals exploit them.
