What Is a Combo List?

Definition and Explanation of a Combo List

A combo list is a text file that contains a list of leaked usernames and passwords in a specific format. These passwords are typically gathered from various breaches and stored collectively in one file. These files can be fed into automatic brute-forcing tools that test multiple credentials on different accounts or website logins until a match is found.

What Is Contained in Combo Lists?

Combo lists are collections of separate lists of passwords originating from different website breaches. A combo list doesn’t have a standard format, and often they are just a packed list of individual files that may be in different file formats with varying data structures. They may hold different types of Personally Identifiable Information (PII) data, but their primary goal is to provide a large number of passwords and emails or other forms of usernames.

When a website or service is breached, passwords are not always stored in plaintext format. Combo lists may contain variations of plaintext passwords or different types of hashed passwords. Some attackers will decrypt these hashes, but this effort largely depends on the type of hashing algorithm used and the number of passwords.

When a site is initially breached, these stolen credentials can hold significant value depending on the nature of the service, so attackers often try to sell them first. Once they become old, are made public, or are recovered by researchers, their value drops significantly, as websites usually reset these passwords for their users. At this point, individual lists become less valuable.

To extract more value, attackers may combine multiple lists into combo lists to increase their value again. Actors may also add fake accounts and provide fake plaintext passwords instead of decrypting them, making the lists appear more valuable. Plaintext passwords are crucial for various attacks, such as password spraying, credential stuffing, or account takeovers. These fake passwords are usually generated with simple algorithms, making them easy to spot, such as all lowercase letters with fixed lengths.

What is a Gmail Combo List?

A Gmail combo list is a compilation of email addresses and their corresponding passwords, typically specific to Gmail accounts. These lists are often compiled through data breaches, phishing attacks, or other illicit means and are sold or shared on the dark web or among cybercriminal communities.

What is a Combo List Breach?

A combo list breach refers to an incident where a list of email address and password combinations (combo list) is leaked or exposed, usually due to hacking or data breaches. These breaches can affect multiple services and platforms since many users reuse the same email-password combinations across different sites. The exposed combo lists can then be used by cybercriminals to gain unauthorized access to user accounts.

What are Account Combos?

Account combos refer to pairs of usernames (often email addresses) and passwords that are used to log into accounts on various online services. These combos are valuable to cybercriminals because they can be used in credential stuffing attacks, where automated systems try these combinations across multiple websites in an attempt to gain access to user accounts.

What is an Email Provider Combo List?

An email provider combo list is similar to a general combo list but is specifically compiled for accounts from a particular email provider, such as Gmail, Yahoo, or Outlook. These lists include email addresses from the targeted provider and their associated passwords, making them highly relevant for targeted attacks on users of that specific email service.

How Are Combo Lists Used?

Combo lists have multiple use cases, including:

• Password Spraying: Testing common passwords across multiple accounts.
• Credential Stuffing: Using stolen credentials to gain unauthorized access to accounts.
• Account Takeovers: Gaining control of accounts to steal information or perform malicious activities.
• Phishing Attacks: Targeted attacks to trick users into providing sensitive information.
• Impersonation: Using stolen credentials to impersonate victims.
• Business Email Compromise (BEC): Gaining unauthorized access to business email accounts.
• Extortion: Threatening to release stolen information unless a ransom is paid.

These lists are effective because people tend to reuse passwords across multiple websites and services. Even if the originally breached website resets all its passwords, the stolen credentials can still be used to target other services.

How to Protect Your Accounts From Combo Lists

There is no single solution for protection against password-related threats, but you can take multiple steps to protect your accounts and passwords:

1. Use Unique Passwords: Using different passwords across sites protects against breached passwords being used against other services.
2. Create Strong Passwords: Long passwords with special characters are harder to decrypt if they are breached in a hashed format.
3. Enable Multi-Factor Authentication (MFA): MFA makes passwords less valuable by adding an extra layer of security.
4. Monitor Public Breached Passwords: Actively monitoring public databases of breached passwords can signal when your accounts are compromised.
5. Use Password Managers: Password managers can generate and store complex passwords, reducing the risk of password reuse.
6. Educate Users: Teach users about the importance of strong, unique passwords and the use of MFA.

Does MFA Protect Against Password Hacking?

Multi-Factor Authentication (MFA) is an effective method to add an extra layer of security, but it does not fully protect against password breaches. When a service is breached and passwords are stolen, MFA can prevent direct login. However, attackers may use social engineering, steal MFA tokens, reuse passwords on other sites, or send misleading emails to account owners by showing them their plaintext passwords.

Is My Password Safe to Use?

There are free and paid services to check against breached passwords, and several tools to evaluate password strength against brute-force attacks and password cracking.

Since everyone has dozens or even hundreds of online accounts, managing them individually can be cumbersome. Password managers are great tools if used across all accounts and if passwords are generated automatically, as they tend to be more complex and harder to guess compared to human-created passwords.

However, password managers are also points of vulnerability if their master password is breached, or if browsers are used for this purpose, as they store the encryption key locally and may sync to unsecured personal devices.

Conclusion

A combo list is a collection of leaked usernames and passwords used by attackers for various malicious activities. Protecting your accounts involves using unique and strong passwords, enabling MFA, monitoring breached passwords, and using password managers. By understanding how combo lists are used and taking proactive measures, you can significantly reduce the risk of your accounts being compromised.