
This article was updated on September 4, 2025.
By purchasing combolists on the dark web, malicious actors can acquire the large numbers of leaked credentials needed to perpetrate cyberattacks. We’ll explain why combolists are slightly different from leaked credentials in general.
What is a Combolist?
A combolist is a collection of usernames and passwords, but it’s not the same thing as a set of leaked credentials. Combolists are curated for offensive use cases and pose more risk to organizations.
Combolists are valuable because many people reuse their passwords, or slight variations of them, across multiple accounts. When these credentials are compromised, threat actors can test whether they work on other sites.
Compromised credentials are often pulled from multiple breaches. There is no standard format for combo lists: the passwords may be stored as hashes or in plain text, and the entries may be organized by geographic region, sector, or top-level domain.
Many threat actors want to create a high-value combo list, so they aggregate as many credentials as possible. When determining a combolist’s value, malicious actors focus on:
- Service or platform associated with the credentials.
- Date or recency of the credential breach.
- Number of breaches combined into a single package or list.
Combolists are most valuable to threat actors when they are exclusive, recent, and accurate.

What is the Dark Web’s Role in Combolists?
Threat actors rely on the dark web and cybercriminal communities to sell and buy combo lists. It provides the secrecy needed for illicit activity. Combo lists are found in places like:
There are thousands of these types of communities. Dark web monitoring ensures that security teams notice relevant targets and are notified of credential-based threats.
How are combolists created?
Combolists are compiled from multiple data breaches. Numerous methods can cause a data breach, including phishing attacks, account takeovers, or infostealer malware.
As much as bad actors like to tout that they are selling freshly compromised credentials, many combolists are compiled from old data breaches. In June 2025, reports circulated that over 16 billion credentials had leaked. Our investigation showed that many of these credentials were previously stolen data.
That doesn’t mean all combolists are too old to be relevant. It just means that “new” combolists are often recycled data. Regardless, organizations should take precautions and ensure there’s a monitoring process to find relevant combolists with new data.
How do threat actors use combolists?
Threat actors want to optimize their financial investment in combolists by using them in multiple ways. Here’s a quick look at the most common methods:
Credential-based attacks
Threat actors test the stolen credentials from combolists against various websites and applications. The goal is to find a match and gain unauthorized access to sensitive data. This approach succeeds since people often reuse their passwords across multiple platforms.
Cybercriminals can automate attack methods like:
- Brute forcing
- Password spraying
- Credential stuffing
- Account takeover
Attackers use automation to try the credentials across critical business services. If they gain access to a service, they can obtain sensitive data and cause further damage.
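The automated credential testing described above leaves a recognizable trace in authentication logs: one source trying many different usernames (a list-driven attack such as credential stuffing or password spraying) or hammering a single account (brute force), sometimes followed by a success that signals a possible account takeover. The detection logic below is an added example, not code from Flare or from the original post; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth log (not from any real system): time, source IP, user, result.
SAMPLE_LOG = """\
10:00:01 src=203.0.113.5 user=alice result=fail
10:00:02 src=203.0.113.5 user=bob result=fail
10:00:03 src=203.0.113.5 user=carol result=fail
10:00:04 src=203.0.113.5 user=dave result=fail
10:00:05 src=203.0.113.5 user=erin result=success
10:00:06 src=198.51.100.7 user=frank result=fail
10:00:07 src=198.51.100.7 user=frank result=fail
10:00:08 src=198.51.100.7 user=frank result=fail
10:00:09 src=198.51.100.7 user=frank result=fail
10:00:10 src=192.0.2.9 user=grace result=fail
10:00:11 src=192.0.2.9 user=grace result=success
"""

@dataclass
class Finding:
    src: str
    pattern: str        # "list-driven" (many users from one source) or "brute-force" (one user)
    failures: int
    distinct_users: int
    successes: int      # a success after many failures from the same source = possible takeover

def parse_line(line):
    """Turn 'ts key=value ...' into (src, user, result); the format is an assumption."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["user"], fields["result"]

def detect(log_text, fail_threshold=3):
    """Group failures per source IP and flag sources at or above the threshold."""
    per_src = defaultdict(lambda: {"fails": 0, "users": set(), "succ": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, result = parse_line(line)
        stats = per_src[src]
        if result == "fail":
            stats["fails"] += 1
            stats["users"].add(user)
        else:
            stats["succ"] += 1
    findings = []
    for src, stats in per_src.items():
        if stats["fails"] < fail_threshold:
            continue
        pattern = "list-driven" if len(stats["users"]) > 1 else "brute-force"
        findings.append(Finding(src, pattern, stats["fails"], len(stats["users"]), stats["succ"]))
    return findings
```

A finding with a non-zero success count after the failure burst is the one to triage first, since that is the account the attacker actually got into.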
Targeted social engineering attacks
Access to an authentic email address can make it more difficult to spot social engineering attacks. Combolists can sort email addresses by corporate domain. With a little social media research, threat actors can find the names of:
- Senior management
- IT team members
- Human resources staff
- Finance department employees
With this research and the email addresses from the combolist, they can craft spear-phishing attacks.
Cyber extortion
Ransomware attacks are rising in popularity because they work. Cybercriminals collected $1.1 billion in 2023 from ransomware attacks, which is a 140% increase from $457 million in the year prior.
With the collection of compromised credentials contained in combolists, malicious actors can “prove” that they have system or network access and trick companies into paying them, even if they haven’t deployed a ransomware attack.
Why Do Combolists Matter in Today’s Cybersecurity Landscape?
Compromised credentials are a popular method for infiltrating accounts and systems. They leverage password reuse to gain unauthorized access to accounts. Even if someone resets their password, they may have used the same credentials elsewhere.
For example, someone may reuse their corporate email password to access a customer relationship management (CRM) tool, an enterprise resource planning (ERP) tool, or a human resources portal. If they only reset their email password, the leaked credentials could still be used to access other platforms.
Combolists are updated with every new malware infection or data breach. With a defensive approach, security teams can ensure that weak login credentials don’t cause greater damage.
How to Mitigate Risks Arising from Combolists
Protecting your organization from the risks of combolists requires a multi-layered approach across people, processes, and technologies.
Enforce password best practices
Employees are an organization’s first line of defense. Provide employees with cyber awareness training that addresses the key fundamentals of a strong password or passphrase:
- Choose a unique password for each account.
- Avoid using common passwords.
- Use a combination of letters, numbers, and special characters.
Your organization can also set password requirements like a minimum length of 12 characters and periodic mandatory resets.
Provide a password manager
According to one report, an employee manages an average of 87 passwords in their workplace – far too many passwords for an employee to remember.
With a password manager, employees can store login credentials securely. They only need to remember one master password to access their other login information.
Password managers make it easier to manage passwords while protecting them from threat actors.
Implement and enforce multi-factor authentication (MFA)
MFA adds a layer of verification to logins: employees must prove their identity with more than one factor. MFA combines two or more of the following:
- Something a person knows (password/passphrase)
- Something a person possesses (token, device)
- Something a person is (biometrics, like a fingerprint or face ID)
Linking a user’s credentials to a second identity verification step deters malicious actors. It makes credential-based attacks harder, because a stolen password alone is not enough when the attacker cannot get past MFA.
Monitor the clear and dark web
Security teams may run into these obstacles when trying to gain visibility into their credentials:
- Not knowing whether a third-party vendor has experienced a data breach
- Being unable to confirm whether employees reuse passwords across their personal and workplace accounts
To mitigate these risks, security teams can monitor the clear and dark web to identify leaked credentials. You can target searches for employee names, domains, and corporate email addresses. An automated monitoring solution provides visibility into leaked data that may be difficult to find otherwise.
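When a monitoring process does surface a combolist, the first defensive task is to work out which of the organization’s accounts appear in it without ever storing or logging the exposed secrets. The parser below is an added example, not Flare’s code or code from the original post: it handles the lack of a standard format (varying delimiters, hashed or plaintext passwords) described earlier, filters entries to an assumed set of corporate domains, and records only a truncated fingerprint of each secret so that reuse across dumps can be spotted. The sample dump is constructed.

```python
import hashlib
import re

# Constructed sample dump (not real data). Delimiters vary; secrets may be hashes or plaintext.
SAMPLE_DUMP = """\
alice@example.com:Summer2024!
bob@example.com;5f4dcc3b5aa765d61d8327deb882cf99
someone@other.test:hunter2
carol@corp.example.com\t$2b$12$constructedBcryptStringForIllustrationOnly000000
# junk line with no delimiter
dave@example.com:pass:with:colons
"""

MONITORED_DOMAINS = {"example.com", "corp.example.com"}   # assumption: the org's mail domains

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256 hex
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$")

def parse_entry(line):
    """Split one combolist line at its first ':', ';' or tab into (identifier, secret), else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"^([^:;\t\s]+)[:;\t](.+)$", line)   # everything after the first delimiter is the secret
    return (m.group(1), m.group(2)) if m else None

def classify_secret(secret):
    """Heuristic only: a hash still needs cracking, plaintext is immediately usable."""
    return "hash" if BCRYPT_RE.match(secret) or HASH_RE.match(secret) else "plaintext"

def fingerprint(secret):
    # Never keep the secret itself; a truncated SHA-256 is enough to notice the same value reappearing.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_exposed(dump_text, domains):
    """Return redacted records for every entry whose email domain is one the organization monitors."""
    hits = []
    for line in dump_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        ident, secret = entry
        domain = ident.rsplit("@", 1)[-1].lower() if "@" in ident else ""
        if domain in domains:
            hits.append({"account": ident.lower(), "kind": classify_secret(secret),
                         "fingerprint": fingerprint(secret)})
    return hits
```

Plaintext hits for current employees are the ones that warrant an immediate forced reset and MFA check; hashed entries still matter, since weak hashes are routinely cracked before resale.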
Mitigate Threats from Leaked Credentials with Flare
Cyber threat exposure management is a Flare solution that gives companies the means to proactively detect, prioritize, and remediate the types of exposures commonly exploited by cybercriminals. Around the clock, our platform automatically scans the clear web, the dark web, and the largest illicit communities to uncover unknown events, prioritize risks, and deliver actionable intelligence that can be used immediately to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. See what external threats are exposed for your organization by signing up for our free trial.