
This article was updated with new information on September 4, 2025.
By purchasing combolists on the dark web, malicious actors can obtain the large numbers of leaked credentials they need to perpetrate cyberattacks. We’ll explain how a combolist differs slightly from leaked credentials in general.
What is a Combolist?
A combolist is a collection of usernames and passwords, but it is not the same as leaked credentials. Combolists are curated for offensive use cases and pose more risk to organizations.
Combolists are valuable because many people reuse passwords, or use slight variations of them, across multiple accounts. When these credentials are compromised, threat actors can test whether they work on different sites.
Compromised credentials are often pulled from multiple breaches. There is no standard format for combolists, which may be written in either hashed or plain text form. They may be organized by geographic region, industry, or top-level domain.
Many threat actors want to create a high-value combo list, so they aggregate as many credentials as possible. When determining a combolist’s value, malicious actors focus on:
- Service or platform associated with the credentials.
- Date or recency of the credential breach.
- Number of breaches combined into a single package or list.
Combolists are most valuable to threat actors when they are exclusive, recent, and accurate.

Threat actor advertising combolists for sale in a Telegram channel
What is the Dark Web’s Role in Combolists?
Threat actors rely on the dark web and cybercriminal communities to sell and buy combolists. These venues provide the secrecy needed for illicit activity. Combo lists are found in places like:
There are thousands of these types of communities. Dark web monitoring ensures that security teams notice relevant targets and are notified of credential-based threats.
How are combolists created?
Combolists are compiled from multiple data breaches. Numerous methods can cause a data breach, including phishing attacks, account takeovers, or infostealer malware.
As much as bad actors like to tout that they are selling freshly compromised credentials, many combolists are compiled from old data breaches. In June 2025, reports circulated that over 16 billion credentials had leaked. Our investigation showed that many of these credentials were existing stolen data.
That doesn’t mean all combolists are too old to be relevant. It just means that “new” combolists are often recycled data. Regardless, organizations should take precautions and ensure there’s a monitoring process to find relevant combolists with new data.
How do threat actors use combolists?
Threat actors want to optimize their financial investment in combolists by using them in multiple ways. Here’s a quick look at the most common methods:
Credential-based attacks
Threat actors test the stolen credentials from combolists against various websites and applications. The goal is to find a match and gain unauthorized access to sensitive data. This approach succeeds since people often reuse their passwords across multiple platforms.
Cybercriminals can automate attack methods like:
- Brute forcing
- Password spraying
- Credential stuffing
- Account takeover
Attackers use automation to try the credentials across critical business services. If they gain access to a service, they can obtain sensitive data and cause further damage.
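From the defender's side, these automated methods leave different shapes in authentication logs. The following added example (not from the original article) labels each source IP by how its failed logins are distributed; the event layout, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, outcome). The field layout
# and the thresholds below are assumptions; adapt them to your own auth logs.
EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", "fail") for i in range(12)]
    + [("203.0.113.7", "erin@example.com", "success")]
    + [("198.51.100.9", "admin@example.com", "fail")] * 25
    + [("192.0.2.44", "dana@example.com", "fail"),
       ("192.0.2.44", "dana@example.com", "success")]
)

def classify_sources(events, min_failures=10, spread_ratio=0.8):
    """Label each source IP by the shape of its failed logins."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    wins = defaultdict(set)                         # ip -> users that logged in
    for ip, user, outcome in events:
        if outcome == "fail":
            fails[ip][user] += 1
        elif outcome == "success":
            wins[ip].add(user)
    findings = {}
    for ip, per_user in fails.items():
        total = sum(per_user.values())
        if total < min_failures:
            continue  # a handful of failures is ordinary typo noise
        # Many accounts with about one try each looks like stuffing or spraying;
        # many tries concentrated on few accounts looks like brute forcing.
        spread = len(per_user) / total
        findings[ip] = {
            "pattern": "stuffing_or_spraying" if spread >= spread_ratio else "brute_force",
            "failures": total,
            "accounts_tried": len(per_user),
            # A success from a flagged source is a likely account takeover.
            "accounts_to_reset": sorted(wins[ip]),
        }
    return findings
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counting can be repeated per ASN, user agent, or time window.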
Targeted social engineering attacks
Access to an authentic email address can make it more difficult to spot social engineering attacks. Combolists can sort email addresses by corporate domain. With a little social media research, threat actors can find the names of:
- Senior leadership
- IT team members
- Human resources staff
- Finance department employees
With this research and the email addresses from the combo list, they can create targeted spear phishing attacks.
Cyber extortion
Ransomware attacks are rising in popularity because they work. Cybercriminals made $1.1 billion in 2023 from ransomware attacks, which is a 140% increase from $457 million in the year prior.
With the leaked credentials contained in combolists, malicious actors can “prove” that they have system or network access and trick companies into paying them, even if they haven’t deployed a ransomware attack.
Why Do Combolists Matter in Today’s Cybersecurity Landscape?
Compromised credentials are a popular method for infiltrating accounts and systems. Attackers leverage password reuse to gain unauthorized access to accounts. Even if someone resets their password, they may have used the same credentials elsewhere.
For example, someone may reuse their corporate email password to access a customer relationship management (CRM) tool, an enterprise resource planning (ERP) tool, or a human resources portal. If they only reset their email password, the leaked credentials could still be used to access other platforms.
Combolists are updated with every new malware infection or data breach. With a defensive approach, security teams can ensure that weak login credentials don’t cause greater damage.
How to Mitigate Risks Arising from Combolists
Protecting your organization from the risks of combolists requires a multi-layered approach across people, processes, and technologies.
Enforce password best practices
Employees are an organization’s first line of defense. Provide employees with cyber awareness training that addresses the key fundamentals of a strong password or passphrase:
- Choose a unique password for each account.
- Avoid using common passwords.
- Use a combination of letters, numbers, and special characters.
Your organization can also set password requirements like a minimum length of 12 characters and periodic mandatory resets.
Provide a password manager
According to one report, an employee manages an average of 87 passwords in their workplace – far too many passwords for an employee to remember.
With a password manager, employees can store login credentials securely. They only need to remember one master password to access their other login information.
Password managers make it easier to manage passwords while protecting them from threat actors.
Implement and enforce multi-factor authentication (MFA)
MFA provides an additional layer of authenticity around logins. It makes sure that employees verify their identity twice. MFA is a combination of two or more of the following:
- Something a person knows (password/passphrase)
- Something a person possesses (token, device)
- Something a person is (biometrics, like a fingerprint or face ID)
Linking a user’s credentials to another identity verification process deters malicious actors. It makes credential-based attacks more difficult because bad actors might not be able to get around MFA.
Monitor the clear and dark web
Security teams may run into these obstacles to credential visibility:
- not knowing whether a third-party vendor has experienced a data breach
- not being able to confirm whether employees use the same passwords across their personal and workplace accounts
To mitigate these risks, security teams can monitor the clear and dark web to identify leaked credentials. You can target searches for employee names, domains, and corporate email addresses. An automated monitoring solution provides visibility into leaked data that may be difficult to find otherwise.
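Once a list has been recovered through monitoring, the first task is to find which corporate addresses appear in it. This added example (not part of the original article and not Flare's code) parses a few assumed line layouts, keeps only entries for the monitored domain, and returns a per-account summary without passwords; the sample lines and domains are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample data. Combolists have no standard format, so the
# delimiters and the URL:email:password layout below are assumptions.
SAMPLE = """\
alice@example.com:Summer2024!
bob@example.com;5f4dcc3b5aa765d61d8327deb882cf99
https://crm.example.net/login:alice@example.com:Summer2024!
carol@other.test:hunter2
not a credential line
ALICE@Example.com|Summer2024!!
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HASH_RE = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})")  # digest-length hex
DELIMS = ":;|,\t"

def parse_line(line):
    """Return (service_host, email, secret), or None if the line has no pair."""
    m = EMAIL_RE.search(line)
    if not m or m.end() >= len(line) or line[m.end()] not in DELIMS:
        return None
    secret = line[m.end() + 1:].strip()
    prefix = line[:m.start()].rstrip(DELIMS)
    host = urlparse(prefix).hostname if "://" in prefix else None
    return (host, m.group(0).lower(), secret) if secret else None

def triage(text, domains):
    """Summarise exposure per monitored address; secrets never leave this function."""
    seen = {}
    for line in text.splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        host, email, secret = parsed
        dom = email.rsplit("@", 1)[1]
        if not any(dom == d or dom.endswith("." + d) for d in domains):
            continue
        e = seen.setdefault(email, {"secrets": set(), "services": set(), "hits": 0})
        e["hits"] += 1
        e["secrets"].add(secret)
        if host:
            e["services"].add(host)
    return {email: {"hits": e["hits"], "distinct_secrets": len(e["secrets"]),
                    "plaintext": any(not HASH_RE.fullmatch(s) for s in e["secrets"]),
                    "services": sorted(e["services"])}
            for email, e in seen.items()}
```

The `services` field lists the platforms named alongside an address, which shows where a reset is needed beyond the email account itself.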
Mitigate Threats from Leaked Credentials with Flare
The Flare Threat Exposure Management solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. See what external threats are exposed for your organization by signing up for our free trial.