Learn how to check if your credentials are exposed and how to protect your organization.
• Combo lists are collections of username/password pairs compiled from breaches and infostealer malware.
• Modern ULP lists (URL:Login:Password) tell attackers exactly which site to target.
• Fresh stealer logs show 30-60% credential validity vs just 0.2-2% for old breach compilations.
• 54% of ransomware victims had credentials exposed in stealer logs before the attack.
Over 24 billion username and password pairs are circulating on dark web forums right now. That’s roughly four credential sets for every person on Earth.
The rise of infostealer malware has accelerated this problem. In the first half of 2025 alone, 2.67 million devices were infected with infostealers, exposing over 204 million credentials. Combined with the steady flow of third-party breaches, attackers have an endless supply of credentials to exploit.
This guide covers how combo lists are created and traded. You’ll also learn how to detect exposed credentials before attackers exploit them.
Combo List: A file containing username and password pairs collected from data breaches and infostealer malware. Also spelled “combolist” as a single word. Attackers feed these lists into automated tools to test stolen credentials across websites. If the victim reused that password elsewhere, attackers can access those accounts too. This technique is called credential stuffing.
These lists typically contain millions of credentials gathered from multiple sources. The format is straightforward: each line contains a username (often an email address) and password, separated by a colon or semicolon.
Some lists also include the URL where the credentials were used:
user@email.com:password123
https://account.example.com/login.aspx:another@email.com:qwerty789
The second format with the URL is called a ULP (URL:Login:Password) list. ULPs are more dangerous because they tell attackers exactly which site to target.
With a standard combo list, criminals have to guess where the credentials might work. With a ULP list, they know the victim used that exact password on that exact site. No guessing required.
ULP lists have become the standard format for credentials stolen by infostealer malware. The malware captures the login URL along with the username and password, creating a ready-to-use attack package.
Because most people reuse passwords, attackers can use a single stolen credential to access multiple accounts. Learn more about credential stuffing and how these attacks work at scale.
Modern combo lists come from two primary sources: stealer logs and data breaches. Stealer logs now dominate because they contain plaintext passwords captured directly from browsers.
Third-party data breaches still contribute to combo lists, but breached databases typically contain hashed passwords that require cracking. When companies suffer a security breach, their user databases end up shared and sold across underground forums. Attackers compile these dumps, crack what they can, and standardize the format.
Infostealer Malware: Malware designed to harvest credentials from infected devices. It extracts saved passwords from browsers, captures login form submissions, and steals authentication cookies. Infostealers also pull credentials from email clients and other applications. Lumma now dominates the market according to IBM X-Force, while RedLine accounts for roughly 60% of activity according to Fortinet.
Infostealer malware like Lumma and RedLine generates fresh credential logs daily. Unlike third-party breaches, there’s no notification when credentials are stolen this way. Victims have no idea their passwords are compromised until an account gets taken over.
What makes modern combo lists particularly dangerous is how attackers merge and process these sources.
By using automation, they can clean up the list and turn it into a valuable commodity.
Here’s the key difference between old combo lists and modern ones.
Traditional combo lists were compiled from old breaches like LinkedIn 2012 and Adobe 2013. By the time credentials reached a combo list, many victims had already changed their passwords. Only 0.2-2% of credentials from these old compilations still work.
Modern ULP lists sourced from infostealers tell a different story. SpyCloud’s analysis shows 30-60% overlap between ULP credentials and active stealer logs. These aren’t stale passwords from 2015. They’re credentials harvested last week.
This freshness makes all the difference. A credential stolen today is far more likely to still work than one leaked three years ago.
Once attackers have these credentials, they need a way to monetize them. That’s where the dark web marketplace comes in.
Combo lists move through three main channels.
Telegram channels have become the primary distribution method on dark web markets. Criminals run private channels where they post fresh lists daily. Some channels are free to build reputation. Others charge for access to premium content.
Cybercrime forums remain active marketplaces. Sellers post samples to prove quality, then negotiate prices for full lists. Reputation systems help buyers identify reliable sellers.
Subscription services offer ongoing access. For roughly $20 per month, buyers get continuous access to new credentials as they’re harvested. Lifetime access packages run up to $400.
Pricing depends on freshness and completeness. Fresh credentials cost more than aged ones. Validated credentials (confirmed working) command premium prices. Full stealer logs with session cookies and browser data sell for more, while bulk combo lists from old breaches go cheaply to amateurs running high-volume attacks.
Several massive combolist breaches have shaped the credential theft landscape. Here’s what you need to know about each one.
The Collection series remains the largest credential dump ever publicly released. Collection #1 alone contained 773 million unique email addresses and 21 million unique passwords. The full Collection #1-5 series totaled over 2.2 billion credentials.
Security researcher Troy Hunt analyzed Collection #1 and found credentials aggregated from thousands of different breaches spanning years of data theft. The credentials came from major sources like LinkedIn and Adobe alongside countless smaller breaches.
COMB combined 3.2 billion unique email and password pairs into a single searchable database. Posted on RaidForums in February 2021, it aggregated credentials from dozens of major services.
What made COMB dangerous wasn’t just its size. The compilation organized credentials into a standardized format, making bulk credential stuffing attacks trivially easy. Attackers could query the database by domain and instantly find every credential associated with a target company.
The Naz.API leak exposed 71 million unique credentials harvested primarily from infostealer malware rather than third-party breaches. This marked a shift in combolist composition.
Unlike older compilations built from breach data, Naz.API contained fresh credentials stolen directly from infected devices. The leak included credentials for major services alongside session cookies that could bypass MFA entirely.
Attackers also compile region-specific combo lists targeting particular countries or languages. These specialized lists command higher prices because they’re more effective for targeted attacks.
USA combo lists focus on American banking, healthcare, and corporate credentials. Russian combo lists target Russian-language services. Regional targeting increases credential stuffing success rates because victims in specific countries tend to use certain services.
Regional targeting is growing. Generic global dumps have given way to curated, targeted collections.
Detecting exposed credentials before attackers exploit them requires monitoring the same sources criminals use. Here’s how to build that into your security operations.
Enterprise dark web monitoring solutions scan criminal marketplaces and stealer log channels for your credentials in real-time. The key is monitoring sources where credentials appear before public disclosure.
Look for platforms that cover:
Consumer breach notification services only cover publicly disclosed breaches. By the time credentials hit those databases, attackers have had months to exploit them.
The fastest path from detection to remediation is automation. Integrate breach intelligence APIs directly with your identity provider to trigger automatic password resets when exposed credentials are detected.
Typical integration points include:
Manual review of every exposed credential doesn’t scale. Automate the routine cases so analysts can focus on high-risk exposures.
Credential stuffing attacks leave distinctive patterns in authentication logs. Correlate your logs with known combo list releases to identify credential stuffing attacks.
Watch for:
When you detect credentials in a new combo list, proactively search your authentication logs for suspicious activity on those accounts. Attackers often test credentials within days of obtaining them.
Track mean time to detection (MTTD) and mean time to remediation (MTTR) for exposed credentials. Set SLAs based on credential risk level.
Suggested response windows:
Credentials with session cookies require faster response since attackers can bypass MFA entirely. Prioritize these over password-only exposures.
Credential stuffing is the most common attack using combo lists.
Attackers use automated tools to systematically test username/password combinations against target sites. Tools like OpenBullet let criminals configure attacks and integrate with CAPTCHA-solving services. They rotate through proxy lists to avoid detection and rate limiting.
Account takeover (ATO) attacks represent another major use case.
Once valid credentials are identified, attackers typically:
What’s particularly dangerous is how attackers cross-reference multiple combo lists to build detailed profiles.
When they find a user’s credentials in several breaches, they can:
For businesses, the risk isn’t just to individual accounts.
A single compromised employee account can provide an entry point for broader network access.
This is especially true if the victim has privileged access or can initiate password resets for others.
There’s another risk most companies overlook. Combo list exposure often precedes ransomware attacks.
Research shows 54% of ransomware victims had their credentials exposed in stealer log marketplaces before the attack (KELA 2025 Cybersecurity Report). The window between credential theft and ransomware deployment is shrinking. Sometimes it’s under 48 hours. Criminals use stolen credentials to establish initial access, then deploy ransomware once inside.
This means detecting exposed credentials isn’t just about preventing account takeover. It’s an early warning system for ransomware.
To see what combo list attacks look like in practice, consider what happened to 23andMe.
In 2023, attackers used credentials from combo lists to access 14,000 23andMe accounts. The company didn’t require MFA, so stolen passwords worked without any additional verification.
But the damage went far beyond those 14,000 accounts. 23andMe’s DNA Relatives feature let users connect with genetic matches. Attackers used compromised accounts to access data on 6.9 million users through these connections.
The stolen data included personal details and health reports. Genetic data can’t be changed like a password. Once it’s exposed, it’s exposed forever.
23andMe didn’t detect the attack for five months. The company only investigated after an employee found the stolen data advertised for sale on Reddit.
The aftermath was severe. The UK fined 23andMe £2.31 million for failing to implement basic security measures. Lawsuits piled up. In March 2025, the company filed for bankruptcy.
One credential stuffing attack using passwords from combo lists destroyed a $6 billion company. For security teams, the 23andMe data breach is a case study in what happens when you don’t monitor for exposed credentials or enforce MFA.
Given these risks, what can your organization do to protect itself?
Here are effective strategies you can implement to protect your organization:
Breachsense continuously monitors dark web forums, marketplaces, and third-party breaches to detect exposed credentials in real-time.
The platform indexes credentials from new combo lists as they appear and alerts you when your monitored domains are found. Each alert includes contextual data about the breach source.
Through API integration with identity systems, SSO providers, and SIEM/SOAR platforms, you can automate response workflows including password resets and incident response playbooks.
Need to know if your organization’s credentials have been leaked?
Book a demo to see how Breachsense helps security teams identify and mitigate data breaches before criminals exploit them.
Start with a dark web scan to check your exposure. For ongoing protection, Breachsense monitors dark web forums and stealer log marketplaces in real-time to detect exposed corporate credentials. Basic services only cover publicly disclosed breaches and miss fresh stealer logs entirely.
Change the password immediately on the affected account and any other account where you used that password. Enable MFA if you haven’t already. Check for unauthorized activity on the account. If it’s a corporate account, notify your security team so they can investigate potential compromise and check for lateral movement.
Many combo lists contain plaintext passwords, not hashes. Infostealers grab credentials directly from browsers before any hashing occurs. For breaches that leak hashed passwords, cracking difficulty depends on the algorithm and whether it’s salted. Weak hashes like unsalted MD5 or SHA1 crack in seconds. Modern algorithms like bcrypt with proper salting take far longer, even for simple passwords.
A standard combo list contains email:password pairs. A ULP list includes the URL where the credentials were used (URL:Login:Password). ULP lists are more dangerous because attackers know exactly which site to target. Most modern combo lists from infostealers are ULPs since the malware captures the login URL along with the credentials.
MFA stops most credential stuffing attacks since attackers can’t complete the second factor. However, infostealers also capture session cookies and MFA tokens. If an attacker has a valid session cookie, they can bypass MFA entirely. This is why credential monitoring matters even with MFA enabled.
Fresh stealer logs hit dark web markets daily. Major combo list compilations appear every few months, often containing billions of credential pairs. Telegram channels dedicated to credential trading post new lists continuously, with some channels sharing thousands of fresh credentials per day.
The largest include Collection #1-5 (2.2 billion credentials) and COMB (3.2 billion credentials). More recently, Naz.API exposed 71 million fresh infostealer credentials with session cookies that bypass MFA. Collection #1-5 aggregated years of breach data while COMB organized credentials into a searchable database.
Digital Risk Protection Threat Intelligence Dark Web Monitoring Cybersecurity Platforms Security Tools
What Are the Best Digital Risk Protection Platforms? Platform Best For Key Strength Breachsense Security teams, …
Brand Protection Phishing Detection Dark Web Monitoring Counterfeit Protection Security Tools
What Are the Best Brand Protection Platforms? Brand protection software covers a wide range of threats. Some platforms …