Plot Twist: Combolists Are Still A Threat (2023)

  • May 17, 2023
  • Kyla Cardona
  • Combolist

Plot Twist: Combolists Are Still A Threat (1)

Combolists are often thought to contain a gratuitous amount of fake or engineered data, or otherwise ineffectual at their claimed purpose, and, thus, frequently disregarded by security researchers and defenders alike. However, initial research by SpyCloud suggests the way that new combolists are being generated may challenge those assumptions.

SpyCloud’s security researchers have discovered that some combolists have shockingly high validity rates, and many prove to have a significant match to credentials sourced from malware records.

What Is a Combolist?

Combolists are created when criminals compile lists of previously breached credentials for websites or applications. Targeted combolists may be tested by the creator using automated account checkers to “verify” them as being valid for a specific website or service. For most, the usefulness of combolists is found in credential stuffing attacks, where credentials from a data leak/breach on one service are used to attempt to log into other services (which can be a related or unrelated service).

History of Combolists

Combolists have a high percentage of duplicate records as they are commonly crafted from past data leaks or breaches. Sometimes their content may even be duplicates of other combolists themselves – duplicates of older breach data. However, we can’t completely discredit old passwords. When people use old passwords or variants of them, it makes it that much easier for the criminal to execute account takeovers, especially with massive combolists that were published years prior and with websites or services that lack multi-factor authentication protection.

In the past, collections of combolists containing billions of email addresses and passwords have been shared via the hosting service “MEGA,” which offers low-cost and free file storage. Additionally, in 2020, due to the migration of almost everything in the cloud, combolists-as-a-service (CaaS) became a subscription model for cybercriminals. With this service, buyers pay a monthly membership to access a vast array of stolen credentials. As such, they can be used in credential stuffing or account takeover attacks.

Plot Twist: Combolists Are Still A Threat (2)
Plot Twist: Combolists Are Still A Threat (3)
Plot Twist: Combolists Are Still A Threat (4)
Plot Twist: Combolists Are Still A Threat (5)



Validity of Combolists

From a security standpoint, combolists were usually not highly sought after. They’ve been more of an afterthought with, at best, questionable credibility. Not only do they have high levels of duplicate records, but they also have a low percentage of validity, potentially due in part to shoddy, incomplete, or completely missing validation protocols on the part of the maker or seller. The validity of combolists can be determined by the source they came from. SpyCloud researchers hypothesized that a significant contributor to validity would be stealer logs, acquired from malware running on infected devices. Malware can be very stealthy and generate stealer logs, which include critical data for executing cybercrime, such as the login credentials, device and cookies, auto-fill data, extensive information about the device/OS and so much more that is exfiltrated directly from the infected machine. Therefore, combolists are evidently valid if they are made from these stealer logs, which can be seen in their quantifiable collision rate, or match rate (which shows a percentage of (exact) matching data from one set to another log) to the various types of stealer logs.

The following screenshots represent combolist posts from actors alongside SpyCloud’s analysis of match rates to stealer logs in our database:

Plot Twist: Combolists Are Still A Threat (8)

Plot Twist: Combolists Are Still A Threat (9)

Threat actor HqComboSpace from BreachedForums posts 884K HQ Crypto Target Combolist with a low 1.3% match to stealer logs

Plot Twist: Combolists Are Still A Threat (10)

Plot Twist: Combolists Are Still A Threat (11)

Threat actor nestor from BreachedForums posts 100k Email:Pass Combolist with a low 1.5% match to stealer logs

Plot Twist: Combolists Are Still A Threat (12)

Plot Twist: Combolists Are Still A Threat (13)

Threat actor NoDebt from NulledForums posts 450k Combolist with also a low 1% match to stealer logs

Combolist Correlation to Stealer Logs

SpyCloud security researchers have begun discovering increased data repetition between stealer logs and combolists. This redundancy significantly increases the danger of combolists because stealer logs are not the typical data leak or breach that you see publicly disclosed by a company. Instead, stealer logs come from infostealer malware, which can be installed on a victim’s device without their awareness. Infostealers extract a variety of authentication information from infected computers which often includes usernames, email addresses, passwords, browser cookies, and autofill data. Our research shows a percentage of 5%-98% match of stealer logs in combolists ranging from 2,000 credentials all the way to 44 million credentials.

Threats of Valid Combolists

Combolists have never been the main weapon in a cybercriminals’ arsenal. Combolists have been around for a long time, but utilizing stealer log data to craft them is the up-and-coming way for cybercriminals to not only monetize the stolen data, but also use them in credential stuffing, account takeover or other targeted campaigns. With this new combolist crafting method, they are more dangerous than ever before. Here are a few examples that explain why:

Plot Twist: Combolists Are Still A Threat (14)

Plot Twist: Combolists Are Still A Threat (15)

Threat actor from BreachedForums posts 100k Combolist Collected from logs with a high 98.5% match to stealer logs

Plot Twist: Combolists Are Still A Threat (16)

Plot Twist: Combolists Are Still A Threat (17)

Threat actor from BreachedForums posts 100k Fresh Email_Pass with a 93% match to stealer logs

Plot Twist: Combolists Are Still A Threat (18)

Plot Twist: Combolists Are Still A Threat (19)

Threat actor MegaCloud from BreachedForums posts a 50k Fresh Combolist with a 6.5% match to stealer logs

Plot Twist: Combolists Are Still A Threat (20)

Plot Twist: Combolists Are Still A Threat (21)

Threat actor from BreachedForums and Telegram posts 80k UHQ Combolist with a 22% match to stealer logs

Plot Twist: Combolists Are Still A Threat (22)

Plot Twist: Combolists Are Still A Threat (23)

Threat actor from BreachedForums posts 9k Combolist from RatLogs that has a 90% match to stealer logs

Plot Twist: Combolists Are Still A Threat (24)

Plot Twist: Combolists Are Still A Threat (25)

Threat actor from BreachedForums posts UHQ 316k Combolist that has a 88% match to stealer logs

Plot Twist: Combolists Are Still A Threat (26)

Plot Twist: Combolists Are Still A Threat (27)

Threat actor from NulledForums posts 72k Combolist with a 67% match to stealer logs

Combolists of the Future, Powered by Malware

Not all combolists are made the same, nor are they all valid. Combolists have long been an afterthought due to their questionable credibility, until recently. In the past, combolists were commonly generated by cybercriminals through past breaches and can even be fake, engineered data for the purpose of notoriety. Credentials from these sources are often old and invalid, especially if the company that has been breached has required their users to change their passwords.

Today, researchers from SpyCloud have noticed a new trend of combolists being generated from stealer logs. Such combolists have a tendency to be of high quality, as the credentials are harvested fresh out of stealer logs. Stealer log data comes from malware and seizes the latest, valid, and critical personal information directly from an infected machine’s browser and autofill data – the home of login credentials for a plethora of websites. Combolists generated from stealer logs are out there and they are now undeniably a threat. It’s an alarming plot twist, but one that shouldn’t surprise us. Criminals are always innovating – but it’s our job to keep pace, and this discovery could be the all-important denouement.

To learn more about the threat of combolists and see their impact on Fortune 1000 organizations, download the SpyCloud Fortune 1000 Identity Exposure Report 2023

Get the Report

Recent Posts

Plot Twist: Combolists Are Still A Threat

May 17, 2023

SpyCloud researchers break down the risk combolists provide to enterprises and security teams combating stolen credentials and how cybercriminals are still leveraging this age-old tactic.

Read More »

May 10, 2023

With the shift from passwords to passkeys, security posture stands a chance at optimization. But it’s still susceptible to compromise. We examine how.

Read More »

Cyberattacks in a Passwordless World – The Emergence of Session Hijacking

May 10, 2023

A passwordless world is not one without cyberattacks. Session hijacking is one example that defeats passkeys. We examine its growing popularity.

Read More »

Passwordless May Be The Future, But Is It a Cure-All?

May 10, 2023

Passwordless authentication feels like all the rage these days but it doesn’t come without its own challenges.

Read More »

Corporate Darknet Exposure on the Rise Due to Malware

May 8, 2023

The dark web is crawling with compromised credentials and cookies from the largest companies in the US and UK. We cover takeaways from our reports

Read More »

  • May 17, 2023
  • Kyla Cardona
  • Combolist

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

Check Your Exposure


How long does it take to unhash a password? ›

For simple passwords that contain only numbers or lowercase letters, the results were almost instant. Meanwhile, the same system would need 400 years to decode them if stronger hashing functions like bcrypt are in use. For a complex 12-character password, the duration Hive estimate is 14 billion years.

What does it mean if my password was found in a data breach? ›

If your password has been exposed in a data breach, you should immediately change the password on all affected accounts. Data breaches often occur as a means of obtaining sensitive information to commit further cybercrimes, such as identity theft or fraud.

What is combolist? ›

A combo list is a collection of compromised usernames and their associated passwords that malicious actors use to populate their automated brute-forcing tools. As with any large dataset, combo lists have more value when they aggregate more credentials, typically incorporating data from multiple breaches.

What to do if you have a password leak? ›

What To Do When Your Password is Leaked in a Data Breach
  • Limit Exposure to Risk. ...
  • Change the Password Immediately. ...
  • Change All Variations of a Compromised Password. ...
  • Get and Share Information About the Breach. ...
  • Enable Two-Factor Authentication. ...
  • Watch Account Activity and Check Credit Reports. ...
  • Freeze your credit.

Can you crack a password hash? ›

Hashcat is a powerful tool that helps to crack password hashes. Hashcat supports most hashing algorithms and can work with a variety of attack modes. To enforce security and protect hashes from attacks, use strong passwords and salts before hashing passwords.

Why can't you Unhash a password? ›

Because the hash function was designed by smart people to be hard to take the reverse of, they can't easily retrieve your password from it. An attacker's best bet is a bruteforce attack, where they try a bunch of passwords.

How do I know if I was part of a data breach? ›

When in doubt, contact the company directly. Obtain a copy of your credit report. Go to or call 1-877-322-8228 to get a free copy of your credit report. You can get one free copy of your report from each of the three credit bureaus once a year.

Is a data breach something to worry about? ›

If your personal information is exposed in a data breach, it's important to act quickly to secure your bank and credit card accounts and to take additional steps to prevent credit fraud.

Is Apple data leak warning real? ›

You will be warned about your passwords determined to possibly be in a data leak. Your actual passwords are never shared with Apple, and Apple does not store the information calculated from your passwords. You can disable this feature at any time by going to Settings > Passwords > Security Recommendations.

What is Combolist 3.2 B? ›

What is "Breach Combo List 3.2B" ? "COMB List 3.2B" is a compilation of many breaches. 3.2 billions loginid and password has been published in plain text format. It contains billions of login credentials from LinkedIn, Netflix, and many more from past breaches.

What is a combo email? ›

Combo is short for combination, so combo lists are lists containing combinations of usernames/emails and passwords. They are used for bruteforce attacks. The benefit compared to separate username and password lists is that combo lists are expected to contain a higher likelihood of success.

What is Brutus banks? ›

Bank of Brutus: An Ancient Coin Celebrating Julius Caesar's Assassination Just Sold for $3.5 Million.

Is a data leak serious? ›

The consequences for businesses and organizations can be very serious if they become the victim of a data breach. According to a 2021 report by IBM, the average cost of a data breach was more than 4.2 million USD. In other words, the financial damage caused by a data breach is significant.

Are compromised passwords serious? ›

When one of your passwords becomes compromised, it means people other than you potentially have access to your account. Compromised passwords are extremely dangerous, especially if you're someone who reuses passwords or variations of the same password across multiple accounts.

Why is my iPhone telling me my passwords have been compromised? ›

iPhone can monitor your passwords and alert you if they appear in known data leaks. Go to Settings > Passwords > Security Recommendations, then turn Detect Compromised Passwords on or off.

What is the most common password hash? ›

It's 123456, as hashed using a cryptographic protocol called MD5. The fact we know this hash corresponds to the world's most commonly used password should not be comforting, and it isn't, because MD5 has been cracked – the equivalent of thieves in heist films knowing exactly how to break open a safe.

What is the most secure password hash? ›

To the time of writing, SHA-256 is still the most secure hashing algorithm out there. It has never been reverse engineered and is used by many software organizations and institutions, including the U.S. government, to protect sensitive information.

What is the safest password hash? ›

To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.

What is salt for password? ›

Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.

What is salt hashing? ›

Hashing salting is essentially an additional step to keep passwords out of the hands of malicious hackers. It works rather simply, when a password is collected, salt is added to the password. This password is then hashed.

Can you reverse a salted hash? ›

In contrast, hashing cannot be reversed — it is essentially a form of one-way encryption. Salting is different, again, because it doesn't involve converting the original plaintext but simply complicates the text with additional characters.

Is my email on the dark web? ›

Check If Your Email Is on the Dark Web. You can use the free Identity Guard Dark Web scanner to see if your personal information has been leaked to the Dark Web. A Dark Web scanner searches the Dark Web for your email address and personal information. If it finds any activity related to you, you are alerted immediately ...

How do I know if I was part of the Equifax breach? ›

Equifax has created a website where you can find out if you have been affected by the breach. The website will ask you for the last six digits of your social security number and your last name, and then will tell you if you have been affected. You can also call 1-833-759-2982.

What information can be lost in data breach? ›

A data breach is an incident that exposes confidential or protected information. A data breach might involve the loss or theft of your Social Security number, bank account or credit card numbers, personal health information, passwords or email.

What are 4 consequences of data breach? ›

Data breaches can affect the brand's reputation and cause the company to lose customers. Breaches can damage and corrupt databases. Data breaches also can have legal and compliance consequences. Data breaches also can significantly impact individuals, causing loss of privacy and, in some cases, identity theft.

Can I sue for data breach? ›

Under data protection law, you are entitled to take your case to court to: enforce your rights under data protection law if you believe they have been breached. claim compensation for any damage caused by any organisation if they have broken data protection law, including any distress you may have suffered, or.

What type of crime is a data breach? ›

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill.

Does Apple send a warning about hackers? ›

While the message might seem convincing, it's merely a scam that's designed to swindle money from unsuspecting users, steal personal data, and spread malware. It's important to mention that Apple doesn't send security warnings and this alert is fake.

How do I know if my passwords are compromised? ›

If you use Chrome to sign in to websites, Google's Password Checkup tool can help you find and replace all your compromised, reused, and weak passwords associated with your account. To do this, go to Then select Go to Password Checkup > Check Passwords.

What is suspicious website warning Apple? ›

When Fraudulent Website Warning is enabled, Safari will display a warning if the website you are visiting is a suspected phishing website. Phishing is a fraudulent attempt to steal your personal data, such as user names, passwords, and other account information.

What is the biggest password leak ever? ›

Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker.

Does comb compilation include Netflix passwords? ›

February 2021: COMB Compilation Includes Netflix Passwords

In February 2021, the Compilation of Many Breaches, or COMB, was leaked to a hacker forum. This data leak included login credentials for over 3.2 billion accounts across multiple websites, including Netflix, LinkedIn, Gmail, and Yahoo.

What does compiled breach list mean? ›

This is a list of data breaches, using data compiled from various sources, including press reports, government news releases, and mainstream news articles. The list includes those involving the theft or compromise of 30,000 or more records, although many smaller breaches occur continually.

What is a stacked email? ›

Stacking Inbox is when you sort messages from your inbox into their respective action folders. It doesn't matter the order these sessions are done, just that they are both done to complete a full stack cycle. Keep regular sessions on your calendar for email management.

What is a double blind email? ›

What is a double-blind email distribution list? Usually, with double-blind, the intention is to provide an anonymization approach, where participants do not see each other's email addresses – yet still allowing them to communicate.

Can I open two emails with one number? ›

Gmail accounts per phone number

You can have up to four Gmail accounts verified with the same phone number. Even though some of us might need to exceed this limit, this is not possible due to security measures that help to keep the internet a safer environment.

What is the biggest bank hack? ›

The 10 Biggest Data Breaches in the Finance Sector
  1. First American Financial Corp Data Breach. Date: May 2019. ...
  2. Equifax Data Breach. Date: Sep 2017. ...
  3. Heartland Payment Systems Data Breach. Date: January 2008. ...
  4. Capital One Data Breach. Date: March 2019. ...
  5. JPMorgan Chase Data Breach. Date: October 2014. ...
  6. Experian. ...
  7. Block. ...
  8. Desjardins Group.

What is the largest bank hack in history? ›

One of the biggest hacks in history is the Equifax data breach that happened in 2017. Equifax, a credit reporting agency, had several security lapses that enabled attackers to access sensitive PII, date of birth, social security numbers, address, driver's license numbers, etc., of over 143 million customers.

What is the hack of Bank of America? ›

Hackers have released a database that allegedly contains account details of over 4 million Bank of America customers. The leaked data contains sensitive information such as account balances and card CVV codes.

Does data leak mean I was hacked personally? ›

While being a part of a data breach doesn't automatically mean your identity will be stolen, it does put you more at risk of becoming a victim of identity theft. The smartest way to protect yourself from these unsavory intruders is to make sure you're covered with identity theft protection.

Is a data leak a hack? ›

The key difference between a breach and a hack lies in the intent. A hack is the result of an intentional attack, while a breach is the result of an unintentional leak of information.

Has WhatsApp been breached? ›

What happened to WhatsApp Users' Data? In November 2022, personal data from 500 million WhatsApp users was reportedly leaked and sold online. This included phone numbers from a large database of users across 84 countries, with a reported 32 million in the US and 11 million in the UK.

What virus steal passwords? ›

Trojan. PasswordStealer may attempt to steal stored credentials, usernames and passwords and other personal and confidential information. This information may be transmitted to a destination specified by the author. Trojan.

Is it safe to give passwords over the phone? ›

When it comes to the secure communication of passwords, you have a few options. Communicate passwords verbally, either in person or over the phone. Communicate passwords through encrypted emails. Sending passwords via unencrypted emails is never recommended.

What happens when I delete compromised passwords? ›

That does absolutely nothing to protect any of the accounts using those passwords. You'll need to log into each site that uses a compromised password and change it to a new one (not used elsewhere).

How do I check if my Apple ID is being used by someone else? ›

Sign in to the Apple ID website ( and review all the personal and security information in your account to see if there is any information that someone else has added. If you have two-factor authentication turned on, review trusted devices for any devices that you don't recognize.

How long does it take to crack a password hack? ›

On average it only takes a hacker two seconds to crack an 11 – character password that only uses numbers. But if you throw in some upper and lower-case letters in there that number changes, taking the hacker 1 minute to hack into a seven-character password.

Can hashed passwords be recovered? ›

Recovering a password from a hash value is generally considered impossible, at least in practical terms, because a hash function is designed to be a one-way function, which means that it is not reversible.

How long does it take to hack a password with 7 or less letters? ›

On average, it takes a hacker about two seconds to crack an 11-character password that uses only numbers. Throw in some upper- and lower-case letters, and it will take a hacker one minute to hack into a seven-character password.

How long does it take to hack a 8 digit password? ›

The findings suggest that even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours by the average hacker.

What is the most difficult password to hack? ›

Never use common passwords like “123456,” “password,” or “qwerty.” Make sure your passwords are at least eight characters long. Passwords with more characters and symbols are more difficult to guess. Don't use common words or phrases in your passwords.

How long does it take a hacker to brute force your password in 2023? ›

Today, using the latest GPUs (RTX 4090) it takes just 59 minutes, but if cloud resources were used, the time taken to crack the password drops to just 19 minutes if using 8 x A100 GPUs from Amazon AWS, and 12 minutes if using 12.

How fast can a 10 character password be cracked? ›

How Long It Takes to Crack a Password with Brute Force Algorithm
8 characters password10 characters password
Lowercase letters onlyinstantlyinstantly
+ 1 uppercase letterhalf an hour1 month
+ 1 numberone hour6 years
+ 1 special symbolone day50 years

Can two passwords have same hash? ›

When hashing passwords, two passwords can produce the same hash, so if a user inputs someone else's username but his own password, there is a possibility that he will be able to login to that other account.

Can you retrieve original data from its hash value? ›

Hashing is One-Way

Hashing works in one direction only – for a given piece of data, you'll always get the same hash BUT you can't turn a hash back into its original data.

How many passwords can hackers guess per second? ›

Here is a quick guide to both

Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. There are 94 numbers, letters, and symbols on a standard keyboard. In total, they can generate around two hundred billion 8-character passwords.

Are longer passwords harder to hack? ›

Experts recommend using longer passwords when possible. The longer a password is, the more possible permutations it has, making it harder and harder for cybercriminals to crack.

How many people get hacked because of weak passwords? ›

30% of internet users have experienced a data breach due to a weak password. Two-thirds of Americans use the same password across multiple accounts. The most commonly used password is “123456.”

What tricks do hackers use to figure out a password? ›

  • Guessing weak passwords. One common way to crack a password is simply to guess it. ...
  • Dictionary and brute force attacks. ...
  • Phishing for passwords. ...
  • Malware on your computer. ...
  • Physical theft and spying (shoulder surfing) ...
  • Passwords leaked in data breaches.
Feb 27, 2023

How long does it take to detect a hack? ›

The response or containment time is the time it takes a company to restore services after a cyber incident is detected. Research from the cybersecurity company Deep Instinct suggests that it takes organizations more than two working days to detect and respond to a cyberattack.

How long does it take to hack a 4 digit PIN? ›

If a password is only four or five characters (whether they are just numbers or a combination of numbers, letters and symbols), there's a very high chance that it will be hacked instantly. However, if a password is only numbers and up to 18 characters, it could take a hacker up to nine months to crack the code.

Top Articles
Latest Posts
Article information

Author: Pres. Carey Rath

Last Updated: 21/11/2023

Views: 5833

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Pres. Carey Rath

Birthday: 1997-03-06

Address: 14955 Ledner Trail, East Rodrickfort, NE 85127-8369

Phone: +18682428114917

Job: National Technology Representative

Hobby: Sand art, Drama, Web surfing, Cycling, Brazilian jiu-jitsu, Leather crafting, Creative writing

Introduction: My name is Pres. Carey Rath, I am a faithful, funny, vast, joyous, lively, brave, glamorous person who loves writing and wants to share my knowledge and understanding with you.