A massive collection of username/email/password combinations has been compiled and sold on the dark web. This “combo list” is an extremely valuable tool for threat actors because it allows them to conduct credential-stuffing attacks.
Criminals load lists of breached credentials (like those from LinkedIn, MyFitnessPal or MySpace) into automated brute-forcing tools to test passwords on a targeted website or service. They can also use this data to impersonate employees, steal PII and execute targeted phishing attacks.
What is a Combo List?
A combo list is a text file that contains combinations of leaked usernames or email addresses and passwords. Cybercriminals assemble these lists from multiple data breaches and other security incidents, then sell or share them on the dark web. They can be used for brute-forcing attacks, which try username/password combinations until one works. This attack technique is effective because people use the same passwords across multiple sites and services. Once attackers have a list of stolen credentials, they can load it into automated tools that test them on thousands of websites and accounts until they find one that works. This is known as credential stuffing, and it creates various security risks for businesses. The passwords in a combo list are usually cracked hashes from previous breaches. Once they have been compiled, they can be loaded into brute-forcing programs and tried against hundreds of thousands of accounts or websites until a successful login is found. The latest combo list to make the rounds is the Anti-Public Combo List, compiled from various breaches and data leaks since 2017. According to researchers, this database is a collection of individual password dumps combined into a single file.
How Are Combo Lists Created?
The combination of username and password credentials, called a combo list, is the basis for many cyberattacks. A combo list is a collection of stolen usernames and passwords that malicious actors use to populate automated brute-forcing tools, which test credentials on websites and accounts en masse until they hit a match. Combo lists often include data from multiple breaches, in both cleartext and hashed form. They may be sorted by account type or industry and compiled from different data leaks to provide more comprehensive credentials. Attackers treat cybercrime as a business, optimizing their financial investment by purchasing combo lists that are more likely to yield success. For example, a combo list of compromised server usernames and passwords from a well-known website will have more value than a single breach. The recent leak of the Anti-Public combo list is a case in point. The list contains a combination of usernames and passwords from data breaches spanning several years. These include data from LinkedIn, MyFitnessPal, Last.fm, Adobe, Tumblr, RiverCityMedia and 000webhost. While defensive security measures like multi-factor authentication (MFA) can help protect an individual’s account from a brute-force attack, the truth is that most users don’t understand or follow best practices for password management. They recycle passwords between sites, reuse old ones and need to change them regularly. That makes it easy for hackers to purchase combo lists and use them against their victims.
What Are the Risks of Combo List Breaches?
A combo list is a consolidated file of stolen or leaked credentials from multiple breaches. This makes it easier for criminals to run credential-stuffing attacks because they only have to load the passwords into automated tools that test them against thousands of target websites or login applications until a match is found. The combination of passwords and PII in a combo list makes it ideal for spear phishing attacks, extortion crimes (blackmailing victims to send wire transfers), account takeovers and other malicious activities. People often use the same password across multiple websites and services, so if their accounts are exposed in a combo list, criminals can easily access other accounts they haven’t accessed before. Another risk of combo list breaches is that breached credentials can be used to bypass security measures such as multi-factor authentication (MFA). The MFA system verifies a person’s identity when they log in by comparing the device, location and other factors that are unique to that individual. MFA helps to mitigate the risks of combo list breaches by ensuring that only those with verified identities can access an account. Still, not all individuals are willing to use this method of protection. That’s why educating employees on the importance of using MFA and a password manager that automatically checks new and existing passwords against known breached databases, such as Scirge, is critical.
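One way a breached-password check like the one mentioned above can work without the password ever leaving the client is a hash-prefix range lookup. This is an added example, not Scirge's or any vendor's code: `RangeService`, `breach_count`, `allow_password` and the `LEAKED` corpus are hypothetical names with constructed data.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: leaked password -> times seen (not real breach data).
LEAKED = {"password": 120, "Summer2017!": 4, "qwerty123": 37}


def sha1_hex(password):
    # SHA-1 is used here only as a lookup key, never for storing passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeService:
    """Hypothetical lookup service: it only ever receives 5-character hash prefixes."""

    def __init__(self, leaked):
        self.buckets = defaultdict(dict)
        self.seen_prefixes = []  # everything the service operator could log
        for pw, count in leaked.items():
            digest = sha1_hex(pw)
            self.buckets[digest[:5]][digest[5:]] = count

    def lookup(self, prefix):
        self.seen_prefixes.append(prefix)
        return dict(self.buckets.get(prefix, {}))


def breach_count(password, service):
    """Client side: send the prefix, compare the remaining 35 characters locally."""
    digest = sha1_hex(password)
    candidates = service.lookup(digest[:5])
    return candidates.get(digest[5:], 0)


def allow_password(password, service):
    """Policy hook for signup or password change: reject anything seen in a breach."""
    return breach_count(password, service) == 0


if __name__ == "__main__":
    svc = RangeService(LEAKED)
    for candidate in ("password", "Summer2017!", "t7#Lq-unseen-example-9x"):
        print(candidate, "->", "ok" if allow_password(candidate, svc) else "rejected")
    print("prefixes seen by service:", svc.seen_prefixes)
```

Running the check at signup and on every password change keeps reused, already-leaked passwords out of the account database, which removes the matches a combo list depends on.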
How Can You Detect Combo List Breaches?
When attackers gather compromised username/email and password combinations in combo lists, they can use them to try and crack a system or website login. This is known as credential stuffing and is one of the most common system access methods. Organizations must stay ahead of their efforts as the cybercriminal community continues to find new ways to exploit compromised credentials. To do so, it’s essential to have a robust customer identity and access management (CIAM) platform with bot screening capabilities. Bot screening uses advanced machine learning to detect patterns and anomalies in suspicious activity, including when a user attempts to log into a website or account using leaked credentials.
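The pattern such screening looks for can be shown with a simple rule in place of machine learning: one source trying many different accounts in a short window, with almost all attempts failing. This is an added example, not code from any CIAM product; the event tuples are constructed, the IP addresses come from documentation ranges, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, source_ip, username, login_succeeded)
EVENTS = (
    # One source walking through a list: six accounts, one attempt each, one hit.
    [(1000 + 10 * i, "203.0.113.7", f"user{i}@example.com", i == 5) for i in range(6)]
    # A single user mistyping a password, then getting it right.
    + [(1000 + 5 * i, "198.51.100.20", "alice@example.com", i == 4) for i in range(5)]
    # An office NAT: many users, all logins succeed.
    + [(1000 + 20 * i, "192.0.2.50", f"staff{i}@example.com", True) for i in range(6)]
)


def detect_stuffing(events, window=300, min_users=5, min_fail_ratio=0.8):
    """Flag IPs that try >= min_users distinct accounts within `window` seconds
    while at least min_fail_ratio of those attempts fail."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = findings.get(ip, {"users": 0, "at_risk": []})
                hits = {u for _, u, ok in win if ok}  # logins that worked mid-attack
                findings[ip] = {
                    "users": max(prev["users"], len(users)),
                    "at_risk": sorted(set(prev["at_risk"]) | hits),
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(EVENTS).items():
        print(ip, "distinct accounts:", info["users"], "reset:", info["at_risk"])
```

The `at_risk` list matters most for response: those accounts accepted a login from the flagged source, so they need a forced password reset and session revocation.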
It’s impossible to keep track of all the data breaches happening across the globe. Thankfully, some people dedicate time to tracking large-scale breaches. Combo lists are created by combining multiple sets of usernames/passwords obtained from previous data breaches. These combined lists are then sold on the dark web to malicious actors. When threat actors use these combo lists for brute-forcing attacks, they increase the likelihood of success because users often reuse passwords across websites and services.