What Is A Password Combo List?
A password combo list is a file, usually in plain text, that contains combinations of usernames or email addresses paired with passwords. These lists are compiled by cybercriminals using data leaked from multiple security breaches. The more breaches they pull from, the more valuable the combo list becomes, as it aggregates a large number of compromised credentials across various platforms.
Do note that there is no universal format for combo lists. Some may include cleartext passwords, while others contain hashed versions. They are often sorted by region, industry, or top-level domain (e.g., .com, .edu).
The term “combo” refers to the combination of login details, making these lists a key tool for attacks like credential stuffing and account takeover.
Note: as of 2025, the main raw material for combolists is no longer database dumps but stealer logs and ULP (URL:login:password) files, the output of infostealer malware running on infected endpoints.
The old funnel was simple: site hacked → database stolen → records normalized into a combolist. The modern funnel is endpoint-first: a user's device gets infected, the stealer scrapes browser password vaults, cookies, and autofill data, packages the take into logs and ULP files, and those credentials are rolled into new combolists, often the same day. Today's combolists are therefore primarily aggregated from stealer logs and ULP files, with database leaks now just one of several inputs. Because a ULP record carries the exact login URL next to the credential, it also tells the attacker where the pair is already known to work, which removes much of the guesswork of classic credential stuffing.
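Because there is no universal format, the first thing a defender (or an attacker) does with one of these files is normalize it. The following is an added example, not Group-IB tooling or any real list: it parses classic `email:password` combolist lines and `url:login:password` ULP lines into one record type, handling the separators and edge cases that break naive split-on-colon parsing (a URL that itself contains `://` and a port, a password that contains the separator), and then filters the records for watched e-mail domains, the kind of check the threat-intelligence section below describes. The sample lines, domains and addresses are constructed for illustration.

```python
"""Normalize combolist / ULP lines into (url, login, password) records.

Added example; the sample lines below are constructed, not from any real leak.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SEPARATORS = (":", ";", "|", "\t")
# A ULP line starts with the login URL. Host may carry a port (':8443'), so the
# regex consumes "scheme://host[:port]path" before we look for the field separator.
URL_RE = re.compile(r"^(?:https?|android|ftp)://[^\s:;|]+(?::\d+)?[^\s:;|]*", re.IGNORECASE)


@dataclass(frozen=True)
class Credential:
    url: Optional[str]   # None for classic email:password lines
    login: str
    password: str


def _earliest_separator(s: str) -> Optional[str]:
    """Pick whichever separator character occurs first; ':' inside a password
    must not win over a ';' that precedes it."""
    found = [(s.index(c), c) for c in SEPARATORS if c in s]
    return min(found)[1] if found else None


def parse_line(line: str) -> Optional[Credential]:
    """Return a Credential, or None for blank, comment or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    url, rest = None, line
    m = URL_RE.match(line)
    if m:
        url = m.group(0)
        rest = line[m.end():]
        if not rest or rest[0] not in SEPARATORS:
            return None
        sep, rest = rest[0], rest[1:]      # ULP: separator is whatever follows the URL
    else:
        sep = _earliest_separator(rest)
        if sep is None:
            return None
    login, _, password = rest.partition(sep)   # split once: the password may contain sep
    login, password = login.strip(), password.strip()
    if not login or not password:
        return None
    return Credential(url, login, password)


def parse_text(text: str) -> List[Credential]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c is not None]


def hits_for_domains(creds: Iterable[Credential], watched: Iterable[str]) -> List[Credential]:
    """Records whose login is an e-mail address on one of the watched domains."""
    watched_set = {d.lower() for d in watched}
    return [c for c in creds
            if "@" in c.login and c.login.rsplit("@", 1)[1].lower() in watched_set]


# Constructed sample: two ULP lines, two combolist lines with different
# separators, and one line of junk. Not real credentials.
SAMPLE = """\
https://sso.example.com/login:alice@example.com:Summer2024!
https://mail.example.org:8443/owa:bob@example.org:pa:ss:word
carol@example.com;Winter;2023
dave@example.net\tCorrectHorse
malformed line without separator
"""

if __name__ == "__main__":
    records = parse_text(SAMPLE)
    for c in records:
        print(c)
    print("watched-domain hits:", [c.login for c in hits_for_domains(records, {"example.com"})])
```

The partition-once rule is the important detail: splitting on every separator would turn `pa:ss:word` into three fields and silently corrupt the record, and corrupted records are exactly what produce false "no match" results when you later test whether your users' leaked passwords are still valid.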
Some Password Combolist Examples
1. Collection #1 (and Collections #2–5)
Discovered in January 2019, what's known as Collection #1 contained approximately 2.7 billion email/password rows, with about 773 million unique email addresses and 21 million unique plaintext passwords. It was the first of a broader set; Collections #2–5, which surfaced shortly afterwards, were considerably larger.
2. Exploit.In
First seen in late 2016, the Exploit.In combo list included around 593 million unique email addresses paired with passwords from various breaches. It was widely circulated and used in credential stuffing campaigns.
3. Anti Public Combo List
Surfacing in December 2016, this combo list contained roughly 458 million unique email/password pairs aggregated from multiple leaks and was commonly used for credential stuffing attacks.
4. COMB (Compilation of Many Breaches)
Published in February 2021 and reported to contain over 3.2 billion email/password combinations, COMB is one of the most extensive compilations of breached credentials ever assembled. It is not a new breach but an aggregation of many prior ones.
How Do Attackers Use Password Combolists In Brute-Force Campaigns?
A classic brute-force attack guesses a user's password by trying many candidates against one account, from common passwords to predictable PIN codes. Done by hand, without specialized tools or scripts, it is slow but still sometimes succeeds against weak or reused passwords. Combo lists change the economics: instead of guessing, the attacker replays username/password pairs that are already known to be valid somewhere, at machine speed, a technique known as credential stuffing. A typical campaign runs as follows.
Step 1: Combo List Collection or Purchase
Attackers start by getting their hands on a combo list, a simple text file filled with stolen email and password pairs, often millions at a time. These lists can come from:
- Previous data breaches (e.g., LinkedIn, Dropbox, Adobe)
- Publicly available leak databases
- Underground forums or Telegram channels
In 2019, the Collection #1 compilation exposed roughly 773 million unique email addresses and 21 million unique passwords. The list was widely used in automated credential stuffing campaigns against e-commerce and streaming platforms.
Step 2: Automating the Attack with Credential Stuffing Tools
Manually trying thousands of login credentials would take forever. That’s where automation tools come in. Attackers feed the combo list into specialized software like:
- Sentry MBA – One of the oldest and most popular credential stuffing tools.
- OpenBullet – Highly customizable, widely used for targeting web apps.
- Storm – Focused on speed and stealth.
- Snipr – Designed for high-volume testing with advanced configuration options.
These tools allow attackers to:
- Blast thousands of login attempts per minute at a single service.
- Rotate through proxies to avoid detection or IP bans.
- Mimic real browsers or mobile logins to evade bot detection systems.
Attackers often develop or buy custom configuration files ("configs") tailored to specific websites, like Amazon, Office 365, or Shopify. A config encodes the exact form field names, the login flow (tokens, redirects, pre-login requests), and the response patterns that distinguish a successful login from a failure, a lockout, or a CAPTCHA challenge, so the tool can classify every attempt automatically and its traffic resembles legitimate use.
Step 3: Target Selection
The success of a brute-force campaign depends heavily on choosing the right kind of target. Attackers prioritize:
- Popular consumer services like Netflix, PayPal, and Amazon, where accounts hold real value (subscriptions, gift cards, stored payment info).
- Corporate platforms such as Office 365, VPNs, or CRM tools, which can serve as gateways into enterprise networks.
- Gaming and streaming platforms like Steam, Epic Games, and PlayStation Network.
- Banking, trading, and fintech apps, where even a single login can lead to financial theft.
They’re especially drawn to platforms with:
- Weak login protections, like missing CAPTCHA or absent or slow rate limiting.
- No multi-factor authentication (MFA), which makes credential stuffing dramatically easier.
For example, after the RockYou2021 wordlist (8.4 billion password entries, without associated usernames) circulated, attackers reportedly used its most common entries to spray Office 365 portals, counting on users who reused passwords from other breached sites.
Step 4: Account Takeover (ATO)
When a credential match works, the attacker successfully takes over the account. What happens next depends on the account type:
- For consumers, it may lead to the theft of credit card info, loyalty points, personal photos, or private conversations.
- For corporate accounts, it could result in privilege escalation, lateral movement across systems, or even launching phishing attacks from trusted email addresses.
In 2022, attackers used stolen third-party credentials to breach a company’s Microsoft 365 email. They sent fake invoices to clients from the CEO’s real address, leading to a six-figure business email compromise (BEC).
Step 5: Monetization and Secondary Exploits
Attackers rarely stop at just getting access. Once inside, they find ways to monetize the compromise:
- Draining bank or crypto wallets tied to the account.
- Selling retail, streaming, or gaming logins on underground marketplaces such as RussianMarket or, until its seizure by law enforcement in April 2023, Genesis, often for less than $2 per account.
- Using corporate access for internal sabotage, espionage, or further infiltration.
- Launching phishing or malware campaigns from trusted accounts.
Many dark web vendors now sell “verified combos”, where the credentials have been tested and confirmed to work. These often come with screenshots of successful logins to boost credibility.
Step 6: Refinement and Reuse
Even if only 1–2% of a combo list works, that’s still thousands of valid logins. Attackers:
- Save the successful “hits” to create premium lists for resale or future use.
- Analyze user patterns to guess password variants (e.g., “Summer2023!” → “Summer2024!”, “Password1” → “Password123”).
- Try those same credentials on other services, like using a Netflix login on Gmail or PayPal, and see if the user reuses the same password everywhere.
This becomes a recycling loop where stolen data fuels more attacks, more logins, and more potential breaches.
How to Mitigate Brute-Force Attacks Using Password Combo Lists
Brute-force and credential stuffing attacks powered by password combo lists are fast, scalable, and highly automated, and they are among the most common initial access paths used by cybercriminals today. But while these attacks rely on speed and volume, they can be stopped with the right combination of technical defenses, user hygiene, and threat intelligence.
Here’s how organizations can defend against them:
1. Enforce Strong, Unique Password Policies
Weak, short, or reused passwords make brute-force attacks easy wins. Start with policies that:
- Require long passwords (12+ characters). Length matters more than forced character-class mixes; NIST SP 800-63B now advises against mandatory composition rules and periodic rotation because both push users toward predictable patterns such as "Summer2024!".
- Ban known leaked or common passwords using real-time checks at set and reset time. Tools like Have I Been Pwned's Pwned Passwords API or Microsoft Entra (formerly Azure AD) Password Protection can block known breached strings.
- Encourage the use of password managers (e.g., Bitwarden, 1Password, Dashlane) to generate and store complex credentials.
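As an added example (not Group-IB's or Have I Been Pwned's code), the block below shows what a password-set check built on these policies looks like: a k-anonymity lookup against the Pwned Passwords range API, in which only the first five hex characters of the SHA-1 leave your host and the response is scanned locally for the remaining 35, plus a canonicalization step that rejects the trivial variants ("Summer2023!" → "Summer2024!", "Password1" → "P@ssw0rd123") attackers derive from a user's previously leaked password. The range responses are constructed in-process from a small list of "breached" passwords so the example runs offline; in production the `fetch_range` callable would perform an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`. The breach counts, the breached passwords and the leet-speak table are assumptions made for illustration.

```python
"""Breached-password and trivial-variant checks for a password-change flow.

Added example; range responses are constructed locally, not fetched from HIBP.
"""
import hashlib
import re
from typing import Callable, Dict, Iterable, List


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """A range response is one 'SUFFIX:COUNT' line per hash sharing the prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in breach data (0 if unseen).

    k-anonymity: only the 5-char prefix is sent; the API never sees the full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Assumed leet-speak table; extend to taste.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def canonical(password: str) -> str:
    """Strip the bolt-on prefix/suffix (years, '!', '123'), undo leet-speak, lowercase."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def is_trivial_variant(candidate: str, known_bad: str) -> bool:
    a, b = canonical(candidate), canonical(known_bad)
    return bool(a) and a == b          # empty canonical form (all digits) never matches


def evaluate_new_password(password: str, fetch_range: Callable[[str], str],
                          previously_leaked: Iterable[str] = (), min_length: int = 12) -> str:
    """Policy decision for a proposed password: 'ok' or the reason it is rejected."""
    if len(password) < min_length:
        return "too_short"
    if pwned_count(password, fetch_range) > 0:
        return "known_breached"
    if any(is_trivial_variant(password, old) for old in previously_leaked):
        return "variant_of_leaked"
    return "ok"


def build_sample_ranges(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the API: buckets the given passwords by SHA-1 prefix."""
    buckets: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        d = sha1_hex(pw)
        buckets.setdefault(d[:5], []).append(f"{d[5:]}:{count}")

    def fetch(prefix: str) -> str:
        # a real range holds hundreds of unrelated suffixes; one filler line mimics that
        return "\n".join(buckets.get(prefix, []) + ["0123456789ABCDEF0123456789ABCDEF012:1"]) + "\n"
    return fetch


# Constructed sample data: counts are illustrative, not HIBP's real figures.
SAMPLE_FETCH = build_sample_ranges({"password": 3700000, "Summer2023!": 1200, "qwerty123456": 90000})

if __name__ == "__main__":
    for pw in ["password", "qwerty123456", "Summer2024!!!", "correct-horse-battery-staple"]:
        print(pw, "->", evaluate_new_password(pw, SAMPLE_FETCH, previously_leaked=["Summer2023!"]))
```

The variant check assumes you hold the user's previously leaked password in cleartext, which is exactly what a stealer log or ULP hit from dark web monitoring gives you; store only its canonical form if retaining the original is unacceptable.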
2. Enable Multi-Factor Authentication (MFA)
MFA is one of the simplest, most effective defenses against brute-force and credential stuffing. Even if attackers get your password from a combo list, they can’t log in without a second authentication step.
- Prefer app-based MFA (e.g., Microsoft Authenticator, Google Authenticator) over SMS, which is vulnerable to SIM swapping and interception; pair push-based prompts with number matching so that a combolist hit cannot be turned into a login by MFA-fatigue spam.
- For highly sensitive systems, use phishing-resistant FIDO2/WebAuthn security keys (YubiKey and similar hardware devices), which bind the second factor to the genuine site's origin.
Group-IB Recommendation: Deploy MFA, especially on external-facing logins like VPN, email gateways, and SaaS platforms, which are often the first targets of combo list attacks.
3. Monitor for Unusual Login Behavior
Brute-force and credential stuffing attacks leave behind noisy footprints; you just have to listen. Look for:
- Many distinct usernames attempted from a single IP address or ASN in a short window, each typically tried only once (the signature of a combo list being replayed)
- Login attempts for one account from multiple IPs or geographies in a short time
- Repeated logins from known proxy/VPN exit nodes
- High failure-to-success login ratios during short bursts
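To make those signals concrete, the following is an added example (not Group-IB's detection content) that runs the three rules over a constructed authentication log: per-source-address tumbling windows flag an address that tries many distinct usernames with almost no successes, per-account windows flag one account reached from several addresses, and successful logins from a watched proxy list are surfaced separately. The log line format, the thresholds, the IP addresses (RFC 5737 documentation ranges) and the proxy list are all assumptions; adapt the regex to your IdP's export.

```python
"""Credential stuffing indicators over an auth log. Added example; all data constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed log format: "<iso-timestamp> src=<ip> user=<login> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

Event = Tuple[datetime, str, str, bool]   # (timestamp, source ip, user, success)


def parse(lines) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # unparseable lines are skipped, not fatal
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"].lower(), m["result"] == "OK"))
    return sorted(events)


def analyze(lines, window_seconds: int = 60, min_attempts: int = 10, min_users: int = 10,
            max_success_ratio: float = 0.2, multi_ip_threshold: int = 3,
            proxy_ips: FrozenSet[str] = frozenset()) -> List[tuple]:
    """Return (alert_type, subject, details) tuples."""
    events = parse(lines)
    by_ip_window: Dict[Tuple[str, int], List[Tuple[str, bool]]] = defaultdict(list)
    by_user_window: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for ts, ip, user, ok in events:
        w = int(ts.timestamp()) // window_seconds      # tumbling window id
        by_ip_window[(ip, w)].append((user, ok))
        by_user_window[(user, w)].add(ip)

    alerts: List[tuple] = []
    # Rule 1: one source, many distinct users, almost all failures = list replay.
    for (ip, _w), evs in by_ip_window.items():
        attempts, users = len(evs), {u for u, _ in evs}
        successes = sum(1 for _, ok in evs if ok)
        if attempts >= min_attempts and len(users) >= min_users and successes / attempts <= max_success_ratio:
            alerts.append(("credential_stuffing", ip,
                           {"attempts": attempts, "distinct_users": len(users),
                            "hits": sorted(u for u, ok in evs if ok)}))   # the accounts now compromised
    # Rule 2: one account, several sources in one window.
    for (user, _w), ips in by_user_window.items():
        if len(ips) >= multi_ip_threshold:
            alerts.append(("multi_ip_user", user, {"ips": sorted(ips)}))
    # Rule 3: any success from a known proxy/VPN exit node.
    for _ts, ip, user, ok in events:
        if ok and ip in proxy_ips:
            alerts.append(("proxy_login", user, {"ip": ip}))
    return alerts


# Constructed proxy/VPN exit list; a real one comes from your threat-intel feed.
PROXY_EXIT_IPS = frozenset({"203.0.113.5", "192.0.2.77"})


def make_sample_log() -> List[str]:
    """Constructed log: a replay from one address, a human typo, and one shared account."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):                                # 30 users in 30 s, one password hit
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=203.0.113.5 "
                     f"user=user{i:02d}@example.com result={result}")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} src=198.51.100.7 user=bob@example.com result=FAIL")
    lines.append(f"{(base + timedelta(seconds=19)).isoformat()} src=198.51.100.7 user=bob@example.com result=OK")
    for j, ip in enumerate(["198.51.100.20", "192.0.2.77", "198.51.100.99"]):
        lines.append(f"{(base + timedelta(seconds=40 + j)).isoformat()} src={ip} user=carol@example.com result=OK")
    return lines


if __name__ == "__main__":
    for alert in analyze(make_sample_log(), proxy_ips=PROXY_EXIT_IPS):
        print(alert)
```

Tumbling windows keep the example short; a production detector would use sliding windows and aggregate by ASN as well as by IP, because the proxy rotation described in Step 2 is specifically designed to keep any single address below per-IP thresholds.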
4. Use Threat Intelligence to Detect Combo List Activity
Attackers share combo lists openly on forums, marketplaces, Telegram groups, and private channels. Group-IB’s Threat Intelligence & Dark Web Monitoring services track:
- When your organization’s email domains appear in leaked credential lists
- Early indicators of targeted brute-force or credential stuffing campaigns
- TTPs (Tactics, Techniques, and Procedures) used by specific adversaries
How Can Group-IB Help?
When it comes to credential leaks, speed is tempting, but chasing every shiny combolist or neatly packaged ULP file is a trap. Those lists might look polished, but they often hide the real story: where the breach began. If you don’t find that starting point, you’re just playing whack-a-mole while the leak pipeline keeps flowing.
The real win is in tracking the compromise back to its source, understanding exactly which system, application, or process was exploited, and shutting that door for good. That means digging deeper, cross-checking intel, and validating every lead before acting.
With Group-IB’s strength in source attribution, dark web monitoring, and breach investigation, security teams can move beyond reacting to leaks and start dismantling the infrastructure that fuels them.
Get on a call with us to learn more.
