Security Education
How stolen credentials are packaged and distributed
A combo list is a compilation of stolen usernames and passwords, typically formatted as simple text files with each line containing an email or username paired with a password. These lists are the raw material for credential stuffing attacks and represent the commoditized form of stolen identity data.
When databases are breached, the stolen data often includes user credentials. Attackers extract email addresses, usernames, and passwords (sometimes hashed, sometimes in plain text) and format them into standardized lists.
The most common format is email:password or username:password, with one credential pair per line. This simplicity makes combo lists easy to process with automated tools.
Individual breach dumps are often combined into larger compilations. The most infamous example is the "Collection #1-5" releases, which aggregated credentials from hundreds of breaches into massive databases containing billions of records.
These compilations are deduplicated, organized, and packaged for easy searching. Some include metadata about the original breach source, while others strip all context to maximize usability for attacks.
Combo lists are bought and sold on underground forums, Telegram channels, and dark web marketplaces. Fresh breaches command premium prices, while older or widely circulated lists are often shared freely.
Specialized sellers offer "private" combo lists that haven't been publicly circulated, promising higher success rates for credential stuffing. Others sell lists filtered by email domain, allowing targeted attacks against specific organizations.
Data in combo lists doesn't expire. A password leaked in 2015 might still work today if the user never changed it. Old breaches continue to have value because many people don't update credentials after exposure.
Even when passwords are changed, the associated data—email addresses, usernames, personal details—remains useful for social engineering and targeted attacks.
Modern combo lists often include more than just login credentials. Breaches frequently expose names, addresses, phone numbers, IP addresses, and security questions. This additional data enhances the value of each record.
Some compilations cross-reference data from multiple breaches to build comprehensive profiles. An attacker might combine your email from one breach, password from another, and phone number from a third.
Most breach checking services only tell you yes or no—your data was found or it wasn't. InfoDrain goes further by showing you the actual breach sources, when the data was exposed, and whether your credentials appear across multiple breaches.
Understanding where your data was leaked helps you assess real risk. A password from a defunct gaming forum matters less than one from your primary email service.
Your credentials may be circulating in combo lists right now. Search to see where your data appears and understand your exposure across different breaches.
Search Breach Database