LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is a "combolist," and how does credential stuffing exploit it?

A combolist is a compiled file of leaked email/username + password pairs; attackers use it for credential stuffing — automatically trying those pairs on many other sites, exploiting password reuse.

Breaches feed a combolist; a bot tries pairs across sites; password reuse leads to account takeover.

* Credential stuffing: combolist to bot to account takeover where passwords are reused. *

Combolists are the merged output of many separate breaches. A notorious example, "Collection #1" (January 2019), contained roughly 1.2 billion unique credential records aggregated from countless leaks.

The attack — credential stuffing:

  1. Attacker loads a combolist into an automated tool.
  2. The tool tries each email:password pair against hundreds of other services (banking, email, shopping).
  3. Wherever a person reused that password, the attacker gets in — no "hacking" of the new site required.

This is why one old breach can compromise accounts everywhere: the weak link is password reuse, not the strength of any single password.

How to check and protect yourself:

  • Check exposure: haveibeenpwned.com, the HPI Identity Leak Checker (Hasso-Plattner-Institut), or similar services tell you which breaches include your address.
  • Defend: a unique password per service (via a password manager) means a leak of one never unlocks the others; two-factor authentication blocks stuffing even when the password is known.

Tip: Credential stuffing succeeds at scale because a small percentage of reused passwords across a billion records is still millions of accounts. Unique passwords break the entire economic model of the attack.

Go deeper:

From Quiz: PRIVACY / Introduction to Privacy and Data Protection | Updated: Jul 05, 2026