What is a "combolist," and how does credential stuffing exploit it?
A combolist is a compiled file of leaked email/username + password pairs; attackers use it for credential stuffing — automatically trying those pairs on many other sites, exploiting password reuse.
* Credential stuffing: combolist to bot to account takeover where passwords are reused. *
Combolists are the merged output of many separate breaches. A notorious example, "Collection #1" (January 2019), contained roughly 1.2 billion unique credential records aggregated from countless leaks.
The attack — credential stuffing:
- Attacker loads a combolist into an automated tool.
- The tool tries each
email:passwordpair against hundreds of other services (banking, email, shopping). - Wherever a person reused that password, the attacker gets in — no "hacking" of the new site required.
This is why one old breach can compromise accounts everywhere: the weak link is password reuse, not the strength of any single password.
How to check and protect yourself:
- Check exposure: haveibeenpwned.com, the HPI Identity Leak Checker (Hasso-Plattner-Institut), or similar services tell you which breaches include your address.
- Defend: a unique password per service (via a password manager) means a leak of one never unlocks the others; two-factor authentication blocks stuffing even when the password is known.
Tip: Credential stuffing succeeds at scale because a small percentage of reused passwords across a billion records is still millions of accounts. Unique passwords break the entire economic model of the attack.
Go deeper:
Credential stuffing (Wikipedia) — the attack, password reuse, and the ~2% success rate at scale.