
How Data Breaches turn into combo lists and why they’re a hacker’s goldmine


A #DataBreach occurs when (cyber) criminals infiltrate a company's data storage and extract sensitive information. This information can range from names, addresses, and phone numbers to more critical data like usernames, passwords, and credit card details, often referred to as Personally Identifiable Information #PII. The stolen data is often sold on the dark web, but it doesn't stop there.


When multiple data breaches occur, hackers compile the stolen credentials into what is known as a #ComboList. These lists combine usernames and passwords from various breaches, creating extensive databases of login credentials. Here’s how this process typically works:


Collection: Hackers gather data from numerous breaches. This data can be acquired through purchasing on dark web forums or by directly infiltrating databases themselves.

Compilation: They then clean and organise the data, removing duplicates and validating the credentials. This compilation process results in a list that contains unique and often accurate username-password pairs.


Distribution: These combo lists are then distributed through hacker forums, sold to other criminals, or used for further attacks.



Why Are Combo Lists Valuable to Hackers?


Combo lists are a treasure trove for hackers for several reasons:


#CredentialStuffing: Hackers use these lists for credential stuffing attacks, where they input the stolen usernames and passwords into various websites to gain unauthorised access. Since many people reuse passwords across different sites, these attacks can be alarmingly effective.

Efficiency: The pre-compiled nature of combo lists saves hackers time. They don't need to spend effort gathering and sorting through raw data; they can directly use the lists for attacks.

Scalability: With automated tools, hackers can test thousands of credentials in a short period, increasing the likelihood of successful breaches.
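As an added, defender-side example (not part of the original article): the scale described above is also what makes credential stuffing detectable. A combo-list replay produces login attempts across many different usernames from one source in a short time, unlike a user mistyping the password for one account. The Python script below runs over constructed sample log lines in an assumed format and flags any source address that tries at least five distinct usernames within a one-minute window.

```python
# Flags credential-stuffing-like activity in authentication logs. A combo-list
# replay produces attempts across many DIFFERENT usernames from one source in
# a short window, unlike a user mistyping one account's password.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> auth <OK|FAIL> user=<name> ip=<addr>", in time order.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 auth FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:02 auth FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:03 auth FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:03 auth OK user=erin ip=203.0.113.5
2024-05-01T10:00:04 auth FAIL user=frank ip=203.0.113.5
2024-05-01T10:00:10 auth FAIL user=alice ip=198.51.100.7
2024-05-01T10:00:12 auth FAIL user=alice ip=198.51.100.7
2024-05-01T10:00:15 auth OK user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_stuffing_sources(log_text, window=timedelta(seconds=60), min_users=5):
    """Return {ip: set of usernames} for sources that tried at least `min_users`
    distinct accounts within `window`. Successes are counted too: a stuffing run
    occasionally hits a reused password, and those are the attempts to chase."""
    recent = defaultdict(deque)  # ip -> recent (timestamp, user) pairs
    flagged = {}
    for ts, _result, user, ip in parse(log_text):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[ip] = users
    return flagged
```

On the sample above only 203.0.113.5 is flagged: it cycles through six accounts in four seconds, while 198.51.100.7 is a single user retrying their own password.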



Protecting Yourself: The Importance of Data Breach Monitoring and 2-Step Verification


One of the most effective ways to protect yourself is by registering with a data breach monitoring service. These services continuously scan the dark web and other sources for your information. When your data appears in a breach, you'll receive an alert, allowing you to take immediate action, such as changing your passwords. Popular services include #HaveIBeenPwned, a free service that lets you check whether your email address or phone number has appeared in a known breach.


Another critical step in safeguarding your accounts is enabling two-step verification #2SV, also known as two-factor authentication #2FA or multi-factor authentication #MFA. Here’s why it’s essential:


Additional Layer of Security: Even if a hacker obtains your password, they cannot access your account without the second verification step, typically a code sent to your phone or email.

Protection Against Credential Stuffing: 2SV thwarts #CredentialStuffing attacks since the hacker would need both the password and access to the second verification method.

Peace of Mind: Knowing that your accounts have an extra layer of security can reduce anxiety about breaches and potential unauthorised access.


After a data breach that you are involved in, sadly, expect scams by email known as #Phishing and scams by text known as #Smishing. If you receive an unexpected verification code by text, treat it as a sign that the password for that account has been compromised: someone has entered it correctly and only the second step has stopped them. Change that password, then change it on every other account where you have used the same one, and never use it again. Reusing passwords across accounts is known as #PasswordRecycling, and it is exactly what criminal hackers count on.


In the age of frequent data breaches, understanding how your data can be used against you is crucial. Combo lists make it easier for hackers to exploit stolen information, but you can defend yourself. Registering with data breach monitoring services and enabling two-step verification on all your accounts are practical steps that can significantly reduce the risk of falling victim to cyberattacks.


Stay informed, stay protected.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of the South East Cyber Resilience Centre is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect the most recent legislation, practice, or application to your circumstances. The South East Cyber Resilience Centre provides affordable services and Cyber Essential Partners if you need specific support. For specific questions please contact us at enquiries@secrc.police.uk.

The South East Cyber Resilience Centre does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. It is not responsible for the content of external internet sites that link to this site or which are linked from it.

© 2022 - 2024 The South East Cyber Resilience Centre

Registered in England & Wales, No. 13263448 
