
Credential Lists (Combo Lists)

Overview

Credential lists (often called "combo lists") are collections of username/email and password combinations compiled from various sources and shared among threat actors. These lists are specifically designed for credential stuffing attacks, where attackers attempt to use the same credentials across multiple services.

Characteristics

  • Origin: Typically compiled from multiple breaches, phishing campaigns, and malware
  • Format: Usually presented as simple username/email and password pairs
  • Purpose: Specifically created and formatted for automated credential stuffing attacks
  • Distribution: Actively traded and shared on dark web forums and marketplaces

Combo List Structure

Credential lists typically consist of:

  • Source Indicator: Sometimes includes the original breach source
  • Email/Username: The primary identifier
  • Password: Usually in plaintext format
  • Additional Context: May include associated services or domains

Data Example

Below is an example of what a combo list might look like:

Combo list example

Security Implications

Credential lists pose specific threats:

  • Cross-Platform Vulnerability: Enables attackers to try credentials across multiple services
  • Automated Attacks: Formatted specifically for use with credential stuffing tools
  • Password Reuse Exposure: Explicitly targets the common user behavior of password reuse
  • Ongoing Utility: Lists may be used in attacks months or years after initial compilation

API Access Methods

The NordStellar Dark Web API provides multiple ways to access credential list information:

Direct Lookups

  • Query for specific email addresses using the /email/{email-sha256}/credential-lists endpoint
  • Get detailed credential list information using the /data-source/credential-list/{id} endpoint

Bulk Operations

  • Check multiple email addresses in a single request using the /email/credential-lists (POST) endpoint
  • Retrieve information about multiple credential lists using the /data-source/credential-list (POST) endpoint

Domain-Wide Assessment

  • Use the /email/domain/{domain} endpoint to identify all email addresses from your domain in credential lists
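
The following is an added example, not NordStellar's own code. It shows how to prepare hashed lookups for the endpoints listed above and map hash-keyed results back to accounts. The base URL, the trim-and-lowercase normalization before hashing, the helper names, and the sample directory and "exposed" digests are all assumptions constructed for illustration; the page does not describe the host, authentication, or response format.

```python
import hashlib
from urllib.parse import quote

# Placeholder host: the page does not give the API base URL or auth scheme.
BASE_URL = "https://api.example.invalid"

def email_sha256(email: str) -> str:
    """Hex SHA-256 of an address. Trimming and lowercasing first is an
    assumption; confirm the expected normalization in the API reference."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def lookup_path(email: str) -> str:
    """Path for the direct lookup endpoint; only the digest leaves your network."""
    return f"/email/{email_sha256(email)}/credential-lists"

def domain_path(domain: str) -> str:
    """Path for the domain-wide assessment endpoint."""
    return f"/email/domain/{quote(domain.strip().lower(), safe='')}"

def build_index(emails):
    """Map digest -> normalized address so results keyed by hash can be tied
    back to accounts. Case/whitespace duplicates collapse; junk is skipped."""
    index = {}
    for raw in emails:
        if "@" not in raw:
            continue
        index.setdefault(email_sha256(raw), raw.strip().lower())
    return index

def accounts_to_reset(index, exposed_hashes):
    """Accounts whose digest was reported as present in a credential list."""
    return sorted(index[h] for h in set(exposed_hashes) if h in index)

# Constructed sample directory (not real accounts).
DIRECTORY = ["Alice@Example.com ", "alice@example.com",
             "bob@example.com", "not-an-address"]

if __name__ == "__main__":
    index = build_index(DIRECTORY)
    for digest in index:
        print(BASE_URL + f"/email/{digest}/credential-lists")
    # Constructed stand-in for digests the API reported as exposed.
    exposed = [email_sha256("bob@example.com"), "0" * 64]
    print(accounts_to_reset(index, exposed))
```

Keeping the digest-to-address index on your side lets the reset and MFA workflows under Use Cases run from the results without the lookup itself carrying plaintext addresses.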

Distinguishing Features

Differences from Database Breaches

  • Credential lists focus exclusively on authentication data (username/password pairs)
  • They are often aggregated from multiple sources rather than a single breach
  • They are specifically formatted for automated credential stuffing attacks

Differences from Malware Logs

  • Credential lists don't typically include system information or cookies
  • They focus purely on credentials rather than comprehensive device data
  • They are deliberately shared and distributed rather than secretly harvested

Use Cases

Account Takeover Prevention

  • Identify user accounts with credentials in combo lists
  • Force password resets for affected accounts
  • Implement additional authentication factors for at-risk accounts

Security Awareness

  • Educate users about the dangers of password reuse
  • Demonstrate the real-world consequences of credential exposure
  • Promote the adoption of password managers and unique credentials

Threat Intelligence

  • Track the creation and distribution of credential lists
  • Identify which services are being targeted for credential harvesting
  • Monitor for industry-specific credential compilation

Security Posture Assessment

  • Measure the exposure of your organization's credentials in combo lists
  • Track changes in credential exposure over time
  • Compare your organization's exposure to industry benchmarks

By monitoring credential lists through the NordStellar Dark Web API, organizations can protect against one of the most common and damaging attack vectors: credential stuffing. This proactive approach helps prevent account takeovers, financial fraud, and data theft resulting from reused credentials.

NordStellar © 2026