What is a ga$$pass combolist?

10.5K    Asked by AnushaAcharya in Cyber Security , Asked on Sep 26, 2022

After asking for email lists the other day, I got linked to this: https://combo-list.com/

This is a very strange "blog" which appears to be regularly publishing (or linking to, rather) lists of email addresses which have supposedly been leaked in data breaches. I have no interest in the passwords, but it seems to also include those. I'm not sure if those are really the passwords to the email accounts, or passwords for something else entirely.

My interest in this has nothing to do with using somebody else's email account.

They don't mention what a "combo list" is, and I cannot figure this out from searching or thinking. It seems like the blog assumes that everyone knows what it is.

I also thought it was a fake site at first, but eventually did manage to download a list, and it appears real. But then again, who knows what kind of information really is in those lists?

I basically wonder why anyone would run such a site, and regularly update it. Why would they give out this info to the public like this? What's in it for them? Why would they want more spammers to send emails to these victims of data breaches?

Answered by Anushri Singh

In gas$$pass combo list, Combo is short for combination, so combo lists are lists containing combinations of usernames/emails and passwords.


They are used for brute force attacks. The benefit compared to separate username and password lists is that combo lists are expected to contain a higher likelihood of success.

They may stem from data leaks or previous successful brute force attacks. The idea is that they (used to) work on some websites, and because users reuse passwords, they may work on other sites as well.

Why do people share anything with others? Fame, recognition, helpfulness, money (via ads), boredom?

It's not so much about spamming (lists of email addresses would be enough for that), but about gaining access to other users' accounts. Eg to gain free stuff (say a netflix account) or for more nefarious purposes (stealing money, credit cards, etc).



Your Answer

Answer (1)

A "GA$$PASS combolist" likely refers to a collection of username-password combinations used for credential stuffing attacks or account takeover attempts.


Here's a breakdown:

GA$$PASS: This term likely refers to a specific type of account, website, or service. It could be the name of a gaming platform, social media site, or any other online service.

Combolist: This term refers to a list of username-password pairs. These combos are often compiled by attackers through various means, including data breaches, phishing campaigns, or by purchasing them from underground forums or marketplaces on the dark web.

When attackers obtain combolists, they use automated scripts or tools to systematically try each username-password pair on various websites or services, attempting to gain unauthorized access to user accounts. This technique is known as "credential stuffing."

It's important for users to use strong, unique passwords for each online account and enable two-factor authentication where possible to protect against credential stuffing attacks. Additionally, website owners should implement security measures like rate limiting, CAPTCHA, and account lockout policies to mitigate the risk of unauthorized access.


6 Months

Interviews

Parent Categories