Combo Lists: The Silent Culprit Behind Many Security Incidents
Diogo Duarte
LL.M., CIPP/E, CIPM, FIP, ECPC-G | Privacy Counsel | Data Protection Officer | GDPR Compliance Specialist
Security incidents and data breaches can devastate businesses, leaving clients' personal data exposed and causing significant financial and other damage. Organisations may invest heavily in cybersecurity measures, yet breaches still occur, leaving them wondering where they went wrong.
Picture this: As a business owner or executive, you've taken every precaution to protect your company's data. You've invested in top-notch security systems, hired a cybersecurity team, and conducted regular audits to safeguard your clients' information. You've done everything by the book. Everything goes smoothly, and you're going about your daily routine when suddenly, you receive a flood of emails from concerned clients. They report that their accounts have been hacked, their personal information has been tampered with, and passwords have been changed without their knowledge. You feel your heart race, your palms start to sweat, and a sense of dread sets in. You assemble your data breach response team - legal, privacy, cybersecurity, and operations experts all at the table - and begin the investigation process.
"Is it possible that our systems failed to detect suspicious activity?" you ask. "Was the attack so sophisticated that no one could have prevented it?"
The hours go by. There is no other trick in the book for your team to use, and you still have nothing. The initial forensic investigation did not reveal anything out of the ordinary. Your security systems have been tested and are functioning as they should, yet you still cannot explain how this breach occurred. You're stuck in limbo with no clear answer as to whether a data breach occurred. The clock is ticking. Tic-tac, tic-tac. Still, no reasonable degree of certainty that a data breach has happened. Tic-tac, tic-tac. 72 hours, right?
So, you can already picture the scenario, and a couple of possible explanations come to mind. Maybe clients were hacked, or perhaps someone is sabotaging you: a former partner or employee, a dissatisfied employee, or a negligent trainee. Before we move into the finger-pointing exercise, let me introduce you to combo lists.
Combo lists are lists of username and password combinations that are typically obtained through data breaches or leaks from various sources on the internet. Cybercriminals often use these combo lists to launch attacks such as credential stuffing or password spraying, which involve using automated tools to try these combinations on multiple websites or services to gain unauthorised access to user accounts.
This might surprise you (or not), but almost two-thirds of people use the same password across multiple accounts (Online Security Survey - Google / Harris Poll, February 2019). The email address used to shop online is the same for subscribing to cooking newsletters and creating social media accounts. The password for accessing public online services is the same for mobile apps. Considering the cybercriminals' perspective, it is reasonable to suppose that the credentials obtained from one platform will work on many others.
In this sense, organisations can potentially be the "sources of contagion" to many others or be "infected" by others. There are, however, measures that both organisations and individuals can take to mitigate the risk of an attack that uses combo lists.
As an individual, an excellent first step to mitigating those risks is to create different email accounts for different purposes. I used to divide those purposes into the following categories: 1) social media platforms, 2) personal communications, 3) newsletters and other subscriptions, 4) services, and 5) important communications (meaning information related to taxes, communications with public entities, etc.). Besides this, I have a professional email to contact clients and another to deal with inquiries. When setting a password, if there is no special requirement, this trick does the job: instead of remembering multiple passwords, use a core password and adapt it to the website/app/service/etc. you are using. For example, suppose my core password is "Mercury2023", and I wish to create a LinkedIn account. You can, for instance, use the first two and the last two letters of the platform's name to generate a specific password for this website. Like this: "LiMercury2023In". Add a punctuation sign at the end and/or the beginning to strengthen it. Like this: "?LiMercury2023In?". With this simple trick, you do not have to memorise all the passwords you use. You have a unique password for each site that simultaneously follows the same rule on all websites/services/apps/etc.
On the other hand, if you are trying to protect your organisation, consider the following three essential measures. Implement a strong password policy as a first step. Strong passwords use a combination of upper- and lower-case letters, numbers, and symbols to form an unpredictable string of characters that does not resemble words or names. Add an extra layer of security by implementing multi-factor authentication. This multi-step login process provides a layered approach to securing data and applications, in which the system requires the user to present two or more credentials to verify their identity at login. More importantly, implement account lockout policies that lock user accounts after several failed login attempts, which can help prevent brute-force attacks using combo lists. These policies are valuable for slowing down online password-guessing attacks and compensating for weak password policies.
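As an added illustration of the two organisational measures above (spotting a combo list being replayed against the login endpoint, and an account lockout policy), here is example code that is not part of the original article. The log format, the thresholds, and the sample IP addresses and usernames are constructed assumptions.

```python
# Added example, not from the original article: flag combo-list replay in auth
# logs and enforce an account lockout policy. Format/thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "timestamp source_ip username outcome"
SAMPLE_LOG = """\
2023-03-01T10:00:01 203.0.113.7 alice FAIL
2023-03-01T10:00:02 203.0.113.7 bob FAIL
2023-03-01T10:00:03 203.0.113.7 carol FAIL
2023-03-01T10:00:04 203.0.113.7 dave OK
2023-03-01T10:00:05 203.0.113.7 erin FAIL
2023-03-01T10:05:00 198.51.100.9 alice FAIL
2023-03-01T10:05:20 198.51.100.9 alice FAIL
2023-03-01T10:05:40 198.51.100.9 alice FAIL
2023-03-01T10:06:00 198.51.100.9 alice OK
"""

def parse_log(text):
    """Return (timestamp, ip, user, success) tuples in log order."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events

def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """IPs that tried many distinct usernames and mostly failed: one replayed
    username/password pair per account is the combo-list signature."""
    stats = defaultdict(lambda: [set(), 0, 0])  # distinct users, attempts, fails
    for _, ip, user, ok in events:
        s = stats[ip]
        s[0].add(user); s[1] += 1; s[2] += (not ok)
    return sorted(ip for ip, (users, n, f) in stats.items()
                  if len(users) >= min_users and f / n >= min_fail_ratio)

def takeover_candidates(events, suspicious_ips):
    """Accounts whose login succeeded from a flagged source: treat as compromised."""
    return sorted({u for _, ip, u, ok in events if ok and ip in suspicious_ips})

def lockout_decisions(events, max_failures=3, window=timedelta(minutes=10)):
    """Lock an account after max_failures failures within `window`; every later
    attempt in the window is rejected, even one presenting the right password."""
    failures, locked, rejected = defaultdict(list), set(), []
    for ts, ip, user, ok in events:
        failures[user] = [t for t in failures[user] if ts - t <= window]
        if len(failures[user]) >= max_failures:
            locked.add(user)
            rejected.append((ts.isoformat(), ip, user))
        elif not ok:
            failures[user].append(ts)
    return locked, rejected
```

On the sample data the first source is flagged, dave's successful login from it is reported as a likely takeover, and alice's fourth attempt (the one with the correct password) is rejected by the lockout.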