A combination file is a compiled list of usernames and passwords assembled from prior breaches, infostealer logs, or other credential sources. It often looks like evidence of a single new breach, but its real value to attackers is scale, reuse testing, and the ability to replay old secrets against live accounts.
Expanded Definition
A combination file is not a fresh credential dump so much as a compiled attack dataset, built from prior breaches, infostealer logs, paste sites, and other leaked sources. In NHI security, the term matters because attackers use these files to test password reuse, identify active accounts, and replay old secrets at scale across SaaS, cloud, and internal services. That makes a combination file a credential intelligence artifact, not merely a list of usernames and passwords.
Definitions vary across vendors on whether combo files are treated as a breach indicator, an initial access method, or a post-compromise signal, but the operational meaning is consistent: they enable credential stuffing and secret replay. The relevant control question is whether exposed credentials are still valid, where they are reused, and whether rotation or revocation is fast enough to matter. The NIST Cybersecurity Framework 2.0 is useful here because it frames identity, access, and recovery as continuous functions rather than one-time events.
The most common misapplication is treating a combination file as proof of a single new breach, which occurs when defenders miss that the dataset may simply aggregate older secrets that remain valid today.
Examples and Use Cases
Implementing detection and response around combination files rigorously often introduces triage noise, requiring organisations to balance broad credential monitoring against the cost of investigating large numbers of reused or already expired secrets.
- A security team sees login attempts against a cloud console from many geographies and discovers the attacker is cycling through a combination file built from old infostealer logs.
- An API key appears in a combo dataset and is still valid because the secret was stored outside a secrets manager, matching the pattern described in the Ultimate Guide to NHIs.
- Identity defenders compare breached usernames against active service accounts to see whether dormant automation identities can be abused for lateral movement.
- Incident responders use combo-file findings to trigger password resets, token revocation, and forced rotation for accounts with reused credentials.
- Threat hunters correlate reuse testing with authentication logs to distinguish opportunistic stuffing from targeted access attempts guided by a known secret set.
In practice, combination files are most useful when paired with source intelligence, because the same credential pair may be harmless in one context and high risk in another. For broader operational guidance on leaked credentials and remediation priorities, NHI Management Group’s Ultimate Guide to NHIs explains why secret visibility and rotation lag are persistent control gaps.
Why It Matters in NHI Security
Combination files are dangerous because they turn old credential exposure into present-tense access risk. In NHI environments, the blast radius is often larger than defenders expect: service accounts, API keys, CI/CD tokens, and automation secrets are frequently long-lived, reused, and under-monitored. NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which shows why leaked credential datasets must be treated as an active control problem rather than an intelligence curiosity.
This is also where remediation discipline becomes measurable. If secrets remain valid days after exposure, attackers can continue testing them while defenders are still assessing scope. The Ultimate Guide to NHIs notes that 91.6% of secrets remain valid five days after notification, underscoring how slowly many organisations invalidate exposed credentials. The right response is to inventory affected identities, revoke or rotate secrets, and verify where the same credential material was reused across applications and environments. Organisationally, the issue becomes unavoidable after suspicious authentications, account takeovers, or service interruptions reveal that stolen credential history is still live in production.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses improper secret management and exposure that combo files exploit. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management underpin resistance to credential-stuffing attacks. |
| NIST SP 800-63 | Digital identity assurance informs how stolen credentials should be validated and challenged. | |
| NIST Zero Trust (SP 800-207) | Zero trust requires continuous verification when credentials may be replayed from combo files. | |
| OWASP Agentic AI Top 10 | Agentic systems can expose or reuse secrets that become targets in combination files. |
Strengthen authentication, monitor anomalous logins, and block reused credentials tied to leaked datasets.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org