A combo list is a text file that contains a collection of usernames or email addresses along with their corresponding passwords. Cybercriminals compile these lists from multiple data breaches or security incidents, and they are often sold or leaked on the dark web. This means that identity thieves and other criminals could potentially use this information to commit identity theft or engage in other illegal activities.

When we detect your exposed username/email and password pair on the dark web as part of a combo list, we send you a notification. While we cannot remove this information from the dark web, you can take certain actions to protect it. We advise you to change the exposed username/email address and password on all sites where you might have used them. We also recommend that you choose a new, unique, and strong password for each individual site. Do not use the same password every time.

See the exposed password

The exposed password included in the dark web notification is masked for security purposes. Follow the steps below to fully unmask the password:

1. Click the link in the notification.
2. You receive a verification code for the exposed email displayed in the notification.
   • If you do not receive your verification code, check your spam or junk folders for an email from no-reply@myidentity.avast.com.
   • As there may be a delay, check your folders again in minutes or check back again later. If you still have not received your code, please contact your Internet Service Provider to resolve this issue.
   • Please avoid sending multiple requests, as this will worsen the situation.
3. Enter the code that you received to see the password.
   • Once we verify that the email address listed belongs to you, your password is unmasked and displayed.
   • Note that the password may not be your most recent, but one you have used in the past.
4. To protect your information, update the sites in which you used this password with a new, unique, and strong password.
   • Change the exposed password on all sites where you might have used it.
   • Choose a unique, strong password on all sites where you might have used it. It is recommended that you do not employ the same password each time.
   • Review your bank account and credit card reports and watch for new bank or credit card alerts or suspicious activity.
   • In some countries, also review your credit reports and watch for new credit inquiry alerts or suspicious activity. Consider freezing your credit file.
   • Set up two-factor authentication whenever the website is available.

Updated on: 12/12/24