Learn more about Password Combo List notification

A combo list is a text file containing a list of usernames/email addresses and passwords. They are assembled by cybercriminals over multiple data breaches or other security incidents, then are sold or leaked on the dark web, which means identity thieves or cybercriminals could use them to commit identity theft or other crimes.

When we detect your exposed username/email and password pair on the dark web as part of a combo list, we send you a notification. While we cannot remove this information from the dark web, you can take certain actions to protect it. We advise you to change the exposed username/email address and password on all sites where you might have used them. We also recommend you choose a new, unique, and strong password for each individual site. Don't use the same password every time.

The exposed password included in the dark web notification has been masked for security purposes. Follow the steps below to fully unmask the password.

See the exposed password

1. Click the link in the notification.

2. You will receive a verification code for the exposed email displayed in the notification.

   • If you do not receive your verification code, check your spam or junk folders for an email from no-reply@myidentity.norton.com.

   • As there may be a delay, check your folders again in 5 minutes or later. If you still do not receive your code, please contact your Internet Service Provider to resolve this issue.

   • Do not send multiple requests, as it will make the condition worse

3. Enter the code that you received to see the password.

   • Once we verify that the email address listed belongs to you, your password will be unmasked and displayed.

   • Note that the password may not be your most recent, but one you have used in the past.

4. To protect your information, update the sites in which you used this password with a new, unique, and strong password.

   • Change the exposed password on all sites where you might have used it

   • Choose a unique strong password on all sites where you might have used it. Its recommended to not employ the same password each time

   • Review your credit reports and watch for new credit inquiry alerts or suspicious activity. Consider freezing your credit file

   • Set up two-factor authentication whenever available for website.

If you have received a second notification for the same email address and have already verified it, you will see a partially masked password with an eye icon next to it.

• You must click the eye icon to display the fully exposed password.
• Once the notification is archived, you will no longer see the password.

Need more help?

• Dark Web Monitoring
• FAQ: Dark Web Monitoring