The following steps are essential to defend against attacks fueled by combolists: Credential Stuffing Prevention - OWASP Cheat Sheet Series

Because these lists often target high-value services like PayPal and Amazon, protecting your personal information is critical. How Combolists Are Used

Attackers use automated tools to "stuff" these stolen credentials into the login pages of various websites. They rely on —the tendency for people to use the same password across multiple platforms. Even a success rate as low as 0.1% can result in thousands of compromised accounts when a list contains 1.2 million entries. Guide to Protecting Your Accounts