What is a combolist?
A combo list is a text file that contains a list of leaked usernames and passwords in a specific format. The passwords are usually obtained from different breaches and collectively stored within a file. These files may be fed into automatic brute-forcing tools that test multiple credentials on different accounts or website logins until a match is found.
A common example is a credential stuffing attack. A tool like OpenBullet, an account checker, would use a combolist to automatically check which accounts are valid for a site. Once these accounts have been validated, they will be subject to a full account takeover and, inevitably, some sort of fraud.
They are used for brute force attacks. Compared to separate username and password lists, combo lists are expected to have a higher likelihood of success.
They may stem, for example, from data leaks or previous successful brute force attacks. The idea is that they work (or used to work) on some websites, and because users reuse passwords, they may work on other sites as well.
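Seen from the login side, a replayed combo list has a recognizable shape: one source trying many different accounts, about once each, with only a few matches. The Python code below is an added example, not part of the original text, showing detection logic for that shape; the event format, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# IPs come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # One source, eight different accounts, one try each, one match.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # A real user mistyping a password before getting it right.
    + [("198.51.100.20", "alice@example.com", ok) for ok in (False, False, True)]
    # Shared office egress IP: several users, all logging in successfully.
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(6)]
)


def detect_stuffing(events, min_users=5, max_tries_per_user=2.0, max_success_ratio=0.2):
    """Flag sources whose logins look like a combo list being replayed.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    stats = defaultdict(lambda: {"tries": defaultdict(int), "matched": set()})
    for ip, user, ok in events:
        stats[ip]["tries"][user] += 1
        if ok:
            stats[ip]["matched"].add(user)

    flagged = {}
    for ip, s in stats.items():
        total = sum(s["tries"].values())
        users = len(s["tries"])
        # Success is counted per account: a hit means that pair was valid here.
        success_ratio = len(s["matched"]) / users
        if (users >= min_users
                and total / users <= max_tries_per_user
                and success_ratio <= max_success_ratio):
            flagged[ip] = {
                "distinct_users": users,
                "attempts": total,
                # These accounts matched a replayed pair: reset and review them.
                "matched_accounts": sorted(s["matched"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

The single mistyping user and the shared office address are not flagged; only the source that touched many accounts once each is, and its matched accounts are the ones to force through a password reset.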