Factor: Information Leak
Applies to: historical_compromised_credentials_found, compromised_credentials_found
How does SecurityScorecard know that the Email/password combinations have been exploited and are a security risk?
SecurityScorecard collects data from log sellers and log providers, also known as "clouds of logs". We have built the engine to collect these data ourselves.
These logs are sourced from active information stealer malware such as Redline, Racoon, Meta Stealer, etc. With our engine, we are able to provide an almost real-time feed from over 50 different underground Telegram sources, as well as daily log parsing from other dark web sources. We are collecting information about 250k unique domains in a 24hr period or 265k unique leaked credentials. Many of these credentials are 1 or 2 days old from the time of collection.
Why SecurityScorecard doesn't provide evidence of the full combination of Email/Password under this Issue Type?
We do not provide the full credentials due to sensitive nature of this data and hence it is masked on the our platform.
Why are the usernames different formats?
Information stealers will collect any login credentials for web-forms, so for example if I am logging into a Government information system, the username may be numerical or may be a first/last name. The format will vary depending on the platform that a user is logging into so hence the wide variety of username formats.
How are they attributed to the Scorecard?
These credentials are attributed to Scorecards based on the domain present in the Username field or the Domain field (the portal that the user is logging into).
Why would my company be penalized if the credentials that used an email of my company are leaked on a third-party url?
When corporate email addresses or passwords are leaked on external sites, it creates significant security and compliance risks for your organization, even if the leak occurred outside of your network.
The primary risks include:
- Credential Stuffing Attacks: If an employee reuses their corporate password on a third-party site, attackers can use automated tools to test those leaked credentials and gain direct, unauthorized access to your internal corporate network and systems.
- Bypassing Security Vetting: Using corporate emails to sign up for external tools or services without IT approval introduces "Shadow IT," bypassing your corporate security protocols and data protection standards.
- Targeted Phishing & Social Engineering: Once a corporate email address is exposed in a hacker database, it becomes a target. Attackers use this information to launch highly sophisticated phishing campaigns, corporate spoofing, or "CEO fraud" attacks against your employees.
- Compliance and Legal Liability: Depending on our industry, you may be bound by strict regulatory frameworks (such as GDPR, HIPAA, or SOC 2). Exposed corporate credentials can jeopardize your security certifications, violate compliance laws, and expose the company to severe financial penalties.