Leaked Credentials
Information leaked in data breaches and shared on the criminal underground can have various impacts.
Leaked Credentials (username and password combinations) pose the highest immediate risks to individuals. Regrouped in collections and combolists and exchanged on underground forums, they are used by malicious actors in credential stuffing attacks.
The impacts can be broadly divided into two categories: customer account takeovers and employee account takeovers.
When a credential stuffing approach is used to access customer accounts, a malicious actor gains access to the user's account. This account often contains personal information on the user, such as a phone number or address, that can be used as described below. In banking, retail or e-commerce cases, the account also generally gives the actor access to funds or loyalty points, which he can fraudulently withdraw or spend on products or services. This leads to a loss of funds for the company and increases the volume of support calls from users.
When the attack is used against employees' credentials, the consequences can be much worse. With access to a VPN or any other network entry point, a valid employee credential effectively acts as initial access (MITRE ATT&CK T1078, Valid Accounts) that a malicious actor can then use to pivot internally and escalate privileges. Simply by accessing an email inbox, the actor can impersonate the employee and commit, among many other frauds, CEO fraud.
More information around leaked credentials and account takeover can be found in our webinar on Account Takeovers Prevention.
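The credential stuffing pattern described above has a recognizable signature in authentication logs: one source address trying many distinct usernames in a short window, with most attempts failing and a few succeeding. The following is an added detection example, not Flare's code; the log format and the IP addresses are constructed, and the thresholds (window, minimum distinct users, failure ratio) are assumptions to tune per environment.

```python
"""Credential-stuffing detector over authentication log lines.

Added example (not Flare's code). Flags source IPs that attempt logins for
many distinct usernames with a high failure rate inside a sliding time
window, which is what a replayed combolist looks like at a login endpoint.
The contrast case (one username, repeated failures) is password guessing,
not credential stuffing, and is intentionally not flagged here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
# Format: "<ISO timestamp> login src=<ip> user=<username> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 login src=203.0.113.7 user=alice@example.com result=fail
2024-03-01T10:00:02 login src=203.0.113.7 user=bob@example.com result=fail
2024-03-01T10:00:02 login src=203.0.113.7 user=carol@example.com result=fail
2024-03-01T10:00:03 login src=203.0.113.7 user=dave@example.com result=ok
2024-03-01T10:00:03 login src=203.0.113.7 user=erin@example.com result=fail
2024-03-01T10:00:04 login src=203.0.113.7 user=frank@example.com result=fail
2024-03-01T10:00:10 login src=198.51.100.4 user=alice@example.com result=fail
2024-03-01T10:00:15 login src=198.51.100.4 user=alice@example.com result=fail
2024-03-01T10:00:20 login src=198.51.100.4 user=alice@example.com result=ok
2024-03-01T10:30:00 login src=192.0.2.9 user=grace@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["src"],
                            m["user"], m["result"] == "ok"))
    return events


def detect_credential_stuffing(events, window_seconds=60,
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Return {src_ip: details} for sources matching the stuffing signature.

    Thresholds are assumed defaults for illustration, not recommended values.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        # Sliding window over this source's attempts, ordered by time.
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > timedelta(seconds=window_seconds):
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            fails = sum(1 for e in window if not e.ok)
            ratio = fails / len(window)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                prev = alerts.get(src)
                # Keep the widest window seen, so the alert lists every
                # account the actor touched, including the ones that succeeded.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "fail_ratio": round(ratio, 2),
                        "succeeded": sorted(e.user for e in window if e.ok),
                    }
    return alerts


if __name__ == "__main__":
    for src, details in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, details)
```

The accounts listed under `succeeded` are the ones to treat as taken over: they deserve a forced password reset and a session revocation, while the source address itself is a candidate for rate limiting or blocking.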
With the increasing usage of digital tools and social media, people's names are generally widely available, and the only new information from a data leak is the relation between a name and a service, for example between John Smith and myfitnesspal.com. This relation can be used to target the individual with more convincing phishing if combined with contact information such as an email address or a phone number. Although unfortunate, there are no concrete actions that need to be taken in the case of a leaked name or surname.
A leaked email address, without any associated password, has a limited impact. The main use for this data by malicious actors will be to include it in a list used for massive email sending (spam) or consumer phishing. In the case of a corporate address, it may also be used for targeted phishing against the organization. The information by itself has limited use, but can be combined with any other information to build a more complete profile of an individual.
A leaked phone number has limited impact, but may increase the chance that the individual will receive automated phishing calls and voice phishing (vishing). The goal of these calls is to obtain more information from the person to eventually commit fraud or a full identity theft.
An address is a key part of an individual's identity. When leaked publicly, it can help a malicious actor impersonate the individual, especially when combined with other information such as a name or a date of birth, leading to identity theft. In certain cases, when an identity is stolen to open credit cards, a malicious actor will also attempt to intercept the mail going to this address to collect the fraudulently requested credit card and start using it.
The date of birth is often asked by financial institutions and the government to support identification. A leaked date of birth, combined with other personal information, will help a malicious actor move towards a full identity theft.
The American Social Security Number (SSN) and the Canadian Social Insurance Number (SIN) are key pieces of information that individuals are assumed to keep confidential, and that can sometimes be used almost on their own, along with the name of an individual, to validate an identity. If someone's SSN/SIN is leaked, it is recommended to take the measures outlined below to protect against identity theft as soon as possible.
Other personal information, such as a place of birth, a favorite sport, the brand of a first car or a mother's maiden name, can be used to guess passwords and answers to security questions. Although these don't present a risk by themselves, individuals should be aware of what information is leaked and ensure it is not used in any authentication process (especially for financial or government access).
When a malicious actor successfully accesses a victim's bank account, he can perform different steps to execute a cash-out, in which he extracts the funds and leaves the victim with an empty account. When this happens, the fraud is generally covered by the bank. The
The American Consumer Financial Protection Bureau provides guidelines on recovering stolen funds, as does the Canadian Anti-Fraud Centre.
Identity theft occurs when a malicious actor has collected enough personal information about an individual to impersonate them and commit fraudulent acts. The most common ones relate to accessing credit, in which case the victim is surprised by new credit cards, loans or mortgages that were opened in their name, while the actual funds were transferred to the malicious actor.
The Government of Canada provides more information about protection from identity theft, and Equifax provides some guidance on what it is and what to do if it happens. In the United States and Canada, the current best practice when an individual is at risk of becoming a victim of identity theft following the leak of personal information is to request a credit freeze from the large credit agencies Equifax, TransUnion and Experian (US only).
A number of other frauds and scams can occur when personal information is leaked, as documented by the US government's Common Scams and Frauds.
Leaked credentials databases are imported in Flare in the following way:
- We follow major news platforms for information about breaches, and monitor popular criminal underground sources where actors discuss, trade and sell leaked credential databases.
- We identify and collect data that is accessible without involving any financial transaction.
- If the database contains username and password combinations, it will be imported into Flare.
Additionally, every document collected anywhere in our system, such as GitHub code files or forum conversations, goes through a data extractor that looks for credentials. If any are found, they are stored in the leaked credential database.
Our intelligence team continuously monitors the criminal underground looking for leaked credential databases exchanged on forums and markets. We often look at and include breach documentation from Have I Been Pwned. There are a number of potential areas where credentials are found.
If credentials are shared as part of a clear and defined file coming from a single breached organization, the source name will include the year and the victim website, such as 2022_mysite.com.
If credentials are shared as a collection - a large set of breaches brought together in a single set of files - we will name them with the name of the collection as used by malicious actors on the criminal underground, such as collection-2-5. If credentials are shared as a combolist - a carefully selected set of valuable credentials brought together by malicious actors specifically to execute credential stuffing attacks (more details here) - the leaked credential events will be listed under the 'combolists' source. These pose a higher risk to an organization, as they are specifically made for offensive use cases.
If we find leaked credentials that are difficult or impossible to track to a specific source, we will aggregate them into sources named YYYY_varia. We also parse stealer logs to extract credentials when they are present in the text. These are aggregated in sources named YYYY_botnet_data.
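To make the extraction step and the source naming convention concrete, here is an added example of a small leaked-credential extractor. It is not Flare's own extractor; the two input formats it recognizes (an `email:password` dump and a `USER:`/`PASS:` stealer-log line), the sample dump, the domain watchlist and the `source_name` helper are all constructed for illustration, and the naming helper only mirrors the conventions described in this section (YYYY_site, collection name, `combolists`, YYYY_varia, YYYY_botnet_data).

```python
"""Leaked-credential extractor with source-name assignment.

Added example (not Flare's code). Scans arbitrary text for email/password
pairs, normalizes and de-duplicates them, tags each with a source name that
follows the convention described above, and filters for the domains an
organization monitors (the defender's first question: are any of these ours?).
"""
import re
from dataclasses import dataclass

# "email<sep>password" lines as found in breach dumps and combolists.
PAIR_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"\s*[:;|,\t]\s*"
    r"(?P<password>\S+)"
)
# Labelled "USER: ... PASS: ..." lines, a constructed stealer-log style.
STEALER_RE = re.compile(
    r"USER:\s*(?P<email>\S+@\S+)\s+PASS:\s*(?P<password>\S+)", re.IGNORECASE
)

# Constructed sample text; none of these accounts or passwords are real.
SAMPLE_DUMP = """\
# constructed sample dump, not real data
alice@example.com:Summer2023!
bob@example.org;hunter2
random noise line without credentials
ALICE@example.com:Summer2023!
carol@corp-example.net | P@ssw0rd
URL: https://login.corp-example.net/ USER: dave@corp-example.net PASS: qwerty123
"""


@dataclass(frozen=True)
class LeakedCredential:
    email: str
    password: str
    source: str


def source_name(kind, year=None, victim=None, collection=None):
    """Build a source name per the convention in this section (assumed helper)."""
    if kind == "breach":
        return f"{year}_{victim}"          # e.g. 2022_mysite.com
    if kind == "collection":
        return collection                  # e.g. collection-2-5
    if kind == "combolist":
        return "combolists"
    if kind == "varia":
        return f"{year}_varia"
    if kind == "botnet":
        return f"{year}_botnet_data"       # credentials parsed from stealer logs
    raise ValueError(f"unknown source kind: {kind}")


def extract_credentials(text, source):
    """Return de-duplicated credentials found in text, in order of first sight."""
    seen = set()
    found = []
    for line in text.splitlines():
        m = STEALER_RE.search(line)
        matches = [m] if m else PAIR_RE.finditer(line)
        for match in matches:
            email = match["email"].lower()   # emails are case-insensitive
            password = match["password"]     # passwords are not
            key = (email, password)
            if key in seen:
                continue
            seen.add(key)
            found.append(LeakedCredential(email, password, source))
    return found


def exposed_for_domains(creds, watched_domains):
    """Keep only credentials whose email domain is on the organization's watchlist."""
    watched = {d.lower() for d in watched_domains}
    return [c for c in creds if c.email.rsplit("@", 1)[1] in watched]


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_DUMP, source_name("combolist"))
    for c in exposed_for_domains(creds, {"corp-example.net"}):
        print(c.source, c.email)   # never print the password in real tooling
```

Matching on the email domain is what turns a generic dump into an actionable list of employee credentials to reset; the source name tells the analyst whether the entry came from a single dated breach, a combolist built for credential stuffing, or stealer logs, which changes the urgency of the response.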
At this point in time, Flare does not provide a complete list of breaches imported. If you're looking for a specific credential and it doesn't show up in Flare, it may be for the following reasons:
- The breach did not include username/password combinations. You can check this in the breach description on the Pwned websites section of Have I Been Pwned. We only import breaches that contain email addresses and passwords.
- The leaked database is not available without a financial transaction, and our team has not gained access to it.
- We are in the process of importing it, or we've missed it for one reason or another. If that's the case, contact us by reaching out to your Flare Systems contact.