What is breach and infostealer exposure

What is breach exposure?

A data breach occurs when credentials or personal data from a service are stolen and later leaked or sold on criminal marketplaces. If an employee used their work email address to register for a third-party service that was later breached, their email and possibly their password are now in the hands of attackers.

Attackers use these credential dumps in credential stuffing attacks — automatically trying stolen username/password pairs against your VPN, email, cloud applications, and other services. If the same password was reused, the attack succeeds silently.


What is infostealer exposure?

Infostealers are a category of malware (RedLine, Vidar, Lumma, Raccoon, and others) that silently harvest browser-saved passwords, session cookies, autofill data, and crypto wallets from infected devices. The harvested data — called "stealer logs" — is sold in bulk within hours of infection.

Infostealer exposure is more serious than a standard breach because:

  • It captures passwords as they exist at the time of infection, bypassing historic breach databases.
  • It can include session cookies, which allow attackers to bypass MFA entirely.
  • The device itself may still be compromised.


How ExposureIndex checks for it

The Identity scan takes the email addresses associated with your organisation and checks them against:

  1. Breach databases — Collections of leaked credential dumps from thousands of compromised services.
  2. Stealer log marketplaces — Aggregated data from infostealer campaigns, matched by email domain and address.

Results show which accounts have been exposed, whether passwords were included, and whether infostealer infection was detected.


What to do

For breach exposure

  1. Force a password reset for the affected account on your internal systems — even if the breach was on a third-party service, password reuse is common.
  2. Enforce MFA on all accounts if not already done. A breached password is useless to an attacker if they still need a second factor.
  3. Audit for password reuse — Encourage or enforce the use of a password manager so each service gets a unique password.
  4. Move to passwordless authentication where possible: use hardware-based passkeys such as YubiKey, or biometric passkeys such as Apple Face ID/Touch ID, Windows Hello, or Google/Android Face Unlock/Fingerprint.

For infostealer exposure

  1. Treat the device as compromised — Re-image or perform a full security scan with endpoint detection tools.
  2. Invalidate all active sessions for the affected user across all services (force sign-out everywhere).
  3. Rotate credentials for every service accessible from that device — not just the one that showed up in the report.
  4. Check for MFA bypass — If session cookies were stolen, the attacker may have already authenticated. Review login audit logs for anomalous access.
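One way to carry out step 4, as an added example that is not part of ExposureIndex or this page: a Python check over constructed audit log lines that flags sessions whose cookie appears to have been reused after MFA was already passed. The log format, field names and sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication audit log (not real data). Each line is one
# request authorised by a session cookie; event=login mfa=1 marks the point
# where the user completed MFA and the session id (sid) was issued.
SAMPLE_LOG = """\
2026-03-20T09:01:02Z user=alice@example.com sid=s-1001 ip=203.0.113.10 ua=Chrome/123 event=login mfa=1
2026-03-20T09:15:30Z user=alice@example.com sid=s-1001 ip=203.0.113.10 ua=Chrome/123 event=request
2026-03-20T11:42:07Z user=alice@example.com sid=s-1001 ip=198.51.100.77 ua=Firefox/115 event=request
2026-03-20T10:00:00Z user=bob@example.com sid=s-2002 ip=203.0.113.22 ua=Chrome/123 event=login mfa=1
2026-03-20T10:05:00Z user=bob@example.com sid=s-2002 ip=203.0.113.22 ua=Chrome/123 event=request
2026-03-20T12:30:00Z user=carol@example.com sid=s-3003 ip=198.51.100.80 ua=Chrome/120 event=request
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) "
                     r"ua=(?P<ua>\S+) event=(?P<event>\S+)(?: mfa=(?P<mfa>\d))?$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_suspicious_sessions(log):
    """Return {sid: {"user": ..., "reasons": [...]}} for sessions that look replayed.
    A stolen cookie lets an attacker reuse a session that already passed MFA, so
    the signals are (a) a sid later seen from a different IP/user-agent than at
    its MFA login and (b) a sid in use with no MFA login in the log window.
    """
    origin = {}  # sid -> (ip, ua) recorded at the MFA login
    flagged = defaultdict(lambda: {"user": None, "reasons": []})
    for rec in parse(log):
        sid, fp = rec["sid"], (rec["ip"], rec["ua"])
        if rec["event"] == "login" and rec["mfa"] == "1":
            origin[sid] = fp
            continue
        reason = ("no MFA login seen for session" if sid not in origin
                  else f"fingerprint changed to {fp}" if origin[sid] != fp else None)
        if reason and reason not in flagged[sid]["reasons"]:
            flagged[sid]["user"] = rec["user"]
            flagged[sid]["reasons"].append(reason)
    return dict(flagged)

def users_to_sign_out(log):
    """Accounts whose sessions should be invalidated everywhere (step 2 above)."""
    return sorted({v["user"] for v in find_suspicious_sessions(log).values()})
```

Feed the output of users_to_sign_out into the forced sign-out from step 2; a session flagged for a changed fingerprint is the strongest sign that a stolen cookie was used.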

General hardening

  • Deploy an endpoint detection and response (EDR) tool that detects infostealer behaviour in real time.
  • Enforce phishing-resistant MFA (hardware keys or passkeys) for critical systems — SMS/TOTP codes can be bypassed with stolen sessions. Examples:
    • https://friendsofclaudia.com
    • https://www.acronis.com
    • https://www.malwarebytes.com
  • Train staff not to save passwords in browsers on shared or unmanaged devices. Use a password manager to keep passwords unique, long and complex, so users do not have to remember them all or reuse the same password across services. Examples:
    • https://friendsofclaudia.com
    • https://heylogin.com
    • https://www.1password.com

Last updated: March 28, 2026