What is breach exposure?
A data breach occurs when credentials or personal data from a service are stolen and later leaked or sold on criminal marketplaces. If an employee used their work email address to register for a third-party service that was later breached, their email and possibly their password are now in the hands of attackers.
Attackers use these credential dumps in credential stuffing attacks — automatically trying stolen username/password pairs against your VPN, email, cloud applications, and other services. If the same password was reused, the attack succeeds silently.
What is infostealer exposure?
Infostealers are a category of malware (RedLine, Vidar, Lumma, Raccoon, and others) that silently harvest browser-saved passwords, session cookies, autofill data, and crypto wallets from infected devices. The harvested data — called "stealer logs" — is sold in bulk within hours of infection.
Infostealer exposure is more serious than a standard breach because:
- It captures passwords as they exist at the time of infection, bypassing historic breach databases.
- It can include session cookies, which allow attackers to bypass MFA entirely.
- The device itself may still be compromised.
How ExposureIndex checks for it
The Identity scan takes the email addresses associated with your organisation and checks them against:
- Breach databases — Collections of leaked credential dumps from thousands of compromised services.
- Stealer log marketplaces — Aggregated data from infostealer campaigns, matched by email domain and address.
Results show which accounts have been exposed, whether passwords were included, and whether infostealer infection was detected.
LeakRadar Domain Intelligence
In addition to checking individual employee accounts, ExposureIndex uses LeakRadar to perform a domain-level sweep. This goes beyond your own employees and looks at credentials leaked across your entire organisational ecosystem — including third-party suppliers and customers who interact with your domain.
Exposure categories
Employees
Credentials belonging to email addresses at your primary domain (e.g. @yourcompany.com) that have appeared in breach data. Even a single exposed employee account is a high-priority finding, as it may enable direct access to internal systems via credential stuffing.
Third Parties
Credentials belonging to external users — typically suppliers, contractors, or partners — who have an account or relationship connected to your domain (for example, through a shared platform, client portal, or service integration). These accounts are outside your direct control, but a compromised supplier account can still become a vector for attacks against you — for instance, through a business email compromise (BEC) or supply chain intrusion.
Customers
Credentials belonging to your customers whose email addresses appear in breach data alongside your domain. This category signals that your customers' accounts may have been compromised through an external breach. Attackers can use these credentials in account takeover (ATO) attempts against your platform.
Password strength breakdown
For each category, the report shows how strong the exposed passwords are, graded as:
| Grade | What it means |
|---|---|
| Too Weak | Very short, dictionary words, or extremely common passwords (e.g. password, 123456). These can be cracked or guessed in seconds. |
| Weak | Passwords with some variation but still predictable patterns (e.g. Company1!). Crackable within minutes using standard tools. |
| Medium | Moderate-length passwords with mixed characters. Still at risk if reused across services. |
| Strong | Long, random, or complex passwords. Low immediate risk, but should still be rotated if exposed. |
A high proportion of Too Weak passwords — particularly among third parties or customers — is a significant red flag. It indicates that even without sophisticated tooling, an attacker could gain access to a large share of exposed accounts with minimal effort.
What the numbers tell you
- High third-party count with weak passwords — Your supply chain is your soft underbelly. A compromised supplier can send convincing phishing emails from a legitimate domain or access shared systems. Inform affected partners and review what access levels third parties hold.
- Customer exposure — Review whether your platform enforces minimum password strength, rate-limits login attempts, and alerts customers about compromised credentials (a GDPR-relevant consideration under Art. 33/34 if the breach originates from your systems).
- Employee exposure at zero — A good sign, but not a permanent state. Domain intelligence is retroactive; new breaches appear continuously. This is why ExposureIndex monitors on an ongoing basis rather than as a one-time scan.
What to do
For breach exposure
- Force a password reset for the affected account on your internal systems — even if the breach was on a third-party service, password reuse is common.
- Enforce MFA on all accounts if not already done. A breached password is useless to an attacker if they still need a second factor.
- Audit for password reuse — Encourage or enforce the use of a password manager so each service gets a unique password.
- Move to passwordless authentication: if possible, use hardware-based passkeys such as YubiKey, or biometric passkeys such as Apple Face ID/Touch ID, Windows Hello, or Google/Android (Face Unlock / Fingerprint).
For infostealer exposure
- Treat the device as compromised — Re-image or perform a full security scan with endpoint detection tools.
- Invalidate all active sessions for the affected user across all services (force sign-out everywhere).
- Rotate credentials for every service accessible from that device — not just the one that showed up in the report.
- Check for MFA bypass — If session cookies were stolen, the attacker may have already authenticated. Review login audit logs for anomalous access.
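The audit-log review in the last step, as an added example (not ExposureIndex code): it scans a constructed login audit log in a simple CSV format and flags sessions presented from a different IP or user agent than the one that completed MFA, or never seen authenticating at all, which is what a replayed stolen cookie looks like. The log format and field names are assumptions.

```python
import csv
from io import StringIO

FIELDS = ["timestamp", "user", "session_id", "source_ip", "user_agent", "event"]

# Constructed sample audit log (not from any real system). "login_mfa" is the
# event that binds a session to the device that completed authentication.
SAMPLE_LOG = """\
2026-04-28T08:02:11Z,alice@example.com,sess-a1,203.0.113.10,Chrome/124 Windows,login_mfa
2026-04-28T08:05:40Z,alice@example.com,sess-a1,203.0.113.10,Chrome/124 Windows,request
2026-04-28T13:17:03Z,alice@example.com,sess-a1,198.51.100.77,Firefox/125 Linux,request
2026-04-28T09:00:00Z,bob@example.com,sess-b7,203.0.113.22,Chrome/124 Windows,login_mfa
2026-04-28T09:30:00Z,bob@example.com,sess-b7,203.0.113.22,Chrome/124 Windows,request
2026-04-28T10:00:00Z,carol@example.com,sess-c3,192.0.2.5,Safari/17 macOS,request
"""

def find_session_anomalies(log_text: str) -> list[dict]:
    """Flag sessions used from a different IP/user agent than the one that passed
    MFA, or never observed authenticating (a cookie replayed from a stealer log)."""
    rows = list(csv.DictReader(StringIO(log_text), fieldnames=FIELDS))
    rows.sort(key=lambda r: r["timestamp"])  # ISO-8601 UTC sorts lexically
    origin: dict[str, tuple[str, str]] = {}  # session_id -> (ip, user_agent)
    findings: list[dict] = []
    for r in rows:
        sid = r["session_id"]
        if r["event"] == "login_mfa":
            origin[sid] = (r["source_ip"], r["user_agent"])
            continue
        if sid not in origin:
            findings.append({"user": r["user"], "session_id": sid,
                             "timestamp": r["timestamp"],
                             "reasons": ["no_login_observed"]})
            origin[sid] = (r["source_ip"], r["user_agent"])  # report once
            continue
        ip, ua = origin[sid]
        reasons = []
        if r["source_ip"] != ip:
            reasons.append("ip_change")
        if r["user_agent"] != ua:
            reasons.append("user_agent_change")
        if reasons:
            findings.append({"user": r["user"], "session_id": sid,
                             "timestamp": r["timestamp"], "reasons": reasons})
    return findings

def users_to_sign_out(findings: list[dict]) -> set[str]:
    # Accounts whose sessions should be invalidated everywhere (force sign-out).
    return {f["user"] for f in findings}
```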
For third-party and customer exposure (LeakRadar)
- Notify affected third parties — Inform suppliers or partners whose credentials appear in breach data. They may be unaware, and their compromised account could become an attack vector against you.
- Review third-party access — Audit what systems, data, and integrations third parties can reach. Apply the principle of least privilege: they should only access what they strictly need.
- Enforce strong password policies on your platform — If customers are showing weak or medium-strength exposed passwords, consider requiring stronger passwords at registration, or implementing breach-password checking (e.g. against the HaveIBeenPwned API) during login.
- Enable account takeover protections — Rate-limit login attempts, alert users on suspicious login activity, and consider offering MFA to customers.
General hardening
- Deploy an endpoint detection and response (EDR) tool that detects infostealer behaviour in real time.
- Enforce phishing-resistant MFA (hardware keys or passkeys) for critical systems — SMS/TOTP codes can be bypassed with stolen sessions.
Examples:
- https://friendsofclaudia.com
- https://www.acronis.com
- https://www.malwarebytes.com
- Train staff not to save passwords in browsers on shared or unmanaged devices. Use password managers to keep passwords unique, long and complex; that way the user doesn't have to remember them all or reuse the same password across several services.
Examples:
- https://friendsofclaudia.com
- https://heylogin.com
- https://www.1password.com
Last updated: April 29, 2026