View Compromised Credentials

Compromised Credentials provides an overview of email addresses detected in data breaches. This allows you to track and manage compromised email accounts, monitor breaches, and view detailed information. 

View Compromised Credentials List

The list displays the email addresses detected in data breaches. Use the following information while viewing the list:

  • Search to locate specific email addresses quickly.

  • Use the following filters to narrow down the search results:

    • Breach Date: Filter credentials based on the date when the breach occurred.

    • Risk Status: Filter by accounts marked as At Risk or Not At Risk, based on the user’s status (Active or Inactive) and whether the password was reset after the breach date.

    • Breach Type: Filter by the type of breach, such as Stealer, Combo, or Credentials.

    • VIP Groups: Filter compromised credentials based on users in your configured VIP groups.

    • Domains: Filter by the domains your organization is monitoring for compromised credentials.

    • Affected Domains: Filter results by domains involved in the breach.

    • Account Status: Filter by the current status of the account, such as Active or Not Active.

    • Sources: Filter by the source reporting the breach.

  • Use Sort by to sort the list by Exposed Identifier, Breach Date, or Last Recorded On in ascending or descending order.

  • To import credentials, click the vertical ellipsis and click Import Credentials. You can browse and upload a CSV file of compromised email addresses. You can also click download template to download a sample CSV for reference.

  • To delete one or more compromised credential records, select their checkboxes from the list and click Delete.

  • The list displays the following information:

    • Exposed Identifier: View the identifier exposed in a breach, such as an email address, username, phone number, or other personal information. You can also use the search bar to locate specific identifiers.

    • Breach Date: View the date when the breach occurred.

    • Last Recorded On: View the most recent date when the breach data was recorded.

    • Domain: View the associated domain of the email address.

    • No. of Breaches: View the total number of breaches associated with the email address.

    • Sources: View the source of the compromised credentials data. For example, Cyware CCM.

View Compromised Credential Details

To view the details of a compromised credential, click the credential in the list and use the following information:

In Breach Details, you can view the information common across breaches detected by different sources. You can view the following information:

  • Exposed Identifier: Displays the identifier associated with the compromised credential.

  • No. of Breaches: Displays the total number of breaches this credential is part of.

  • First Breach: Displays the date and time when the credential was first observed in a breach.

  • Latest Breach: Displays the most recent breach in which this credential was reported.

The Timelines section provides a chronological view of a compromised credential’s status, highlighting key events such as breach detection, changes in risk posture, and response actions taken.

Use the following information to view timeline details:

  • At the top, you can view a widget with a horizontal timeline that shows how the credential moved through different states over time. Each point represents a status change, breach, or action performed, along with the corresponding date.

  • Below the widget, you can view a chronological list of all events related to the credential:

    • The most recent event appears at the top, and the oldest, which is Breached, appears at the bottom.

    • If the same credential is involved in more than one breach, each instance is displayed separately with its own set of details.

    • Breaches occurring on the same date are grouped together, with the latest date shown first.

    • If multiple sources report the same breach, the information is organized by source under the corresponding breach.

  • For each breach, you can view the following information:

    • Common details about the breach, such as Domain and Username.

    • Source-specific information, grouped by each reporting source.

    Note

    The breach details may differ based on the type of breach and the data available from the reporting source.

  • You can mark breaches as Undefined, True Positive, False Positive, or Resolved. By default, all breaches are marked as Undefined.

  • To download breach details as a CSV for offline analysis, click the vertical ellipsis and select the desired source to download information specific to that source.

  • When a user takes action on the credential, the action appears as a separate entry above the breach. Any updates to the risk status are also logged as individual events.

In addition to automated actions, you can manually respond to compromised credentials using Actions. Click the desired response action to trigger the associated playbook and initiate the action. To add more response actions, configure them in Settings. For more information, see Configure CCM.
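The Risk Status logic and the timeline ordering described above can be reproduced offline when triaging exported breach data. This is an added example, not Cyware's code: the record fields, the directory lookup, and the exact rule (At Risk when the account is active and no password reset follows the latest breach date) are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; field names are assumptions, not the product's export schema.
BREACHES = [
    {"id": "alice@example.com", "date": date(2024, 3, 1), "source": "source-a", "type": "Stealer"},
    {"id": "alice@example.com", "date": date(2024, 3, 1), "source": "source-b", "type": "Stealer"},
    {"id": "alice@example.com", "date": date(2023, 7, 15), "source": "source-a", "type": "Combo"},
    {"id": "bob@example.com", "date": date(2024, 1, 10), "source": "source-a", "type": "Credentials"},
    {"id": "carol@example.com", "date": date(2024, 2, 2), "source": "source-b", "type": "Combo"},
]
# Constructed directory data: account state and last password reset (None = never reset).
DIRECTORY = {
    "alice@example.com": {"active": True, "last_reset": date(2023, 12, 1)},
    "bob@example.com": {"active": True, "last_reset": date(2024, 2, 1)},
    "carol@example.com": {"active": False, "last_reset": None},
}

def risk_status(identifier, breaches=BREACHES, directory=DIRECTORY):
    """Assumed rule: At Risk if the account is active and was not reset after its latest breach."""
    dates = [b["date"] for b in breaches if b["id"] == identifier]
    if not dates:
        return "Not At Risk"
    account = directory.get(identifier)
    if account is None:
        return "At Risk"  # no directory record: fail closed so the entry gets reviewed
    if not account["active"]:
        return "Not At Risk"
    reset = account["last_reset"]
    # A reset on the breach date itself is not counted as "after" the breach.
    return "Not At Risk" if reset and reset > max(dates) else "At Risk"

def timeline(identifier, breaches=BREACHES):
    """Newest breach date first; same-date breaches grouped, then organized by source."""
    grouped = defaultdict(lambda: defaultdict(list))
    for b in breaches:
        if b["id"] == identifier:
            grouped[b["date"]][b["source"]].append(b["type"])
    return [(d, {s: grouped[d][s] for s in sorted(grouped[d])})
            for d in sorted(grouped, reverse=True)]

if __name__ == "__main__":
    for ident in DIRECTORY:
        print(ident, risk_status(ident), timeline(ident))
```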