Credential Compromise

The Credential Compromise page enables you to explore all breach data that we have collected based on your configured domains. While we only generate findings for active identities, as outlined in the IDR Overview, we still collect and retain historical data that we find related to your domains.

Access the Credential Compromise Page

Access the Credential Compromise page from the Taegis Menu or by clicking on a metric within the Credential Compromise widget on the Identity Risk Posture Overview. Depending on which metric you click, you will be taken to the Credential Compromise page with the following filtered view:

  • Sources takes you to the Credential Compromise page filtered by the Active leak status.
  • Plaintext Passwords takes you to the Credential Compromise page filtered by the password type of Plaintext with an Active leak status.
  • Hashed Passwords takes you to the Credential Compromise page filtered by the password type of Hashed with an Active leak status.
  • Emails takes you to the Credential Compromise page filtered by the Active leak status.
  • Unique Passwords takes you to the Credential Compromise page filtered by the Active leak status.
  • Admin Emails takes you to the Credential Compromise page filtered by admin accounts with an Active leak status.

Note

Emails and Unique Passwords are overall metrics of the underlying data, so there are no filters associated with them.

Credential Compromise Metrics

The metrics along the top of the page are the same metrics contained within the Credential Compromise Widget. It is important to note that the metrics displayed are for active breaches.

A breach is considered active in the following scenario:

  • There is an Active, Deleted, or Disabled identity within the configured Identity Providers and the last_password_change time occurred before the initial leak date.

Note

If a leak has no matching identity, it is considered inactive. These records are often related to old users and accounts that have been deleted and are no longer in use.

Metric Definitions

  • Sources — The number of active unique leak sources where data for your domains has been observed.
  • Plaintext Passwords — The number of active leaks where plaintext passwords were identified in the leak data.
  • Hashed Passwords — The number of active leaks where hashed passwords were found in the leak data.
  • Emails — The number of active unique email accounts that have been observed in the leak data.
  • Admin Emails — The number of active accounts identified as an admin that have been observed in the leak data.
  • Unique Passwords — The number of active unique passwords that have been observed in the leak data.
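
The active-breach rule and the metric definitions above, worked through as an added Python example (not Taegis code). The record shapes, the sample data, and counting each active record as one leak are assumptions; only `last_password_change` and the three identity statuses come from this page.

```python
from datetime import datetime as dt
from typing import NamedTuple

class Identity(NamedTuple):      # hypothetical shape of an identity-provider record
    status: str
    is_admin: bool
    last_password_change: dt     # field name taken from the page

class Record(NamedTuple):        # hypothetical shape of one breach record
    source: str
    email: str
    password_type: str           # "Plaintext" or "Hashed"
    password: str
    leaked: dt                   # assumed to hold the initial leak date

# Constructed sample data, not real breach data.
IDENTITIES = {
    "alice@example.com": Identity("Active", True, dt(2021, 3, 1)),
    "bob@example.com": Identity("Disabled", False, dt(2024, 6, 1)),
    "carol@example.com": Identity("Deleted", False, dt(2020, 1, 15)),
}
RECORDS = [
    Record("combolist-A", "alice@example.com", "Plaintext", "Spring2021!", dt(2022, 5, 10)),
    Record("combolist-A", "alice@example.com", "Hashed", "hash-01", dt(2022, 5, 10)),
    Record("site-B", "bob@example.com", "Plaintext", "hunter2", dt(2023, 2, 1)),
    Record("site-B", "carol@example.com", "Plaintext", "Spring2021!", dt(2023, 2, 1)),
    Record("site-C", "dave@example.com", "Hashed", "hash-02", dt(2019, 7, 4)),
]

def is_active(rec, identities=IDENTITIES):
    """Active: a matching identity exists and its password predates the leak."""
    ident = identities.get(rec.email)
    if ident is None:
        return False             # no matching identity: inactive
    return (ident.status in {"Active", "Deleted", "Disabled"}
            and ident.last_password_change < rec.leaked)

def metrics(records, identities=IDENTITIES):
    """Counts over active records only; per-record counting is an assumption."""
    active = [r for r in records if is_active(r, identities)]
    emails = {r.email for r in active}
    return {
        "sources": len({r.source for r in active}),
        "plaintext_passwords": sum(r.password_type == "Plaintext" for r in active),
        "hashed_passwords": sum(r.password_type == "Hashed" for r in active),
        "emails": len(emails),
        "admin_emails": sum(identities[e].is_admin for e in emails),
        "unique_passwords": len({r.password for r in active}),
    }
```

In the sample, bob's record is inactive because his password changed after the leak, dave's because no identity matches, and carol's still counts even though her identity is Deleted.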

Explore Breaches

Explore the data by using a combination of filters, which cover both the linked users and the breach records. In addition, there are multiple timestamps related to the records that can be used to sort the data:

  • Publish Date — When the record was originally found in the datasets
  • Leaked Date — When the record became publicly available
  • Breach Date — When the breach occurred, which may not always be available

Note

There may be multiple records for the same user in a breach. This can occur when the data has been identified within a generic breach source (i.e., combolists) or if the user appeared in the dataset multiple times. As a result, it is expected that you may see multiple records for the same user within a breach source.

View Breach Details

Select the breach source field to open the breach panel, which displays additional details of the breach record and information about the linked identity when available.

Take Actions

If you have identity-related response actions configured, you can execute response actions for any of the linked identities from within the table or breach details.

  1. Select Actions.
  2. Choose which response action you would like to execute.
  3. Follow the prompts.

Note

The Actions button is disabled if there is no matching identity found.