Beta: Credential Monitoring is currently in beta. We’re continuously expanding monitoring methods and adding new features to enhance your security posture.
What is Credential Monitoring?
Compromised credentials are among the most common initial access vectors available to attackers. ProjectDiscovery's Credential Monitoring is a continuous threat intelligence service that detects compromised credentials in malware stealer logs so that security teams can act before an account takeover happens. By continuously scanning millions of exposed credentials, the platform surfaces the exposures that pose immediate risk to your organization, employees, and customers. The beta focuses on malware stealer logs because, in our experience, they are the highest-impact source of exposed credentials. As the product evolves, we will expand monitoring to GitHub repositories, crawled web pages, and other sources to detect exposed tokens, API keys, and environment secrets.
Try Credential Monitoring Now
Start monitoring your credentials for free and see exposed credentials in real-time
Feature access by plan
Feature | Free Users | Free Business Domain Users | Enterprise Users |
---|---|---|---|
Personal email exposures | ✓ | ✓ | ✓ |
Organization-wide credential exposures | - | ✓ (Requires DNS verification) | ✓ |
View employee passwords | - | ✓ (Requires DNS verification) | ✓ |
Export data (JSON/CSV) | ✓ | ✓ | ✓ |
API access | ✓ | ✓ | ✓ |
Multi-domain monitoring | - | - | ✓ |
Priority support | - | - | ✓ |
Access Control: Viewing employee passwords is only accessible to users with Owner or Admin account types within your organization.
How It Works
Our credential monitoring system:
- Collects malware-stolen credential data from publicly accessible sources, including:
  - Telegram channels and groups where malware logs are shared
  - Leak forums and websites
  - Public repositories where malware logs are posted
- Processes and filters the data to:
  - Parse credential pairs (email:password combinations, typically recorded alongside the login URL) from malware logs
  - Extract the domain of the login URL and the domain of the email address
  - Filter for credentials matching your monitored domains
  - Remove entries that are not in a valid format
- Alerts your team when credentials matching your monitored domains are found
All credential data comes from publicly accessible sources on the internet where malware logs are shared. We do not perform any unauthorized access or hacking to obtain this information.
Important: ProjectDiscovery does not validate, test, or attempt to log in with any collected credential. We only check collected data for formatting validity; we do not verify whether credentials are active or functional.
Leak Classification and Mapping
ProjectDiscovery’s Credential Monitoring categorizes discovered credentials into three distinct types based on their relationship to your organization. Understanding these categories helps prioritize remediation efforts and assess security impact across different stakeholder groups.
Visual Data Flow
The following diagram illustrates how credential data flows through our classification system. (Diagram not reproduced in this text version.)
Leak Categories Explained
👤 My Leaks
Personal Account Exposures
- Definition: All credential exposures directly associated with the email address you are logged in with on the ProjectDiscovery platform
- Scope: Personal accounts and services where you registered with that email address
- Impact: Direct personal security risk requiring immediate attention
- Example: If you are logged in as admin@hooli.com, this view shows every malware log containing admin@hooli.com credentials
- Access: Available to all user tiers without additional verification
👥 Employee Leaks
Organizational Workforce Exposures
- Definition: All credential exposures where the login email is on your organization's domain (the part after the @), regardless of the service or platform where it was used
- Scope: Current and former employees using company email addresses on ANY platform or service
- Impact: Internal security risk affecting both organizational assets and access to external vendors
- Examples:
  - Internal company services:
    - john.doe@hooli.com → mail.hooli.com (company email)
    - sarah.smith@hooli.com → intranet.hooli.com (internal systems)
  - External / third-party services:
    - john.doe@hooli.com → github.com (code repositories)
    - sarah.smith@hooli.com → aws.amazon.com (cloud services)
    - support@hooli.com → slack.com (communication tools)
    - admin@hooli.com → dropbox.com (file sharing)
- Access: Requires domain verification for Business Domain Users; automatically available for Enterprise users
- Privacy: Employee passwords are only visible to Owner and Admin account types (see Access Control above)
🏢 Customer/User Leaks
External Customer Exposures
- Definition: All credential exposures where the domain of the login URL is under your company domain but the email address does NOT belong to an employee
- Scope: Your customers and users who have accounts on your services or platforms
- Impact: External customer security risk affecting user trust and platform security
- Examples:
  - user123@gmail.com with a login URL under hooli.com
  - customer@yahoo.com accessing services at app.hooli.com
  - buyer@outlook.com with stored passwords for shop.hooli.com
- Exclusions: Does not include employee emails (those are classified as Employee Leaks)
- Access: Available to verified Business Domain Users and Enterprise customers
- Privacy: Email addresses are shown, but passwords are never displayed, to protect customer privacy
Key Classification Distinction
Critical Understanding: The fundamental difference between Employee and Customer leaks:
- 👥 Employee Leaks are determined by the EMAIL ADDRESS: any leak where the email is on your company domain, regardless of the service it was used on
  - john@hooli.com used on GitHub ✓ Employee Leak
  - sarah@hooli.com used on AWS ✓ Employee Leak
  - admin@hooli.com used on Dropbox ✓ Employee Leak
- 🏢 Customer Leaks are determined by the SERVICE/LOGIN URL: any leak where an external email address was used on one of your company's services
  - user@gmail.com used on app.hooli.com ✓ Customer Leak
  - customer@yahoo.com used on shop.hooli.com ✓ Customer Leak
Priority Matrix for Remediation
Leak Type | Priority | Actions Required | Notifications |
---|---|---|---|
My Leaks | Critical | Immediate password reset, enable MFA | Real-time email alerts |
Employee Leaks | High | Force password resets, audit 3rd party access, security training | Dashboard alerts + email |
Customer Leaks | Medium-High | Customer notification, password reset prompts | Dashboard alerts + email |
Pro Tip: Use the leak classification to implement different response workflows. Personal and employee leaks require immediate internal action (including auditing 3rd party service access), while customer leaks may need customer communication and platform-level security enhancements.
Data Accuracy and Classification Logic
Our classification system uses pattern matching and domain analysis to categorize each finding:
- Email Domain Matching: The domain part of each email address is compared against your monitored domains
- URL Domain Extraction: The target domain is extracted from the login URL or service endpoint recorded in the log
- Duplicate Prevention: Cross-category filtering ensures employee emails do not also appear in the customer leak category
- False Positive Reduction: Multiple validation layers minimize misclassification
Important: Customer leak data shows email addresses for identification purposes but never displays the actual passwords, to maintain customer privacy and comply with data protection standards.
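The parsing steps under "How It Works" and the classification rules above can be shown end to end in one small script. The following is an added example, not ProjectDiscovery's code: it assumes stealer-log lines in the common `URL:EMAIL:PASSWORD` layout (the sample lines are constructed), drops lines that do not parse, extracts the login host and email domain, and classifies each record as a My, Employee, or Customer leak, redacting customer passwords. One point worth making explicit: "contains the company domain" must be implemented as an exact-or-subdomain match, otherwise `hooli.com.evil.net` and `nothooli.com` would be counted as your services.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed stealer-log layout: URL:EMAIL:PASSWORD. The URL contains ':' itself
# (https://), so the URL group is non-greedy and the email group may not contain
# ':' or whitespace; the password is everything after the email and may itself
# contain ':'. URLs with userinfo (https://user@host/) are not handled.
LINE_RE = re.compile(
    r"^(?P<url>\S+?):(?P<email>[^:\s@]+@[^:\s@]+\.[^:\s@]+):(?P<password>.+)$"
)


@dataclass(frozen=True)
class Finding:
    category: str            # "my", "employee" or "customer"
    email: str
    login_host: str
    password: Optional[str]  # None when redacted (customer leaks)


def host_of(url: str) -> str:
    """Lowercased hostname of a login URL; tolerates a missing scheme and a port."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """Exact or subdomain match. A substring test would accept
    'hooli.com.evil.net' and 'nothooli.com'; this does not."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (login_host, email, password) or None for an invalid line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = host_of(m.group("url"))
    if not host:
        return None
    return host, m.group("email").lower(), m.group("password")


def classify(lines: Iterable[str], monitored_domains: List[str], my_email: str) -> List[Finding]:
    """Filter to the monitored domains and classify. A record gets the highest
    matching category: my > employee > customer. Exact duplicates are dropped."""
    my_email = my_email.lower()
    findings, seen = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # invalid formatting: removed
        host, email, password = parsed
        if (host, email, password) in seen:
            continue
        seen.add((host, email, password))
        email_domain = email.rsplit("@", 1)[1]
        is_employee = any(in_domain(email_domain, d) for d in monitored_domains)
        on_our_service = any(in_domain(host, d) for d in monitored_domains)
        if email == my_email:
            findings.append(Finding("my", email, host, password))
        elif is_employee:
            findings.append(Finding("employee", email, host, password))
        elif on_our_service:
            findings.append(Finding("customer", email, host, None))  # password never shown
        # otherwise the record is unrelated to the monitored domains and is filtered out
    return findings


# Constructed sample log lines (not real stealer output).
SAMPLE_LOG = """\
https://app.hooli.com/login:user123@gmail.com:Summer2024!
https://github.com/login:john.doe@hooli.com:hunter2
https://mail.hooli.com:admin@hooli.com:p@ss:with:colons
https://intranet.hooli.com:8443/:sarah.smith@hooli.com:S3cret
shop.hooli.com:buyer@outlook.com:buyer-pass
https://hooli.com.evil.net/phish:victim@gmail.com:x
https://login.nothooli.com:someone@yahoo.com:y
not a credential line
https://app.hooli.com/login:user123@gmail.com:Summer2024!
"""


def demo() -> List[Finding]:
    return classify(SAMPLE_LOG.splitlines(), ["hooli.com"], "admin@hooli.com")


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Running the script yields five findings: two customer leaks with the password redacted, two employee leaks, and one My Leak for admin@hooli.com, while the look-alike domains, the malformed line, and the duplicate are dropped.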
Understanding Malware-Based Credential Theft
How Malware Steals Credentials
Malware (information stealers) typically harvests credentials from:
- Browser saved passwords - Chrome, Firefox, Edge, Safari stored passwords
- Application credentials - Email clients, FTP clients, messaging apps
- System credential stores - Windows Credential Manager, macOS Keychain
- Browser cookies and sessions - Active login sessions
- Cryptocurrency wallets - Wallet files and recovery phrases
- SSH/RDP credentials - Stored connection credentials
Malware Log Structure
When malware infects a system, it creates "logs" containing stolen data that may include:
- Victim's system information (OS, location, etc.)
- Stolen passwords organized by application/browser
- Cookies and session tokens
- Cryptocurrency wallet data
- Screenshots and system files
Why Some Findings Lack Detailed Metadata
Important: Not all credential exposures include complete metadata such as specific malware names, infection dates, or victim details. This happens because:
- Data Processing: Threat actors often strip identifying information before sharing logs
- Source Aggregation: Logs may pass through multiple hands before becoming publicly available
- Privacy Protection: Some sources anonymize victim information
- Technical Limitations: Malware logs don’t always contain complete metadata
Common Metadata Available
When present, malware logs may include:
- Collection date - When the malware harvested the credentials
- Geographic location - Country/region of infected system
- System information - OS version, browser versions
- Malware family - Type of stealer malware used (when identifiable)
When Metadata is Missing or “Blank”
If findings show blank or missing source information:
- The credentials still represent real exposures - treat them seriously
- Source anonymization - Information may have been stripped for privacy
- Multiple aggregation - Logs may have passed through several sources
- Technical parsing issues - Some log formats don’t parse completely
What Actions Should You Take?
When malware-exposed credentials are identified for your domain:
Recommended Actions
- Force password resets for all affected email addresses
- Enable multi-factor authentication (MFA) on all affected accounts
- Disable compromised accounts temporarily and review recent activity
- Rotate associated API keys and service account passwords
- Scan endpoints for malware infections
- Deploy endpoint protection and implement password managers
- Conduct security training to prevent future credential theft
Handling Cases with Missing Source Details
When leak sources are blank or incomplete:
- Prioritize these equally - assume they represent active threats
- Focus on remediation rather than source investigation
- Monitor affected accounts closely for suspicious activity
- Treat as confirmed malware exposure and follow full remediation steps
API Integration
Access credential monitoring data programmatically:
- Domain Leaks: GET /v1/leaks/domain - Get all malware-exposed credentials for your monitored domains
- Email Leaks: GET /v1/leaks/email - Get credential exposures for specific email addresses
- Customer Leaks: GET /v1/leaks/domain/customers - Get customer email addresses (returns only the email addresses of affected customers, not full credential exposures)
Integrate these endpoints with your security tooling to automatically trigger password resets and security reviews when new malware-based exposures are detected.
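A poller that drives password resets needs one thing the endpoint list above does not give you: a way to act only on findings that are new since the last run, so a reset is not re-fired on every poll. The following is an added example, not ProjectDiscovery's client code. Only the `/v1/leaks/domain` path comes from this page; the base URL, the `X-API-Key` header name, the `domain` query parameter, and the `email` field in the response are assumptions to be checked against the API reference. The sample response is constructed.

```python
import hashlib
import json
import os
import tempfile
import urllib.request
from pathlib import Path
from typing import Any, Callable, Dict, List, Set, Tuple

# ASSUMPTIONS (not documented on this page): base URL, API-key header name and
# query parameter. The endpoint path /v1/leaks/domain is from the page.
BASE_URL = os.environ.get("PDCP_API_URL", "https://api.projectdiscovery.io")
API_KEY_HEADER = "X-API-Key"

Record = Dict[str, Any]


def fetch_domain_leaks(api_key: str, domain: str) -> List[Record]:
    """GET /v1/leaks/domain for one monitored domain (query parameter assumed)."""
    req = urllib.request.Request(
        f"{BASE_URL}/v1/leaks/domain?domain={domain}",
        headers={API_KEY_HEADER: api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fingerprint(record: Record) -> str:
    """Stable ID for a finding that does not depend on field order or on the
    schema exposing an 'id' field."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def load_seen(path: Path) -> Set[str]:
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_seen(path: Path, seen: Set[str]) -> None:
    path.write_text(json.dumps(sorted(seen)))


def new_findings(records: List[Record], seen: Set[str]) -> Tuple[List[Record], Set[str]]:
    """Return the records not seen before and the updated seen-set."""
    fresh, updated = [], set(seen)
    for r in records:
        fp = fingerprint(r)
        if fp not in updated:
            updated.add(fp)
            fresh.append(r)
    return fresh, updated


def accounts_to_reset(records: List[Record]) -> List[str]:
    """De-duplicated, lowercased addresses to hand to the IdP for a forced reset.
    The 'email' field name is an assumption about the response schema."""
    return sorted({r["email"].lower() for r in records if r.get("email")})


def run_once(domain: str, api_key: str, state_path: Path,
             fetch: Callable[[str, str], List[Record]] = fetch_domain_leaks) -> List[str]:
    records = fetch(api_key, domain)
    fresh, seen = new_findings(records, load_seen(state_path))
    save_seen(state_path, seen)
    return accounts_to_reset(fresh)


# Constructed sample response for offline demonstration (not real API output).
SAMPLE_RESPONSE: List[Record] = [
    {"email": "john.doe@hooli.com", "url": "https://github.com/login", "source": "telegram"},
    {"email": "John.Doe@hooli.com", "url": "https://aws.amazon.com", "source": ""},
    {"email": "sarah.smith@hooli.com", "url": "https://intranet.hooli.com", "source": "forum"},
]


def demo() -> Tuple[List[str], List[str]]:
    """Two consecutive polls against the same state file: the first run returns
    the addresses to reset, the second returns nothing because nothing is new."""
    state = Path(tempfile.mkdtemp()) / "pdcp_leaks_seen.json"
    offline = lambda key, domain: SAMPLE_RESPONSE
    first = run_once("hooli.com", "dummy-key", state, fetch=offline)
    second = run_once("hooli.com", "dummy-key", state, fetch=offline)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first poll, reset:", first)
    print("second poll, reset:", second)
```

The fingerprint is the full canonicalized record rather than an `id` field, so the delta logic keeps working if the schema has no stable identifier; the trade-off is that a change to any field (for example a source being back-filled later) surfaces the finding again, which is usually the safer failure mode for a reset trigger.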