Credential Monitoring

​

What is Credential Monitoring?

Compromised credentials are one of the weakest security points and the easiest attack vector for cybercriminals. ProjectDiscovery’s Credential Monitoring is a continuous threat intelligence system that detects compromised credentials from malware stealer logs, enabling security teams to prevent account takeovers. By continuously scanning millions of exposed credentials, the platform identifies actual credential exposures that pose immediate risk to your organization, employees, and customers. We specifically focus on malware stealer logs as these have proven to be the most impactful security vulnerabilities. As we evolve this beta product, we’ll be expanding monitoring across GitHub repositories, crawled web pages, and other sources to detect exposed tokens, API keys, and environment secrets.

Try Credential Monitoring Now

Start monitoring your credentials for free and see exposed credentials in real-time

​

Feature access by plan

Feature	Free Users	Free Business Domain Users	Enterprise Users
Personal email exposures	✓	✓	✓
Organization-wide credential exposures	-	✓ (Requires DNS verification)	✓
View employee passwords	-	✓ (Requires DNS verification)	✓
Export data (JSON/CSV)	✓	✓	✓
API access	✓	✓	✓
Multi-domain monitoring	-	-	✓
Priority support	-	-	✓

​

How It Works

Our credential monitoring system:

1. Collects malware-stolen credential data from publicly accessible sources including:
   • Telegram channels and groups where malware logs are shared
   • Leaks forums and websites
   • Public repositories where malware logs are posted
2. Processes and filters the data to:
   • Parse credential pairs (email:password combinations) from malware logs
   • Extract domain and email information
   • Filter for credentials matching your monitored domains
   • Remove invalid formatted data
3. Alerts your team when credentials matching your monitored domains are found

​

Leak Classification and Mapping

ProjectDiscovery’s Credential Monitoring categorizes discovered credentials into three distinct types based on their relationship to your organization. Understanding these categories helps prioritize remediation efforts and assess security impact across different stakeholder groups.

​

Visual Data Flow

The following diagram illustrates how credential data flows through our classification system:

​

Leak Categories Explained

​

👤 My Leaks

Personal Account Exposures

• Definition: All credential exposures directly associated with your logged-in email address in the ProjectDiscovery platform
• Scope: Personal accounts and services where you used your email for registration
• Impact: Direct personal security risk requiring immediate attention
• Example: If you’re logged in as admin@hooli.com, this shows all malware logs containing admin@hooli.com credentials
• Access: Available to all user tiers without additional verification

​

👥 Employee Leaks

Organizational Workforce Exposures

• Definition: All credential exposures where the login email contains your organization’s domain, regardless of the service/platform where it was used
• Scope: Current and former employees using company email addresses on ANY platform or service
• Impact: Internal security risk affecting both organizational assets and external vendor access
• Examples:
  • Internal Company Services:
    • john.doe@hooli.com → mail.hooli.com (company email)
    • sarah.smith@hooli.com → intranet.hooli.com (internal systems)
  • External/3rd Party Services:
    • john.doe@hooli.com → github.com (code repositories)
    • sarah.smith@hooli.com → aws.amazon.com (cloud services)
    • support@hooli.com → slack.com (communication tools)
    • admin@hooli.com → dropbox.com (file sharing)
• Access: Requires domain verification for Business Domain Users; automatically available for Enterprise users
• Privacy: Only visible to Owner and Admin account types

​

🏢 Customer/User Leaks

External Customer Exposures

• Definition: All credential exposures where the login URL/domain contains your company domain, but the email address does NOT belong to employees
• Scope: Your customers and users who have accounts on your services or platforms
• Impact: External customer security risk affecting user trust and platform security
• Examples:
  • user123@gmail.com with login URL containing hooli.com
  • customer@yahoo.com accessing services at app.hooli.com
  • buyer@outlook.com with stored passwords for shop.hooli.com
• Exclusions: Does not include employee emails (those are classified as Employee Leaks)
• Access: Available to verified Business Domain Users and Enterprise customers
• Privacy: Email addresses shown, but passwords are never displayed to protect customer privacy

​

Key Classification Distinction

​

Priority Matrix for Remediation

Leak Type	Priority	Actions Required	Notifications
My Leaks	Critical	Immediate password reset, enable MFA	Real-time email alerts
Employee Leaks	High	Force password resets, audit 3rd party access, security training	Dashboard alerts + email
Customer Leaks	Medium-High	Customer notification, password reset prompts	Dashboard alerts + email

​

Data Accuracy and Classification Logic

Our classification system uses advanced pattern matching and domain analysis to ensure accurate categorization:

• Email Domain Matching: Sophisticated regex patterns identify company domains in email addresses
• URL Domain Extraction: Advanced parsing extracts target domains from login URLs and service endpoints
• Duplicate Prevention: Cross-category filtering ensures employee emails don’t appear in customer leak categories
• False Positive Reduction: Multiple validation layers minimize misclassification

​

Understanding Malware-Based Credential Theft

​

How Malware Steals Credentials

Malware (information stealers) typically harvest credentials from:

• Browser saved passwords - Chrome, Firefox, Edge, Safari stored passwords
• Application credentials - Email clients, FTP clients, messaging apps
• System credential stores - Windows Credential Manager, macOS Keychain
• Browser cookies and sessions - Active login sessions
• Cryptocurrency wallets - Wallet files and recovery phrases
• SSH/RDP credentials - Stored connection credentials

​

Malware Log Structure

When malware infects a system, it creates “logs” containing stolen data that may include:

• Victim’s system information (OS, location, etc.)
• Stolen passwords organized by application/browser
• Cookies and session tokens
• Cryptocurrency wallet data
• Screenshots and system files

These logs are then shared or sold on underground platforms, which is where we collect them from publicly accessible sources.

​

Why Some Findings Lack Detailed Metadata

​

Common Metadata Available

When present, malware logs may include:

• Collection date - When the malware harvested the credentials
• Geographic location - Country/region of infected system
• System information - OS version, browser versions
• Malware family - Type of stealer malware used (when identifiable)

​

When Metadata is Missing or “Blank”

If findings show blank or missing source information:

• The credentials are still valid threats - treat them seriously
• Source anonymization - Information may have been stripped for privacy
• Multiple aggregation - Logs may have passed through several sources
• Technical parsing issues - Some log formats don’t parse completely

​

What Actions Should You Take?

When malware-exposed credentials are identified for your domain:

​

Recommended Actions

1. Force password resets for all affected email addresses
2. Enable multi-factor authentication (MFA) on all affected accounts
3. Disable compromised accounts temporarily and review recent activity
4. Rotate associated API keys and service account passwords
5. Scan endpoints for malware infections
6. Deploy endpoint protection and implement password managers
7. Conduct security training to prevent future credential theft

​

Handling Cases with Missing Source Details

When leak sources are blank or incomplete:

• Prioritize these equally - assume they represent active threats
• Focus on remediation rather than source investigation
• Monitor affected accounts closely for suspicious activity
• Treat as confirmed malware exposure and follow full remediation steps

​

API Integration

Access credential monitoring data programmatically:

• Domain Leaks: GET /v1/leaks/domain - Get all malware-exposed credentials for your monitored domains
• Email Leaks: GET /v1/leaks/email - Get credential exposures for specific email addresses
• Customer Leaks: GET /v1/leaks/domain/customers - Get customer email addresses (returns only email addresses of customers, not full credential exposures)

For detailed API documentation and usage examples, see the API Reference.

​

Common User Questions

Q: Can all team members see our organization’s exposed credentials? A: No, credential visibility is restricted to Owner and Admin accounts only. This ensures sensitive breach data is only accessible to authorized personnel responsible for security. Q: Why can’t I see employee passwords? A: Business Domain Users can view employee passwords data after DNS verification. Only Enterprise customers can monitor multiple domains. Customer passwords are never displayed to any user tier to protect customer privacy. Q: How do I view my personal leaked credentials? A: You can automatically view all leaked credentials associated with the email address you used to sign up. Simply navigate to “My Leaks” to see any exposures linked to your personal email account - no additional verification required. Q: What breach notifications will I receive? A: All users receive email notifications when new breaches affecting their personal email are discovered. Business Domain Users (after DNS verification) and Enterprise customers also receive notifications for employee credential exposures across their organization. Q: How do I monitor my company’s domain? A: Business domain users must verify their domain via DNS TXT record to access organization-wide breach data. Without verification, you’ll only see personal email exposures. Enterprise users can verify and monitor multiple domains. Q: Are you monitoring our employees? A: No, we monitor internet-wide credential leaks and aggregate them into a comprehensive database. When you verify your domain, we filter this existing database to show only exposures related to your organization. We’re not actively monitoring your employees - we’re helping you discover credentials that are already publicly exposed across the internet. Q: How accurate is the breach data? A: We aggregate data from multiple verified sources. While false positives are possible, always verify before taking action. Q: How current is the data? A: We continuously monitor sources 24/7. New breaches typically appear within hours to days of being discovered. Q: How did these credentials get stolen? A: The credentials were harvested by malware (information stealers) that infected user devices. These malware strains steal saved passwords from browsers and applications, then upload the data to command-and-control servers where it eventually gets shared publicly. Q: Are these from phishing attacks or data breaches? A: No. Our credential monitoring specifically focuses on malware-based credential theft only. We do not track credentials from phishing campaigns or corporate data breaches. Q: Why don’t all findings show malware names? A: Malware logs don’t always contain identifying information about the specific malware strain. Additionally, logs are often processed and anonymized before being shared publicly, which strips technical details. Q: Why are some metadata fields showing as blank? A: This indicates that metadata fields (such as malware family name, collection date, geographic location, or system information) were not available in the original malware log or were stripped during processing. The credentials are still legitimate exposures that require immediate action. Q: Do you test if these credentials actually work? A: No. ProjectDiscovery does not validate, test, or attempt to login with any collected credential information. We only collect and present the data as found in publicly accessible malware logs.