leak-credentials-exposed
Leaked credentials and breach exposure
Email addresses and passwords from your domain have appeared in third-party data breaches. Here is where this data comes from, how attackers turn it into account takeover, and what to do about it.
What this means
The scanner queries breach-aggregator services for records tied to your domain. When a record includes a password, hash, or other credential material, we report it as a high-severity finding. When only metadata is exposed (email address, username, name, phone), we still report it, at medium severity, because a list of confirmed-live addresses is exactly what password spraying and targeted phishing start from.
Two important clarifications upfront:
- The breach is almost never your own. Your bookkeeping mailbox appearing in the 2012 LinkedIn dump means the user signed up for LinkedIn with their work address and LinkedIn was breached. Your systems were not compromised. The exposure still affects you, because the leaked password is often reused on services that are yours.
- Old leaks still matter. Credential dumps from a decade ago are traded daily on criminal markets. Attackers do not care about freshness. They care about whether the password still works.
Where this data comes from
Four common origins:
- Third-party service breaches. A vendor your employees use is compromised and its user database leaks. Examples in the public record: LinkedIn 2012/2021, Adobe 2013, Dropbox 2012, MyFitnessPal 2018, Yahoo 2013-14, Twitter 2022, MOVEit-affected services 2023. Not all of these carried passwords: the 2021 LinkedIn and 2022 Twitter sets were scraped profile data, the metadata-only case described above. Aggregators index these dumps and make them queryable by domain.
- Infostealer logs. Malware on a personal or work laptop harvests every saved password and session cookie from the browser and uploads it to a Telegram channel or criminal marketplace. Volume is enormous: tens of millions of new entries per month. Initial Access Brokers buy these logs in bulk and resell working accounts to ransomware affiliates.
- Paste sites and code-hosting leaks. Credentials accidentally committed to public GitHub repositories, posted to Pastebin during troubleshooting, or attached to an open Trello board.
- Combolists. Aggregations of credentials from many breaches, merged into single files (e.g. “Collection #1”; the equally famous “RockYou2021” is a password-only wordlist assembled the same way) and sold or freely distributed. The same email-password pair appears in dozens of combolists, which is why the same record keeps surfacing in scan results.
How attackers turn the data into damage
The primary attack patterns:
- Credential stuffing. A bot tries the leaked email-password pair against a curated list of services (M365, Google Workspace, banking portals, VPN gateways). Most attempts fail. The ones that succeed are the entire point. Tools like OpenBullet and SilverBullet are built for exactly this; the failure rate is acceptable to the attacker because computation is cheap.
- Account takeover (ATO). Once one account is compromised, the attacker pivots: reads the inbox for invoice templates, password reset links, and internal contacts; sets up forwarding rules so the legitimate user cannot see the abuse; uses the access to send invoice-fraud mail from a real account.
- Business Email Compromise (BEC). ATO of an executive or finance role. The attacker watches normal traffic for a few days, then injects a payment-redirection request at the right moment. Average loss per incident in FBI 2023 IC3 data: roughly $130k.
- Targeted phishing. Knowing a real employee’s name, role, and email lets the attacker craft a believable mail to colleagues, customers, or suppliers. Leaked metadata is the source material.
- Initial Access Broker pipeline. The cybercrime ecosystem is specialised. One group harvests credentials, another tests them for valid logins on enterprise targets, a third buys those access records and deploys ransomware. Your leaked credentials may move through three or more parties before being exploited.
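Detection logic for the stuffing pattern described above, as an added example that is not part of the original page and not blueredix's scanner code. It runs over a constructed sign-in log (the line format and every entry are made up for this page) and reports source IPs that try many distinct accounts roughly once each and mostly fail, together with the accounts where the attempt succeeded, which are the ones to rotate and check for takeover first.

```python
"""Credential-stuffing detection over a sign-in log.

Added example, not blueredix code. The log format (timestamp, source IP,
account, result) and every line in SAMPLE_LOG are constructed for this page;
adapt parse() to whatever your IdP, VPN or mail gateway actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 cycles through many accounts once each
# (stuffing); 198.51.100.20 is one user mistyping a password (lockout noise).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice@your-domain.example FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob@your-domain.example FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol@your-domain.example FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave@your-domain.example SUCCESS
2024-05-01T09:00:04Z 203.0.113.7 erin@your-domain.example FAIL
2024-05-01T09:00:05Z 203.0.113.7 frank@your-domain.example FAIL
2024-05-01T09:00:06Z 203.0.113.7 grace@your-domain.example FAIL
2024-05-01T09:01:00Z 198.51.100.20 heidi@your-domain.example FAIL
2024-05-01T09:01:20Z 198.51.100.20 heidi@your-domain.example FAIL
2024-05-01T09:01:40Z 198.51.100.20 heidi@your-domain.example SUCCESS
2024-05-01T09:02:00Z 192.0.2.33 ivan@your-domain.example SUCCESS
"""


def parse(log_text):
    """Return (timestamp, ip, account, result) tuples from the constructed format."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), result))
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_accounts=5, max_attempts_per_account=2.0):
    """Return {ip: {...}} for source IPs that, inside `window`, try many distinct
    accounts with roughly one attempt each and mostly fail.

    That ratio is the stuffing signature: the attacker already holds one
    candidate password per account, so there is nothing to retry. A brute force
    against one account has few accounts and many attempts; a corporate NAT
    gateway has many accounts but mostly successes.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            # Sliding window starting at event i.
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            accounts = {a for _, a, _ in chunk}
            failures = sum(1 for _, _, r in chunk if r == "FAIL")
            if (len(accounts) >= min_accounts
                    and len(chunk) / len(accounts) <= max_attempts_per_account
                    and failures * 2 >= len(chunk)):
                hits[ip] = {
                    "accounts": len(accounts),
                    "attempts": len(chunk),
                    # The successes are the accounts to rotate and to check for ATO.
                    "successes": sorted(a for _, a, r in chunk if r == "SUCCESS"),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are deliberately loose; the point is the shape of the signal (many accounts, about one attempt each, mostly failures), not a fixed number. Attackers rotate through residential proxies to dilute the per-IP view, so in production the same grouping is also worth running per ASN and per user-agent string.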
Why this matters for your domain
Even if your own infrastructure is fine, you carry the consequences:
- One reused password is enough. A shared password between LinkedIn and your VPN turns a 2012 breach into a 2026 incursion.
- MFA-fatigue and adversary-in-the-middle phishing beat basic MFA. Tools like Evilginx and Tycoon proxy real Microsoft and Google login pages and harvest the session cookie after the user approves MFA. A leaked password tells the attacker which user to target.
- Spear-phishing leverage. Knowing that accounting@your-domain.example exists, that they use SAP, and that their LinkedIn profile places them in the AP team, is enough to draft a convincing fake-CFO email.
- Audit and procurement signal. Many enterprise customer questionnaires now ask whether your domain appears in known breaches. A clean answer is a small but real sales advantage.
How to fix it
You cannot un-leak data. The remediation is layered and continuous.
Immediate (this week)
- Force password rotation for every account in the leak, prioritising privileged roles, and rotate everywhere the same password may have been reused, not only on the service that leaked it. A password set for a web form in 2014 may still be the one protecting today's VPN login.
- Enable phishing-resistant MFA: hardware keys (YubiKey, Titan) or platform passkeys. App-based push with number matching stops MFA-fatigue prompts but not an adversary-in-the-middle proxy, and plain SMS or TOTP helps less still; treat those as interim steps rather than the end state.
- Audit inbox rules, mailbox-level forwarding and OAuth grants in your mail tenant. Compromised accounts often carry hidden forwarding or delete rules set up by the attacker; revoke anything unfamiliar.
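One way to do the inbox-rule part of that audit, as an added example (not blueredix or Microsoft code): it scans a constructed sample in the shape of a Microsoft Graph messageRules response and flags the persistence patterns described above. INTERNAL_DOMAINS and SUSPICIOUS_KEYWORDS are assumptions to tune for your tenant, and the rule names and addresses are made up.

```python
"""Audit inbox rules for the persistence patterns attackers leave behind.

Added example, not blueredix or Microsoft code. RULES is a constructed sample
in the shape of a Microsoft Graph messageRules response
(GET /users/{id}/mailFolders/inbox/messageRules); only the fields used here are
included, and the names and addresses are made up. INTERNAL_DOMAINS and
SUSPICIOUS_KEYWORDS are assumptions you would tune for your tenant.
"""
INTERNAL_DOMAINS = {"your-domain.example"}
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "verification"}

RULES = [  # constructed sample
    {"displayName": "Receipts", "isEnabled": True,
     "conditions": {"subjectContains": ["receipt"]},
     "actions": {"moveToFolder": "id-receipts-folder"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "password"]},
     "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "acct.backup@mail.example"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Archive newsletters", "isEnabled": False,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "id-archive-folder"}},
]


def _recipients(actions):
    """Yield every address a rule forwards or redirects to, lower-cased."""
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(key) or []:
            yield recipient["emailAddress"]["address"].lower()


def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the list of reasons this rule deserves a human look (empty = fine)."""
    reasons = []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}

    external = [a for a in _recipients(actions) if a.rsplit("@", 1)[-1] not in internal_domains]
    if external:
        reasons.append("forwards or redirects outside the tenant: " + ", ".join(external))
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail so the owner never sees it")
    if actions.get("markAsRead") and (actions.get("moveToFolder") or actions.get("delete")):
        reasons.append("marks as read and hides, the classic BEC pattern")
    words = set()
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        words.update(w.lower() for w in conditions.get(key) or [])
    if words & SUSPICIOUS_KEYWORDS:
        reasons.append("keyed on finance/auth terms: " + ", ".join(sorted(words & SUSPICIOUS_KEYWORDS)))
    if len(rule.get("displayName", "").strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return [(displayName, isEnabled, reasons)] for every rule with findings.
    Disabled rules are reported too: attackers re-enable them later."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, internal_domains)
        if reasons:
            findings.append((rule.get("displayName", ""), bool(rule.get("isEnabled")), reasons))
    return findings


if __name__ == "__main__":
    for name, enabled, reasons in audit_rules(RULES):
        print(f"{name!r} enabled={enabled}")
        for reason in reasons:
            print("  -", reason)
```

Inbox rules are only one of three places to look. Mailbox-level forwarding (the ForwardingSmtpAddress and ForwardingAddress properties returned by Exchange Online's Get-Mailbox) and OAuth application consents in the identity provider are separate mechanisms and need their own pass; an attacker who gets a consent grant keeps reading mail after the password is rotated.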
Structural (next quarter)
- Roll out a password manager organisation-wide. Random per-service passwords are the only durable defence against credential reuse. 1Password Business, Bitwarden Teams, and the password manager built into Microsoft Authenticator and Edge are all reasonable choices.
- Migrate to passkeys wherever supported (Microsoft, Google, GitHub, GitLab, AWS, increasingly common SaaS). A breached service holds only the public key, and the credential is bound to the site's origin, so there is nothing to leak and nothing a look-alike login page can capture.
- Conditional Access / risk-based sign-in. Microsoft Entra ID and Google Workspace both let you require step-up authentication from unfamiliar geographies, impossible-travel patterns, or risky IPs. Even when a credential leaks, the unfamiliar login triggers a challenge.
- Continuous breach monitoring. Subscribe to a breach-monitoring service (Have I Been Pwned for free notifications, plus a commercial provider like SpyCloud, Constella or LeakCheck for richer data) and tie alerts to your IT ticketing system.
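The arithmetic behind the impossible-travel signal mentioned above, as an added example rather than anything from the page or from Microsoft or Google: consecutive sign-ins per account, great-circle distance between the two geo-IP positions, and the implied speed against a threshold. SIGNINS and both thresholds are constructed assumptions; the same function runs over exported sign-in logs once you map your columns onto it.

```python
"""Impossible-travel check over exported sign-in records.

Added example, not blueredix, Microsoft or Google code: the Entra ID and
Workspace risk engines do this internally, and this shows the arithmetic so
the same check can run over your own exported logs. SIGNINS is a constructed
sample; MAX_PLAUSIBLE_KMH and MIN_DISTANCE_KM are assumed thresholds.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; anything faster is not a person
MIN_DISTANCE_KM = 100.0     # ignore geo-IP jitter inside one metro area

# Constructed sample: (account, UTC timestamp, latitude, longitude, label).
# The label is only for readable output; real records carry the geo-IP result.
SIGNINS = [
    ("alice@your-domain.example", "2024-05-01T08:00:00Z", 52.52, 13.41, "Berlin"),
    ("alice@your-domain.example", "2024-05-01T09:30:00Z", 48.14, 11.58, "Munich"),
    ("alice@your-domain.example", "2024-05-01T10:00:00Z", 1.35, 103.82, "Singapore"),
    ("bob@your-domain.example", "2024-05-01T08:00:00Z", 51.51, -0.13, "London"),
    ("bob@your-domain.example", "2024-05-02T09:00:00Z", 40.71, -74.01, "New York"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (account, from_label, to_label, km, hours, kmh) for each pair of
    consecutive sign-ins by one account that implies travel faster than max_kmh.
    Two sign-ins with the same timestamp but far apart count as infinite speed."""
    by_account = {}
    for account, ts, lat, lon, label in signins:
        by_account.setdefault(account, []).append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), lat, lon, label))
    flagged = []
    for account, rows in by_account.items():
        rows.sort()
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_kmh:
                flagged.append((account, l1, l2, round(km), round(hours, 2), round(kmh)))
    return flagged


if __name__ == "__main__":
    for row in impossible_travel(SIGNINS):
        print(row)
```

Geo-IP is coarse and corporate VPN egress or mobile carriers can place a user hundreds of kilometres from where they sit, which is why the distance floor exists and why the right response to a hit is a step-up challenge rather than an outright block.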
People
- Brief the team annually: every leaked password from any personal account should be rotated everywhere it was reused. The leak does not have to be your company’s fault for the consequences to be your company’s problem.
- Test the response. A quarterly credential-leak tabletop: “an executive’s password just appeared in a stealer log — what does the next hour look like?”
How blueredix reports breach exposure
The scanner queries the LeakCheck.io aggregator for records tied to your registrable domain (the apex, e.g. your-domain.example, even if you scanned a subdomain). One finding per scan, listing:
- Number of unique email addresses affected.
- Number of records with credential material (passwords, hashes); this drives the high-severity classification.
- Top breaches by date and source, so you can prioritise the recent and severe ones first.
Severity is high when credentials are present, medium when only metadata is exposed.
We do not display the leaked passwords themselves in the report — they live with the aggregator. Your domain administrator can request the raw record details from us when starting a remediation cycle.
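The aggregation described in this section, carried out as an added example that is not the scanner's own code and does not use LeakCheck.io's real response format: RECORDS is a constructed sample of flattened aggregator rows and PRIVILEGED an assumed list of accounts to rotate first. It produces the report fields listed above, an ordering for the rotation step in "How to fix it", and a reuse signal, without ever emitting a plaintext password.

```python
"""Triage breach-aggregator records into the summary the report shows.

Added example, not blueredix's scanner and not LeakCheck.io's API format.
RECORDS is a constructed sample: one flattened row per aggregator hit with
the fields the report summarises (email, source, breach date, and whether
a password or hash came with it). PRIVILEGED is an assumed list of accounts
that should be rotated first. Plaintext passwords are never emitted, in line
with the report's own policy.
"""
from collections import Counter, defaultdict

RECORDS = [  # constructed sample; the hash is md5("password"), a well-known test value
    {"email": "bookkeeping@your-domain.example", "source": "LinkedIn", "date": "2012-05-05",
     "password": "Summer2012!", "hash": None},
    {"email": "bookkeeping@your-domain.example", "source": "Collection #1", "date": "2019-01-07",
     "password": "Summer2012!", "hash": None},
    {"email": "cfo@your-domain.example", "source": "Adobe", "date": "2013-10-04",
     "password": None, "hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"email": "it-admin@your-domain.example", "source": "stealer log", "date": "2024-03-12",
     "password": "Welcome1", "hash": None},
    {"email": "intern@your-domain.example", "source": "MyFitnessPal", "date": "2018-02-01",
     "password": None, "hash": None},
    {"email": "Intern@your-domain.example", "source": "Dropbox", "date": "2012-07-01",
     "password": None, "hash": None},
]
PRIVILEGED = {"cfo@your-domain.example", "it-admin@your-domain.example"}


def has_credential(rec):
    """True when the record carries a password or a hash, the high-severity trigger."""
    return bool(rec.get("password") or rec.get("hash"))


def summarise(records):
    """Build the report fields from raw records: unique emails, credential
    records, severity, and breaches ordered newest first."""
    emails = {r["email"].lower() for r in records}
    cred_count = sum(1 for r in records if has_credential(r))
    breaches = Counter((r["source"], r["date"]) for r in records)
    top = sorted(breaches.items(), key=lambda kv: kv[0][1], reverse=True)
    return {
        "unique_emails": len(emails),
        "credential_records": cred_count,
        "severity": "high" if cred_count else ("medium" if emails else "none"),
        "top_breaches": [(src, date, n) for (src, date), n in top],
    }


def rotation_order(records, privileged=PRIVILEGED):
    """Accounts in the order to rotate: privileged first, then those with
    credential material, then by most recent exposure."""
    latest = defaultdict(str)
    with_cred = set()
    for r in records:
        email = r["email"].lower()
        latest[email] = max(latest[email], r["date"])   # ISO dates compare as strings
        if has_credential(r):
            with_cred.add(email)
    return sorted(latest, key=lambda e: (e not in privileged, e not in with_cred,
                                         -int(latest[e].replace("-", ""))))


def reuse_signal(records):
    """Return {email: number_of_distinct_sources} where the same plaintext
    password appears in more than one source. The same password across dumps
    years apart means it was long-lived, so it is the likeliest still to work.
    The password itself is not returned."""
    sources = defaultdict(set)
    for r in records:
        if r.get("password"):
            sources[(r["email"].lower(), r["password"])].add(r["source"])
    return {email: len(s) for (email, _pw), s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    print(summarise(RECORDS))
    print(rotation_order(RECORDS))
    print(reuse_signal(RECORDS))
```

The ordering puts a privileged account with a hash-only exposure from 2013 ahead of an unprivileged account with a plaintext password from 2019; whether that is right for you depends on how your privileged roles are protected, so treat the sort key as the knob to adjust rather than a fixed rule.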
Further reading
- Have I Been Pwned — the canonical free service for breach lookup.
- Verizon DBIR 2024 — annual report; credentials remain the single most common entry vector.
- BSI guidance: Sichere Passwörter — practical password and MFA guidance from the German federal cybersecurity agency.
- NIST SP 800-63B — authoritative reference on password and MFA requirements.
- FIDO Alliance — Passkeys — the modern phishing-resistant alternative to passwords.