Breaches

The Breaches tab surfaces credentials and sensitive information that have been compromised and leaked through underground markets, dark web sources, or stealer logs. Each record represents a concrete instance of a username and password pair, an email account, or related data tied to your organization, customers, or employees.

The tab provides analysts with structured breach intelligence, allowing them to:

Export

The Export CSV feature, located at the top-right corner, allows analysts to extract breach data directly from the Dark Web Dashboard into a structured CSV file. This feature is designed for compliance officers, incident response teams, and analysts who require offline review, reporting, or integration with internal investigation tools.

By exporting breach data, organizations gain the flexibility to analyze compromised records in external BI systems, cross-reference with HR or IAM databases, or archive breach evidence as part of their digital forensics process. Once clicked, the system opens the Export CSV dialog window where users can customize the dataset to be extracted.

Export Options

  1. All Data (Default Option)

    • Exports the entire dataset of breaches visible within the organization’s dashboard.

    • Ideal for periodic full exports, comprehensive compliance audits, or data backup.

    • Ensures no breach records are missed, providing a full snapshot of exposed credentials, domains, and sources at the time of export.

  2. Filter by Date Range

    • This advanced option allows users to narrow down exported data based on specific time frames.

    • Users can define From Date and To Date fields to control the scope of exported results.

    • Example:

      • From Date: 2025-07-20

      • To Date: 2025-07-24

    • This is particularly useful for investigating breaches within a specific window such as during an active incident response period or quarterly compliance review.

Date Filters

When filtering by date, the system provides two distinct reference types to tailor the export for different use cases:

  • Breach Date: Refers to the original date when the breach occurred or was first identified on the dark web. Use this option when analyzing the historical origin of an exposure or investigating the timeline of an attack campaign.

  • Detection Date: Indicates the date when AttackMetricx detected and confirmed the compromised data through its automated dark web scanning engines. Use this option when focusing on recent detections, remediation tracking, or validating system responsiveness.

Filters Tab

As with other sections, the Breaches tab provides multiple filters to refine large datasets into manageable and actionable intelligence. Common filters such as Status and Detection Date work the same way as previously explained; this tab introduces additional breach-specific filters:

  • Compromised Devices

    • Indicates whether the leaked credentials are tied to a device that has also been flagged as compromised in the system.

    • Options:

      • Yes → The account is linked to a device already confirmed compromised.

      • No → The credential was leaked, but no related device compromise was detected.

    • This correlation helps analysts distinguish between isolated credential leaks and device-level breaches.

  • Strength (via “More” filter)

    • Filters credentials by the evaluated strength of the stolen password (Weak, Medium, Strong).

    • Useful for prioritizing accounts that are most at risk due to weak or reused passwords.

  • Data Type (via “More” filter)

    • Filters records based on the category of leaked information (e.g., credentials, personal data, corporate accounts).

    • Ensures analysts can focus on the most sensitive or business-critical data types first.

  • Tag (via “More” filter)

    • Groups credentials by organizational tags such as Possible Customer or Possible Employee.

    • This classification helps prioritize remediation actions based on whether the account belongs to staff or external users.

  • URL Domains / Email Domains (via “More” filter)

    • Breaks down exposures by domain.

      • URL Domains → The websites or services where the credential was used.

      • Email Domains → The domains of the exposed email addresses.

    • Enables targeted response, such as focusing first on corporate domains instead of third-party services.

  • Severity (via “More” filter)

    • Filters entries by the risk level assigned to each breach (Low, Medium, High).

    • Severity helps analysts triage, focusing first on high-risk exposures that may lead to critical compromise.

Information Provided in the Breaches Table

  • URL

    The website or service where the exposed credentials were used.

    This helps analysts identify which platform is affected (e.g., banking portals, corporate apps, or third-party services).

  • Email

    The username or email account tied to the breach.

    Critical for mapping ownership of the compromised account (employee vs. customer).

  • Password

    The stolen password associated with the email/username.

    Allows assessment of reused or weak credentials that pose ongoing risks.

  • Strength

    A system-generated evaluation of the stolen password’s robustness (Weak, Medium, Strong).

    Useful for prioritizing remediation: weak or medium-strength passwords may indicate higher susceptibility to brute-force or credential stuffing.

  • Tag

    Labels accounts based on context, such as Possible Customer or Possible Employee.

    This categorization helps security teams prioritize internal staff accounts before customer accounts, or vice versa depending on the incident.

  • Detection Date

    The date and time when the system identified the breached credential.

    Provides visibility into when the exposure became known, supporting incident timelines.

  • Severity

    The risk level assigned to the credential exposure (Low, Medium, High).

    Assists with triage: high-severity credentials often relate to critical systems or privileged accounts.

  • Source

    Indicates whether the credential exposure was linked to a known stealer log, dark web forum, or marketplace.

    This context allows analysts to judge the threat actor sophistication and potential distribution scale.

  • Status

    Reflects the current investigation stage of the credential record (Reviewed, Not Reviewed, Resolved, Not Resolved).

    Helps teams maintain workflow discipline and avoid overlooking entries.

    You can attach notes to each record documenting investigation steps or remediation actions, which strengthens accountability and creates a clear audit trail.

  • Details

    A quick-action column that provides deeper inspection options.

    Clicking allows analysts to open the full breach record, view related incidents, and download evidence if available.

Group By Username & Password

This feature consolidates all breach records sharing the same username–password pair into a single view. Instead of listing duplicates across different incidents, the system links them together.

Compromised Timeline (via Show): When analysts click Show on the right side of a record, the system displays a visual timeline of compromise events. The timeline is presented as a graph, making it easy to see when the same username–password pair reappears across multiple breaches. Analysts can quickly recognize persistence, repeated exposures, and peaks of underground activity rather than scanning through static lists.

Why it matters:

  • Detects credential reuse across multiple platforms, one of the biggest risks in modern cyber incidents.

  • Helps analysts see whether the same compromised password has appeared in several breaches or timeframes, signaling systemic exposure.

  • Simplifies investigations by reducing noise and presenting a clear timeline of reappearances for the same credential.
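The Export section describes pulling breach records into a CSV for offline review and cross-referencing, and the Group By view consolidates records that share a username–password pair and shows when that pair reappears. The following Python script is an added example, not part of the product or this page, that performs the same triage offline on an exported file. It assumes the CSV header mirrors the Breaches table columns (URL, Email, Password, Strength, Tag, Detection Date, Severity, Source, Status), assumes a list of corporate email domains, and uses constructed sample rows rather than real breach data. It filters by Detection Date the way the dialog's From Date / To Date fields do, groups records by a hash of the pair so the report never carries the plaintext password, and ranks unresolved employee accounts by severity, password weakness, and how many distinct sites the same pair has been seen on.

```python
import csv
import hashlib
import io
from datetime import date

# Constructed sample export. The header is an assumption that mirrors the
# Breaches table columns; none of these rows are real breach records.
SAMPLE_EXPORT = """URL,Email,Password,Strength,Tag,Detection Date,Severity,Source,Status
https://mail.example.com,alice@example.com,Summer2024!,Weak,Possible Employee,2025-07-21,High,Stealer log,Not Reviewed
https://shop.thirdparty.test,alice@example.com,Summer2024!,Weak,Possible Employee,2025-07-23,Medium,Dark web forum,Not Reviewed
https://portal.example.com,bob@example.com,x9#Qm!v2Lp8z,Strong,Possible Employee,2025-07-22,Medium,Marketplace,Reviewed
https://forum.thirdparty.test,carol@gmail.test,hunter2,Weak,Possible Customer,2025-07-10,Low,Dark web forum,Resolved
https://vpn.example.com,alice@example.com,Summer2024!,Weak,Possible Employee,2025-06-30,High,Stealer log,Not Reviewed
https://hr.example.com,dave@example.com,Winter2023,Weak,Possible Employee,2025-07-22,High,Stealer log,Resolved
"""

CORPORATE_EMAIL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
STRENGTH_RANK = {"Weak": 3, "Medium": 2, "Strong": 1}  # weaker password = more urgent


def load_export(text):
    """Parse CSV text into row dicts; Detection Date becomes a datetime.date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Detection Date"] = date.fromisoformat(row["Detection Date"])
        rows.append(row)
    return rows


def filter_by_detection_date(rows, from_date, to_date):
    """Rows whose Detection Date lies in [from_date, to_date] (ISO strings, inclusive),
    matching the dialog's From Date / To Date fields with Detection Date as reference."""
    start, end = date.fromisoformat(from_date), date.fromisoformat(to_date)
    return [r for r in rows if start <= r["Detection Date"] <= end]


def pair_key(email, password):
    """Grouping key for a username-password pair that does not carry the plaintext."""
    return hashlib.sha256(f"{email.lower()}\x00{password}".encode()).hexdigest()[:16]


def mask(password):
    """Keep the first two characters so an analyst can recognise a pattern without the secret."""
    return password[:2] + "*" * (len(password) - 2)


def is_employee(row):
    """Employee if tagged Possible Employee or the mailbox sits on a corporate domain."""
    domain = row["Email"].rsplit("@", 1)[-1].lower()
    return row["Tag"] == "Possible Employee" or domain in CORPORATE_EMAIL_DOMAINS


def group_by_pair(rows):
    """Consolidate records that share the same username-password pair (the
    dashboard's Group By view) and collect each pair's sighting timeline."""
    groups = {}
    for r in rows:
        g = groups.setdefault(pair_key(r["Email"], r["Password"]), {
            "email": r["Email"].lower(), "password": mask(r["Password"]),
            "strength": r["Strength"], "severity": r["Severity"],
            "employee": False, "resolved": True,
            "timeline": [], "urls": set(), "sources": set(),
        })
        g["timeline"].append(r["Detection Date"])
        g["urls"].add(r["URL"])
        g["sources"].add(r["Source"])
        if SEVERITY_RANK[r["Severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = r["Severity"]  # a pair is as severe as its worst sighting
        g["employee"] = g["employee"] or is_employee(r)
        g["resolved"] = g["resolved"] and r["Status"] == "Resolved"
    for g in groups.values():
        g["timeline"].sort()
    return groups


def remediation_queue(rows, from_date, to_date):
    """Employee pairs with at least one sighting in the window and any unresolved
    record, most urgent first: severity, then password weakness, then how many
    distinct sites the same pair has appeared on (credential reuse). The timeline
    is built from the full export so history outside the window is not lost."""
    start, end = date.fromisoformat(from_date), date.fromisoformat(to_date)
    queue = []
    for g in group_by_pair(rows).values():
        in_window = any(start <= d <= end for d in g["timeline"])
        if not (g["employee"] and in_window and not g["resolved"]):
            continue
        queue.append({
            "email": g["email"], "password": g["password"],
            "severity": g["severity"], "strength": g["strength"],
            "reuse_sites": len(g["urls"]), "sightings": len(g["timeline"]),
            "first_seen": g["timeline"][0].isoformat(),
            "last_seen": g["timeline"][-1].isoformat(),
            "sources": sorted(g["sources"]),
        })
    queue.sort(key=lambda q: (SEVERITY_RANK[q["severity"]],
                              STRENGTH_RANK[q["strength"]], q["reuse_sites"]),
               reverse=True)
    return queue


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print(len(filter_by_detection_date(rows, "2025-07-20", "2025-07-24")), "records in window")
    for item in remediation_queue(rows, "2025-07-20", "2025-07-24"):
        print(item)
```

On the sample data the queue lists alice first (High, Weak, seen on three distinct sites from June through July, i.e. a reused password that keeps resurfacing) and bob second (Medium, Strong, one site); carol is a customer and dave is already Resolved, so neither appears. Two caveats for anyone running this against a real export: the CSV contains plaintext passwords, so store it on encrypted media with the same access controls as the evidence it is, and share only the masked report; and when you need to confirm that an exposed password is still the user's current one, compare against the identity store through a controlled process rather than attempting logins or copying the plaintext into tickets.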
