Phishing Exposure Remediation Guide for Consumers
How to respond when your users' credentials or email addresses surface in phishing data.
For: Consumer Threat Protection APIs
Overview
SpyCloud Consumer Threat Protection recaptures credential and phishing data from criminal infrastructure before it is used to compromise your users. This guide covers how to interpret phishing signals in the API response, and what your team can do when a user's credential or email address surfaces in phishing data.
This guide is written for the teams operating SpyCloud Consumer Threat Protection: fraud, identity, risk, and security engineering teams who receive SpyCloud signals and decide what action to take for their users.
This guide covers credential and email exposure from phishing sources as they appear today in the Consumer Threat Protection APIs. The breach_category and breach_title fields that identify phishing-sourced records are available in API responses for records from 2026 onward. Historical records pre-2026 do not yet carry these fields. Searching and filtering by these fields is on the product roadmap.
What the API Returns for Phishing Records
When SpyCloud recaptures data from a phishing source, the API response includes two fields that identify it as a phishing record:
Key Fields
- breach_category: "phished" indicates the record originated from a phishing source
- breach_title: the name of the phishing kit or campaign (e.g., "Evilginx Phishing Framework", "Unknown Phishing Kit")
- phished_time: the timestamp when the phish event occurred, if the kit reported it
- severity: 5 (Email Only) or 20+ (High, indicating a plaintext credential was captured)
Field Availability Note
breach_category and breach_title are available on records from 2026 onward. Records published before 2026 do not yet carry these fields.
If your logic depends on identifying phishing-sourced records, check breach_category and breach_title where they are present (and phished_time, where the kit reported it); for older records that lack these fields, fall back to severity to decide the response.
Two Phishing Capture Types and What They Mean
Type 1: Credential Capture (severity 20+, High)
A plaintext password was submitted to a phishing page and captured by the kit. The user's credential is in criminal hands.
The API response includes a masked or unmasked password (depending on your access level). The phished_time field, when present, tells you when the capture occurred. The window between phish time and SpyCloud publish date is typically hours, not days: for leading kits like FlowerStorm, Evilginx, and Kratos 2FA, SpyCloud has published records as little as 96 minutes after the phish event.
| Action | Who / How |
|---|---|
| Force a password reset for the affected account | Your platform; triggered when your system detects the SpyCloud signal |
| Invalidate all active sessions for the account | Your platform; revoke session tokens and force re-authentication |
| Step up authentication if the user attempts to log in before reset | Challenge with a secondary factor or block until reset is complete |
| Review the account for any unauthorized activity in the window between phished_time and detection | Internal fraud or account review team |
| Consider a targeted user notification (template below) | Customer communications team |
Type 2: Phishing Target List Inclusion (severity 5, Email Only)
The user's email address was loaded into an active phishing kit. Lure delivery is likely. Whether the user submitted anything is not confirmed from this record alone.
This is an advance warning signal. The user has not yet confirmed their credential as captured, but a live campaign is targeting them. The window between target list inclusion and a High severity capture from the same kit can be short.
| Action | Who / How |
|---|---|
| Flag the account for elevated monitoring | Internal risk/fraud team |
| Watch for a follow-on High severity record from the same breach_title / source | SpyCloud API; poll or webhook-based alerting |
| Optionally notify the user to be alert for suspicious communications (template below) | Customer communications team |
| Do not force a password reset on an Email Only signal alone; save that action for a confirmed credential capture | Platform policy decision |
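The following Python ties the key fields above to the two capture types and their action tables: it classifies each record, applies the field-availability fallback for pre-2026 records that carry no breach_category, computes the phished_time-to-detection review window, and pairs a Type 2 target-list record with a later Type 1 capture from the same breach_title (the follow-on the Type 2 table says to watch for). This is an added example, not SpyCloud code; the field names are the ones this guide documents, while the `email` key, the playbook labels and the sample payloads are constructed for illustration.

```python
"""Triage phishing records from the SpyCloud Consumer Threat Protection API.

Added example, not SpyCloud's own code. Field names follow this guide
(breach_category, breach_title, phished_time, severity); the 'email' key
and the sample records at the bottom are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

SEVERITY_EMAIL_ONLY = 5   # Type 2: email loaded into a phishing kit
SEVERITY_HIGH = 20        # Type 1: plaintext credential captured (20+)

# One action list per record type, taken from the two tables above.
PLAYBOOK = {
    "credential_capture": [
        "force_password_reset",
        "revoke_sessions",
        "step_up_auth_until_reset",
        "review_activity_window",
        "notify_user",
    ],
    "target_list": [
        "elevated_monitoring",
        "watch_for_followon_high",
        "optional_notify_user",
        # deliberately no password reset on an Email Only signal
    ],
    # Pre-2026 records carry no breach_category; fall back to severity.
    "high_unknown_source": ["force_password_reset", "revoke_sessions", "review_activity_window"],
    "low_unknown_source": [],   # policy decision; nothing forced on this alone
    "not_phishing": [],         # handled by your non-phishing breach workflow
}


def parse_time(value):
    """ISO-8601 string -> aware UTC datetime, or None when absent."""
    if not value:
        return None
    if isinstance(value, datetime):
        return value
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def classify(record):
    """Return the PLAYBOOK key for one API record."""
    category = record.get("breach_category")
    severity = int(record.get("severity", 0))
    if category is None:   # field absent: record predates 2026
        return "high_unknown_source" if severity >= SEVERITY_HIGH else "low_unknown_source"
    if category != "phished":
        return "not_phishing"
    return "credential_capture" if severity >= SEVERITY_HIGH else "target_list"


def review_window_seconds(record, detected_at):
    """Seconds between phished_time and your detection: the span to review
    for unauthorized activity. None when the kit did not report a time."""
    phished = parse_time(record.get("phished_time"))
    if phished is None:
        return None
    return (parse_time(detected_at) - phished).total_seconds()


def find_escalations(records):
    """(email, breach_title) pairs where a Type 2 target-list record is
    joined by a Type 1 capture from the same kit."""
    by_key = defaultdict(set)
    for r in records:
        by_key[(r["email"].lower(), r.get("breach_title"))].add(classify(r))
    return sorted(k for k, kinds in by_key.items()
                  if {"target_list", "credential_capture"} <= kinds)


def triage(records, detected_at):
    """Per-record decisions ready to hand to the fraud/identity team."""
    return [{"email": r["email"], "type": classify(r),
             "actions": PLAYBOOK[classify(r)],
             "review_window_s": review_window_seconds(r, detected_at)}
            for r in records]


# Constructed sample payloads, not real API output.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "breach_category": "phished",
     "breach_title": "Evilginx Phishing Framework", "severity": 5},
    {"email": "alice@example.com", "breach_category": "phished",
     "breach_title": "Evilginx Phishing Framework", "severity": 20,
     "phished_time": "2026-03-01T10:00:00Z"},
    {"email": "bob@example.com", "breach_category": "phished",
     "breach_title": "Unknown Phishing Kit", "severity": 5},
    {"email": "carol@example.com", "severity": 25},                   # pre-2026 record
    {"email": "dave@example.com", "breach_category": "other-source",  # placeholder category
     "breach_title": "Example Non-Phishing Source", "severity": 20},
]

if __name__ == "__main__":
    for decision in triage(SAMPLE_RECORDS, "2026-03-01T11:36:00Z"):
        print(decision)
    print("escalations:", find_escalations(SAMPLE_RECORDS))
```

Run as a script it prints one decision per sample record and the alice escalation (target list, then a High capture from the same Evilginx source). The pre-2026 record for carol has no breach_category, so it lands in the severity-only fallback bucket rather than being silently dropped as non-phishing.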
What Phishing Can Expose Beyond Credentials
A successful phish does not always stop at a username and password. Depending on what the phishing page was designed to harvest, a single capture can include:
Authentication Data
- Usernames and plaintext passwords
- Multi-factor authentication (MFA) codes entered on the spoofed page
- Security question answers
Financial & Personal Data
- Credit card numbers
- Social Security numbers and national ID numbers
- Bank account numbers
- Other personally identifiable information submitted during the fake login flow
If your risk model needs to account for exposure beyond credentials, check which data types SpyCloud recaptured from that source: SpyCloud's breach catalog lists the full data type inventory for any given phishing source.
If Your Platform Controls User Sessions
If your platform issues and can revoke session tokens for your users (consumer banking portals, streaming platforms, loyalty programs, e-commerce accounts, and similar), your response to a High severity credential capture should include session revocation alongside the password reset.
1. Revoke Sessions
Revoke all active session tokens for the affected account.
2. Force Re-authentication
Force the user to re-authenticate with a new password before any session is re-issued.
3. Step Up Authentication
If your platform supports it, step up to a secondary factor during re-authentication.
4. Review Account Activity
Review account activity during the window between phished_time and detection for any unauthorized transactions, data access, or account changes.
On many platforms a user's session remains active after a password change unless tokens are explicitly revoked, so an attacker who already logged in with the phished password keeps access through the reset. Revoke sessions as a separate step from the password reset.
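The four steps above, as an added example that is not SpyCloud code and not any particular platform's: a minimal in-memory account store where changing the password does nothing to existing sessions, revocation is a per-user "issued before" cutoff (so it also kills sessions your table never recorded), re-authentication is refused until a new password is set and then demands a second factor, and the audit log is filtered to the phished_time-to-detection window. The token format, store layout and the audit events in `demo()` are constructed for illustration.

```python
"""Session revocation alongside a forced password reset.

Added example, not SpyCloud's code and not any particular platform's: a
minimal in-memory account store showing why revoking sessions must be a
separate step from changing the password. Token format, store layout and
the audit events in demo() are constructed for illustration.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


def _kdf(password, salt):
    # PBKDF2 keeps the example dependency-free; prefer argon2id or scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Stand-in for a platform's credential, session and audit stores."""

    def __init__(self):
        self.credentials = {}          # user -> (salt, derived key)
        self.sessions = {}             # token -> (user, issued_at)
        self.revoked_before = {}       # user -> cutoff; sessions issued earlier are dead
        self.reset_required = set()    # users who must set a new password first
        self.step_up_required = set()  # users who must present a second factor
        self.audit = []                # (user, when, event)

    def set_password(self, user, password):
        """A password change on its own leaves every existing session alive."""
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, _kdf(password, salt))
        self.reset_required.discard(user)

    def check_password(self, user, password):
        salt, key = self.credentials[user]
        return secrets.compare_digest(_kdf(password, salt), key)

    def issue_session(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now)
        return token

    def session_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, issued_at = entry
        cutoff = self.revoked_before.get(user)
        return cutoff is None or issued_at >= cutoff

    def revoke_sessions(self, user, now):
        """Cutoff-based revocation: every session issued before `now` dies,
        including ones the attacker opened with the phished password."""
        self.revoked_before[user] = now

    def respond_to_credential_capture(self, user, phished_time, detected_at):
        """Steps 1-4 from this section, in order; returns the events to review."""
        self.revoke_sessions(user, detected_at)      # 1. revoke sessions
        self.reset_required.add(user)                # 2. no session until a new password is set
        self.step_up_required.add(user)              # 3. second factor on the next login
        return self.activity_in_window(user, phished_time, detected_at)  # 4. review

    def login(self, user, password, now, second_factor_ok=False):
        """Re-authentication after the response. Returns (status, token)."""
        if user in self.reset_required:
            return ("reset_required", None)
        if not self.check_password(user, password):
            return ("bad_password", None)
        if user in self.step_up_required and not second_factor_ok:
            return ("second_factor_required", None)
        self.step_up_required.discard(user)
        return ("ok", self.issue_session(user, now))

    def activity_in_window(self, user, start, end):
        return [e for e in self.audit if e[0] == user and start <= e[1] <= end]


def demo():
    """Constructed timeline: legitimate login, attacker login five minutes
    after the phish with the stolen password, detection 96 minutes later."""
    store = AccountStore()
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    phished = t0 + timedelta(hours=1)
    detected = phished + timedelta(minutes=96)
    store.set_password("alice", "correct horse battery")
    legit = store.issue_session("alice", t0)
    attacker = store.issue_session("alice", phished + timedelta(minutes=5))
    store.audit += [("alice", t0, "login"),
                    ("alice", phished + timedelta(minutes=5), "login"),
                    ("alice", phished + timedelta(minutes=20), "payout_address_changed")]
    store.set_password("alice", "second password")   # reset alone...
    survived_reset = store.session_valid(attacker)    # ...attacker is still in
    to_review = store.respond_to_credential_capture("alice", phished, detected)
    return {"attacker_valid_after_reset_only": survived_reset,
            "attacker_valid_after_revoke": store.session_valid(attacker),
            "legit_valid_after_revoke": store.session_valid(legit),
            "events_to_review": [e[2] for e in to_review],
            "store": store, "detected": detected}
```

`demo()` shows the failure mode in one run: after the password change alone the attacker's session is still valid; after `respond_to_credential_capture` both the attacker's and the user's own sessions are dead, the user cannot log in until a new password is set, and the next login after that requires the second factor. The review list contains only the two events inside the phished_time-to-detection window, not the earlier legitimate login.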
If Your Platform Does Not Control User Sessions (Alert and Guidance Model)
If your use case is consumer dark web monitoring, where you surface exposure alerts to your users but do not directly control their sessions or credentials on third-party services, your response is guidance-based.
Your Response
- Alert the user when their email and credential appear in a phishing capture. Use the severity and breach_title from the API response to contextualize the alert (which phishing kit or campaign captured it and, where phished_time is present, when it happened).
- Provide clear, specific guidance on what the user should do on the affected platform: change their password, enable multi-factor authentication, and review recent account activity.
- If the affected credential is the same password the user may be using on your platform (or on other platforms), recommend a full password audit across accounts.
Key Consideration
Your users may be reusing the phished credential across multiple accounts. The risk is not limited to the platform that was spoofed.
Sample User Communication Templates
The following templates are starting points. Customize them for your brand, platform, and regulatory requirements. Legal and compliance review is recommended before sending any notification to users about a phishing or credential exposure event.
Template 1 — High Severity: Credential Capture (Password Reset Required)
Use when: SpyCloud has returned a High severity record for a user account, confirming a plaintext credential was captured.
Subject: [Action Required] Your account security
Hi [First Name],
We detected that your [Platform Name] login credentials may have been exposed through a phishing attack. We have taken the following steps to protect your account:
- Your password has been reset.
- Your active sessions have been ended.
To regain access to your account:
- Visit [Platform URL] and select Forgot password.
- Follow the steps to create a new password.
- We recommend enabling two-factor authentication on your account.
If you did not click on any suspicious links recently and believe this is an error, please contact our support team at [Support Contact].
Stay safe online,
[Platform Name] Security Team
Template 2 — High Severity: User-Initiated Reset (No Forced Reset)
Use when: Your platform policy does not force an immediate reset but you want to notify the user and encourage them to act.
Subject: We found your credentials in a phishing capture. Here is what to do.
Hi [First Name],
Our security monitoring detected that your email address and password appeared in data captured from a phishing attack. This means someone attempted to trick you into submitting your login credentials to a fake website.
We recommend you take these steps right away:
- Change your [Platform Name] password immediately: [Reset Link]
- If you use the same password on other accounts, change those too.
- Review your recent account activity for anything unexpected.
- Enable two-factor authentication if you have not done so: [Settings Link]
If you have any questions or need help, contact us at [Support Contact].
[Platform Name] Security Team
Template 3 — Email Only: Phishing Target List (Advance Warning)
Use when: SpyCloud has returned an Email Only record indicating the user's email was on an active phishing target list. No credential has been confirmed stolen yet.
Subject: Heads up: your email was targeted by a phishing campaign
Hi [First Name],
Our security monitoring detected that your email address was included in a list used by a phishing campaign. This means you may receive (or may have already received) emails designed to trick you into entering your login credentials on a fake website.
We have no indication that your account has been compromised. This is an early warning so you can stay alert.
Here is what to watch for:
- Emails asking you to verify your account, reset a password, or confirm a payment
- Links that look like official pages but show an unfamiliar web address when you hover over them with your cursor
- Any communication asking you to act urgently
If you receive a suspicious email, do not click any links. Report it by forwarding to [Security Email] or using the Report Phishing button in your email client.
If you would like to strengthen your account security now, you can update your password and enable two-factor authentication here: [Settings Link]
[Platform Name] Security Team
Template 4 — Dark Web Monitoring Alert (Consumer DWM Use Case)
Use when: You are providing a consumer dark web monitoring service and surfacing a phishing credential exposure to your user as part of their monitoring subscription.
Subject: Alert: your credentials were found in a phishing capture
Hi [First Name],
Your dark web monitoring has detected new activity.
What was found:
- Type: Phishing credential capture
- Date detected: [SpyCloud publish date]
- Data at risk: Email address, password
What this means: A phishing attack captured your login credentials from a website that was impersonating a legitimate service. Your email and password are now in criminal hands and may be used to attempt access to your accounts.
What to do now:
- Change the password associated with this email address on any account where you use it.
- Check your accounts for any unauthorized activity.
- Enable two-factor authentication wherever possible.
- Do not reuse this password anywhere.
Visit your monitoring dashboard for full details: [Dashboard Link]
[Product Name] Monitoring Team
For technical questions about the Consumer Threat Protection API, phishing record fields, or integration support: submit a ticket from within your SpyCloud account, or contact your SpyCloud Customer Success Manager for guidance on your specific use case and response workflows.