To get the most out of the system:

• Add all appropriate domains and subdomains owned by your company to the Watchlist.
• Add personal email addresses of key employees and executives to the Personal Email Watchlist. A verification email will be sent to the owner before monitoring begins.
• Add your contact info under Notification Preferences to receive real-time automated alerts.
• Add IP address ranges used by your organization.

Once this is complete, SpyCloud will alert you when your assets are found — no need to log in to gain value.

SpyCloud is staffed by vetted security professionals with backgrounds in Fortune 500 companies, the U.S. Department of Defense, and threat intelligence fields. Here's how your data is protected:

• All shared information is treated as confidential (TLP:RED).
• All data, including watchlist items, is encrypted.
• Multiple operational security controls (not publicly disclosed) protect your information.

SpyCloud focuses exclusively on uncovering and acting on cybercrime-related breaches — no software install required.

• Monitor domains, personal emails, and more without agent installation.
• Specialized in dark web and private forum collection.
• Results are enriched, timely, and immediately actionable.

SpyCloud uses human intelligence collection techniques to access stolen credentials and data from underground forums. Analysts validate and ingest records into a central database. Assets are then matched to your watchlist, and alerts are generated automatically when matches are found.

We detect:

• Credentials from internal & external systems (keyloggers, personal use on work devices)
• Compromised corporate credentials
• IPs, cookies, passwords, and session tokens
• Backdoors or infrastructure exposure
• Intellectual property in underground markets
• Cloud service credentials (Dropbox, Google, etc.)
• Personally identifiable information (PII)

We monitor both personal and corporate addresses for deep visibility.

Severity is calculated based on source, exploitability, and password context:

• 26: Session cookie from malware-infected device
• 25: Credential or financial data from malware
• 20: Plaintext password not from malware
• 5: Hashed passwords or sensitive data without a password
• 2: Email/username only (no password or risk context)

SpyCloud ingests hundreds of breach sources monthly — sometimes exceeding 1 billion new artifacts.

• Large orgs may receive several alerts monthly.
• Small businesses may receive new alerts every few months.

SpyCloud provides remediation steps in the alert view. General advice includes:

• Change the compromised password anywhere it’s used.
• Inform affected users and stakeholders immediately.
• Enable two-factor authentication.
• Implement a password manager for hygiene.

Questions? Use the Support button in the portal.

When you add a domain (e.g., acmeinc.com), we monitor all matching addresses, like [email protected] or [email protected] — no need to add each one individually.

Domain ownership must be verified to see breach details.

• After adding a domain, click Actions > Verify.
• Choose from 5 verification methods.
• If you can’t use automated methods, click Support to request manual verification.

Yes! You can upgrade at any time. Contact the SpyCloud team via the Support button, and we’ll help expand your scope.

Yes — many organizations monitor customer credentials to prevent fraud and identity theft. Contact [email protected] for details about our Consumer ATO Provention API and pricing.

• Private: Found in criminal forums not accessible to the public — often more urgent.
• Public: Freely available leaks from Pastebin, public forums, or P2P networks.

If we find data in private sources first, it retains its private label, even if it later becomes public.

We track:

• Breach date (when the incident occurred)
• Acquisition date (when we obtained the data)
• Public disclosure date (if known)

Timelines show:

• Acquisition date for private breaches
• Public date for public breaches

Personal emails are typically non-corporate (e.g., Gmail, Yahoo) and should be added to the Personal Email Watchlist — especially for executives.

No need to add work emails here — they’re already monitored through your Domain Watchlist.

If your domain is monitored (e.g., example.com), adding [email protected] to the personal watchlist may result in duplicate notifications.

However, if you don’t control the full domain, this can be a good way to monitor personal corporate exposure.

Yes. When we discover criminal indicators that fall outside customer scope, we coordinate with:

• Law enforcement
• National CERTs
• Industry ISACs
• Other intelligence sharing partners

Customer data is prioritized and delivered immediately. Non-customer alerts follow best-effort outreach.

SpyCloud supports common two-factor authentication apps including:

• Google Authenticator
• Microsoft Authenticator
• Duo Mobile
• Authy