Severity, Source Types
📶 Severity Overview
SpyCloud applies a normalized severity to each record in our dataset to help analysts quickly assess risk and relevance.
These scores are assigned during parsing based on multiple attributes including:
- Source type (malware, breach, combolist, etc.)
- Data fidelity (plaintext vs hashed credentials)
- Presence of behavioral indicators (e.g., session cookies, malware log context)
Why It Matters
Severity helps triage results — not all credentials are equally dangerous.
A credential from an infostealer-infected machine (severity 25) carries far more risk than one from a recycled combolist (severity 20).
📊 Severity Table
| Severity | Meaning |
|---|---|
| 2 | Email only - typically from a breach or phishing target list |
| 5 | Informational - could contain sensitive data, but no plaintext password |
| 20 | Credential with plaintext password, could contain sensitive data |
| 25 | Malware log with credentials, infected machine info, and/or behavioral signals |
| 26 | Session cookie data taken from a device infected by malware |
📚 Source Types
SpyCloud data spans multiple source types:
- Breach – Verified datasets from compromised organizations
- Combolist – Aggregated credential pairs with unknown or mixed sources
- Malware – Logs from infostealer-infected machines
- Phishing – Kits and email harvesting data
- Scraped / Exposed – Publicly accessible or misconfigured datasets
Sensitive Source Handling
Some datasets may be flagged as sensitive due to legal, geopolitical, or proprietary reasons.
These are still searchable but may have access or export controls. Examples of such sources include:
- Government domains
- Law enforcement targets
- Privately obtained HUMINT
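As an added example (not SpyCloud's own code or API client), here is a small Python triage routine that applies the severity table, source types and sensitive-source handling above to a constructed batch of records: it collapses multiple exposures of one identity to the worst one, assigns a priority and a defender action per severity, and drops records from sensitive-flagged datasets when the caller lacks export rights. The record field names, the `sensitive` flag, the action strings and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Severity values and meanings from the severity table above.
SEVERITY_MEANING = {
    2: "Email only",
    5: "Informational, no plaintext password",
    20: "Credential with plaintext password",
    25: "Malware log with credentials and infected machine info",
    26: "Session cookie data from a malware-infected device",
}

# Triage priority (1 = act first) and a defender action per severity.
# These actions are this example's assumptions, not SpyCloud guidance.
TRIAGE_RULES = {
    26: (1, "invalidate sessions, reset password, remediate infected device"),
    25: (1, "reset password, remediate infected device"),
    20: (2, "force password reset"),
    5:  (3, "review exposed fields; no credential action required"),
    2:  (4, "monitor; treat address as phishing-targeted"),
}

# Source types listed on the page (lower-cased for matching).
SOURCE_TYPES = {"breach", "combolist", "malware", "phishing", "scraped"}


@dataclass(frozen=True)
class Record:
    """Minimal record shape assumed for this example (not the SpyCloud schema)."""
    email: str
    severity: int
    source_type: str
    sensitive: bool = False  # dataset flagged for access/export controls (assumed field)


def triage(record):
    """Map one record to (priority, action); unknown severities or sources are rejected."""
    if record.severity not in TRIAGE_RULES:
        raise ValueError(f"unknown severity {record.severity}")
    if record.source_type not in SOURCE_TYPES:
        raise ValueError(f"unknown source type {record.source_type}")
    return TRIAGE_RULES[record.severity]


def worst_exposure_per_identity(records):
    """Keep only the highest-severity record for each email address."""
    worst = {}
    for r in records:
        cur = worst.get(r.email)
        if cur is None or r.severity > cur.severity:
            worst[r.email] = r
    return worst


def triage_report(records, can_export_sensitive=False):
    """Return rows (priority, email, severity, source_type, action) ordered for action.

    Records from sensitive-flagged datasets are omitted unless the caller has
    export rights, mirroring the access/export controls described above.
    """
    visible = [r for r in records if can_export_sensitive or not r.sensitive]
    rows = []
    for email, r in worst_exposure_per_identity(visible).items():
        priority, action = triage(r)
        rows.append((priority, email, r.severity, r.source_type, action))
    # Highest priority first, then higher severity, then email for a stable order.
    rows.sort(key=lambda row: (row[0], -row[2], row[1]))
    return rows


def count_by_source(records):
    """Count records per source type for a quick overview of a result set."""
    counts = defaultdict(int)
    for r in records:
        counts[r.source_type] += 1
    return dict(counts)


# Constructed sample records; addresses and values are invented for this example.
SAMPLE_RECORDS = [
    Record("alice@example.com", 20, "combolist"),
    Record("alice@example.com", 26, "malware"),
    Record("bob@example.com", 2, "phishing"),
    Record("carol@example.com", 5, "breach"),
    Record("dave@example.com", 25, "malware"),
    Record("erin@example.com", 20, "breach"),
    Record("frank@example.com", 20, "breach", sensitive=True),
]

if __name__ == "__main__":
    for row in triage_report(SAMPLE_RECORDS):
        print(row)
    print(count_by_source(SAMPLE_RECORDS))
```

Collapsing to the worst exposure per identity matters because the same address often appears in a low-severity combolist and a malware log; acting on the combolist row alone would miss the infected device. Passing `can_export_sensitive=True` makes the sensitive-flagged record visible in the report.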