Severity, Source Types
📶 Severity Overview
SpyCloud applies a normalized severity to each record in our dataset to help analysts quickly assess risk and relevance.
These scores are assigned during parsing based on multiple attributes including:
- Source type (malware, breach, combolist, etc.)
- Data fidelity (plaintext vs hashed credentials)
- Presence of behavioral indicators (e.g., session cookies, malware log context)
Why It Matters
Severity helps triage results — not all credentials are equally dangerous.
A credential from an infostealer-infected machine (severity 25) carries far more risk than one from a recycled combolist (severity 20).
📊 Severity Table
| Severity | Meaning |
|---|---|
| 2 | Email only - typically from a breach or phishing target list |
| 5 | Informational - could contain sensitive data, but no plaintext password |
| 20 | Credential with plaintext password; could contain sensitive data |
| 25 | Malware log with credentials, infected machine info, and/or behavioral signals |
| 26 | Session cookie data taken from a device infected by malware |
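As an added example (not SpyCloud's own code), the table above can drive a per-account triage queue in which each account is ranked by its highest-severity record. The `email` and `severity` field names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Severity codes and meanings copied from the severity table on this page.
SEVERITY_MEANING = {
    2: "email only",
    5: "informational, no plaintext password",
    20: "plaintext password",
    25: "malware log with credentials",
    26: "malware session cookie",
}

def triage(records):
    """Rank accounts by their highest-severity record.

    Returns (queue, unparsed): queue rows are (email, top_severity, meaning,
    record_count), worst first; unparsed holds records missing a usable
    email or integer severity so they get reviewed, not silently dropped.
    """
    by_email = defaultdict(list)
    unparsed = []
    for rec in records:
        email = (rec.get("email") or "").strip().lower()  # assumed field name
        sev = rec.get("severity")                         # assumed field name
        if not email or isinstance(sev, bool) or not isinstance(sev, int):
            unparsed.append(rec)
            continue
        by_email[email].append(sev)
    queue = []
    for email, sevs in by_email.items():
        top = max(sevs)
        meaning = SEVERITY_MEANING.get(top, "unlisted severity code")
        queue.append((email, top, meaning, len(sevs)))
    queue.sort(key=lambda row: (-row[1], -row[3], row[0]))
    return queue, unparsed

# Constructed sample records (not real SpyCloud output).
SAMPLE = [
    {"email": "alice@example.com", "severity": 20},
    {"email": "Alice@example.com", "severity": 26},
    {"email": "bob@example.com", "severity": 25},
    {"email": "carol@example.com", "severity": 2},
    {"email": "carol@example.com", "severity": 5},
    {"email": "dave@example.com", "severity": "20"},  # string, not int
    {"severity": 25},                                 # no email
]

if __name__ == "__main__":
    for row in triage(SAMPLE)[0]:
        print(row)
```
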
📚 Source Types
SpyCloud data spans multiple source types:
- Breach – Verified datasets from compromised organizations
- Combolist – Aggregated credential pairs with unknown or mixed sources
- Malware – Logs from infostealer-infected machines
- Phishing – Kits and email harvesting data
- Scraped / Exposed – Publicly accessible or misconfigured datasets
⚠️ Sensitive Source Handling
Some datasets may be flagged as sensitive due to legal, geopolitical, or proprietary reasons. These are still searchable but may have access or export controls.
- Government domains
- Law enforcement targets
- Privately obtained HUMINT