Threat Data Guide
Understanding the Four Types of SpyCloud Data Sources
About This Guide
SpyCloud recaptures identity artifacts from the criminal underground – including breach forums, dark web markets, malware logs, phishing infrastructure, and compiled credential lists. This guide explains what each category of data is, where it comes from, and – most critically – the recommended actions for your team to take.
At a Glance: The Four Data Types
🛡️ Breach Data
| Source | Third-party data breaches |
| Age | Days to weeks ahead of market |
| Primary Risk | Password reuse across systems |
| Required Response | Forced reset + reuse audit |
💻 Malware-Stolen Data
| Source | Infostealer infections on devices |
| Age | Often days old |
| Primary Risk | Active sessions + compromised device |
| Required Response | Same-day session revocation + endpoint investigation |
🎣 Phished Data
| Source | Phishing kits + targeting infrastructure |
| Age | Near real-time |
| Primary Risk | Active targeting before credentials are stolen |
| Required Response | Reset + security awareness notification |
📋 Combolists
| Source | Aggregated breaches, malware logs, ULPs |
| Age | Varies – often current |
| Primary Risk | Automated credential stuffing at scale |
| Required Response | Immediate forced reset + fraud signal review |
Type 01: Breach Data
Third-party breach records acquired by SpyCloud before they reach criminal markets.
SpyCloud typically acquires breach data days to weeks before it circulates widely on criminal marketplaces or paste sites. That window is your response opportunity – and it closes.
What It Typically Contains
- Email addresses and usernames
- Plaintext or hashed passwords (with ~90% cracked by SpyCloud)
- Security question answers
- Partial payment data, phone numbers, physical addresses
- Account metadata from the breached service
Why It Matters
- Password reuse is the primary attack vector
- Attackers automate stuffing within hours of acquiring breach data
- The window between SpyCloud acquisition and broad market release is your only lead time
- Even "changed" passwords often follow crackable patterns
Where It Comes From
When a third-party service is breached, attacker access to databases exposes all records stored by that service.
Depending on how the service stored credentials, SpyCloud may recover plaintext passwords, weakly hashed passwords (which can be cracked), or salted hashes.
The most valuable breach records contain reusable passwords – and most do.
Why It Matters for Your Organization
The password reuse problem is the core risk here.
Most people reuse passwords across personal and professional accounts.
An employee's password exposed in a breach of a consumer platform – a streaming service, a shopping site, a social network – is often the same password (or a minor variation) they use to log into your corporate systems.
Attackers know this and automate credential stuffing attempts against enterprise targets within hours of acquiring breach data.
Hidden Risk: Variants and Patterns
Even when users change passwords, they often follow predictable patterns:
- Appending a number
- Capitalizing the first letter
- Substituting characters (
pa$$word)
SpyCloud's analytics surface these patterns. A password that's "different" may not be different enough to stop an attacker using rule-based cracking.
Recommended Response
Force a password reset for all affected accounts immediately – do not rely on users to self-remediate.
| Priority | Action |
|---|---|
| 🔴 High | Check for password reuse across internal systems – SSO, VPN, admin portals, email |
| 🔴 High | Enable MFA on any accounts where it isn't already enforced |
| 🟡 Medium | If PII was exposed, follow applicable breach notification requirements |
| 🟡 Medium | Flag the breach source to security awareness |
Enabling MFA reduces credential reuse risk, but standard MFA (TOTP, push) can still be bypassed by AiTM phishing kits.
Time-to-reset: Measure how long it takes from SpyCloud alert to confirmed password change.
Type 02: Malware-Stolen Data
Credentials and session data harvested from infected devices by infostealer malware – often just hours or days old.
Malware-exfiltrated data is frequently just days old. This is not historical data – it is current exposure. Treat every malware log as an active incident until proven otherwise.
What It Typically Contains
- Passwords saved in browsers
- Active session cookies
- Browser fingerprints
- Autofill data
- VPN and desktop application credentials
- Device metadata
Why It Matters
- Session cookies bypass MFA entirely – including TOTP and push-based MFA
- Password resets do not invalidate stolen sessions
- The infected device may still be actively compromised
- Full logs often expose dozens of applications at once
Why Session Cookies Are the Critical Risk
Modern web applications authenticate via session tokens, not passwords.
When malware steals an active session cookie, an attacker can replay that cookie against the target application and gain authenticated access – without knowing the password and without triggering any MFA prompt.
This technique, known as pass-the-cookie or session hijacking, is now standard in attacker toolkits. Unlike AiTM phishing, which intercepts credentials in transit, pass-the-cookie operates entirely post-authentication – making it invisible to login-layer controls.
The Device Is the Incident
The infected device may:
- Still be infected and actively exfiltrating data
- Still have active C2 communication
- Still have access to corporate systems
- Expose additional applications not visible in the alert
Managed vs. Unmanaged Device Risk
Unmanaged and BYOD devices present a compounded risk: they fall outside your standard EDR coverage, may never be fully remediated, and can serve as persistent footholds even after credentials are reset.
It is recommended to escalate unmanaged device alerts for separate triage – do not treat them the same as managed endpoints.
Recommended Response
Revoke all active sessions immediately – a password reset alone is not sufficient. The session is the threat.
| Priority | Action |
|---|---|
| 🔴 High | Immediately revoke all active sessions |
| 🔴 High | Force a password reset |
| 🔴 High | Isolate the affected device |
| 🔴 High | Review the full malware log for additional exposed apps |
| 🟡 Medium | Escalate unmanaged/BYOD devices for separate triage |
| 🟡 Medium | Document the incident timeline |
Session revocation time: From alert to confirmed session invalidation.
Type 03: Phished Data
Credentials captured via phishing kits and targeting infrastructure – including pre-attack visibility before credentials are stolen.
Phished data creates two distinct response windows: post-phish cleanup and pre-phish prevention. Both require action.
What It Typically Contains
- Username/password pairs
- Session cookies (in AiTM attacks)
- Campaign metadata
- User targeting intelligence
- MFA codes in some attacks
Why It Matters
- AiTM phishing kits bypass MFA entirely – including TOTP and push-based MFA
- Executives are disproportionately targeted
- Stolen session cookies mean a password reset alone isn't enough
- Attacks move from phish to account access in minutes
- Pre-phish visibility enables prevention, not just cleanup
How AiTM Phishing Bypasses MFA
Adversary-in-the-middle (AiTM) phishing kits proxy the real login page in real time, capturing both the password and the MFA token as the victim enters them.
The attacker immediately replays those credentials against the real service before the session expires – bypassing MFA without the victim ever knowing.
Pre-Phish vs. Post-Phish Visibility
SpyCloud's phishing intelligence captures two distinct signals:
Pre-phish: Targeting data from phishing infrastructure – SpyCloud identifies that your employee or customer is being targeted before the phish lands. This is prevention intelligence.
Post-phish: Credentials already captured by a phishing kit – the phish has succeeded and credentials are in attacker hands. This is incident response intelligence.
Why Executives Are High-Value Targets
Executive accounts provide attackers with elevated access, financial authorization capabilities, and high-trust positions for social engineering downstream targets.
Spear-phishing campaigns targeting executives (business email compromise, vendor fraud) are among the highest-ROI attack types for criminal operators.
Recommended Response
Post-phish: treat as a confirmed compromise and reset immediately. Pre-phish: notify the user and brief security awareness before the attack lands.
| Priority | Action |
|---|---|
| 🔴 High (post-phish) | Immediately reset credentials |
| 🔴 High (post-phish) | Revoke active sessions – AiTM attacks steal cookies, not just passwords |
| 🔴 High (post-phish) | Investigate downstream account access and session activity |
| 🔴 High (post-phish) | Treat as confirmed compromise – do not wait for confirmation |
| 🟡 Medium (pre-phish) | Notify the targeted user directly |
| 🟡 Medium (pre-phish) | Brief security awareness and increase monitoring |
| 🟡 Medium (pre-phish) | Consider proactive credential rotation for targeted accounts |
| 🟢 Long-term | Evaluate passkeys/FIDO2 for high-risk and executive accounts |
Pre-phish notification rate: Percentage of targeted users notified before phishing activity occurs.
Type 04: Combolists
Aggregated credential datasets compiled from breaches, malware logs, and ULPs – formatted for immediate use in automated attacks.
Modern combolists are not the credential dumps of five years ago. Today's lists aggregate breach records, malware-stolen credentials, and ULPs into operational attack datasets.
What Modern Combolists Contain
- Historical breach credentials
- Malware-stolen credentials
- ULPs (URL:Login:Password)
- Attack-ready formatting
- Targeted credential subsets
Why ULPs Matter
Attackers already know:
- The login page
- The target service
- The credential format
- The likely authentication workflow
What Credential Stuffing Looks Like at Scale
Modern stuffing operations run millions of credential attempts across multiple targets simultaneously.
Attackers use residential proxies, distributed infrastructure, and low-and-slow authentication patterns to evade detection.
How ULPs Accelerate Attacks
A URL:Login:Password entry is not just a credential – it's a ready-made attack instruction. The attacker knows exactly which login endpoint to target, which credential format to submit, and which service they're attacking.
ULP-formatted combolists reduce attack setup time to near zero and enable highly targeted stuffing campaigns against specific applications.
Why Combolist Exposure Is Harder to Detect
Unlike a breach with a known source, combo lists aggregate credentials from multiple origins. Your affected users may not appear in any single identifiable breach – making it harder to scope the exposure or trace the credential source.
SpyCloud surfaces combolist matches regardless of origin, giving you actionable exposure data even when the root breach is unknown.
Recommended Response
Force resets and correlate with authentication logs – stuffing attempts may already be in progress.
| Priority | Action |
|---|---|
| 🔴 High | Force resets for all affected accounts |
| 🔴 High | Review authentication logs for stuffing patterns |
| 🔴 High | Correlate with WAF and bot detection activity |
| 🟡 Medium | Review downstream fraud indicators |
| 🔴 Critical | Escalate immediately if ULPs target your application directly |
Stuffing attack detection lag: Time between combolist exposure and authentication anomaly detection.
Response Framework: Speed by Data Type
| Data Type | Response Window | First Action | What Happens If You Delay |
|---|---|---|---|
| Breach Data | Days to weeks | Force password reset | Credential stuffing begins |
| Malware-Stolen Data | Hours to days | Revoke active sessions | Session replay + active compromise |
| Phished Data (post-phish) | Hours | Reset + revoke sessions | Account takeover + lateral movement |
| Phished Data (targeting) | Before attack | Notify + brief user | Phish lands without warning |
| Combolists | Immediate | Forced reset + fraud audit | Automated credential stuffing |
Questions? Contact your SpyCloud CSM or log in to submit a support ticket.
Updated about 21 hours ago