Understanding IDLink
WITHIN SPYCLOUD INVESTIGATIONS MODULE – AVAILABLE ON PRO & CORE LICENSES
What is SpyCloud IDLink?
IDLink™ connects the dots between personal and corporate identities to uncover hidden risks.
Built into the SpyCloud Investigations ecosystem, it maps identity relationships using recaptured data from the criminal underground — helping organizations understand how exposed personal data can lead to corporate compromise.
IDLink supports deeper correlation, actor attribution, and exposure analysis across multiple selectors.
🔍 How SpyCloud IDLink Works
IDLink leverages SpyCloud’s recaptured data — including breach, malware, and infrastructure data — to map identity relationships using graph-based logic.
🔑 Key Capabilities
- Cross-identity correlation: Link personal and work email addresses, usernames, and passwords to the same individual
- Password reuse detection: Detect when personal and corporate credentials share the same password or variations
- Actor profiling: Build a profile of an identity across multiple exposures
- Malware victim overlap: Detect if personal and corporate identities were exposed on the same infected device
- Pivoting: Move across selectors (email, phone, SSN, machine ID, etc.) to uncover deeper identity links
🧭 How IDLink Works
IDLink starts with a selector and performs behind-the-scenes pivots to uncover identity connections.
1. Start with a Selector
Initiate your query with any of the following:
- Email address
- Username
- Phone number
These are known as query selectors.
2. Pivot Behind the Scenes
IDLink automatically performs pivots on related identity fields, including:
- Backup emails
- Social handles
- Machine IDs
- SSNs
- Passport numbers
- National IDs
- Log IDs
- Bank account numbers
If your query email appears in a breach that contains a phone number, IDLink will pivot to data linked to that phone number – and continue exploring additional relationships.
🔁 Pivot Depth Explained
The depth level controls how many rounds of pivoting IDLink performs.
| Depth | What It Does | Best For | 
|---|---|---|
| Depth 1 | Only returns direct matches to your query (no pivots) | Quick lookups based on known data | 
| Depth 2 | Pivots once using high-confidence fields (e.g., password, SSN, machine ID) | ✅ Recommended starting point | 
| Depth 3 | Additional pivots on Depth 2 results | Deeper investigations | 
| Depth 4 | Full graph traversal through all Depth 3 connections | Comprehensive profiling; large datasets | 
SpyCloud applies internal scoring logic to rank confidence and remove weak links from your results.
🧠 What’s Happening Behind the Scenes
Under the hood, IDLink uses a proprietary graph-based algorithm to intelligently explore identity connections.
Behind-the-Scenes Process:
- The selector (email, username, phone) is queried across SpyCloud’s dataset
- Matching records are scanned for pivot fields (e.g., SSNs, machine IDs, social handles)
- Additional queries are performed on those fields to pull related records
- Each record is modeled as a node; shared fields become edges
- Edges are weighted based on confidence (e.g., shared SSN > shared device)
- Irrelevant or low-confidence connections are discarded
- This spidering process continues until:
  - The selected depth level is reached
  - No new relevant links are found
  - Duplication or noise is detected
 
This allows IDLink to build a context-rich identity graph without overwhelming the user with extraneous data.
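The following sketch is an added example, not SpyCloud's proprietary algorithm or code: it shows a depth-limited pivot over records in which shared fields act as weighted edges and low-confidence links are dropped. The records, field names, weights, `min_weight` threshold and the function name `pivot_graph` are all constructed assumptions.

```python
# Constructed sample records; every field name and value is illustrative only.
RECORDS = [
    {"id": "r1", "email": "a.doe@example.com", "phone": "555-0100"},
    {"id": "r2", "email": "adoe@corp.example", "phone": "555-0100", "machine_id": "M-1"},
    {"id": "r3", "username": "adoe77", "machine_id": "M-1", "ssn": "000-00-0001"},
    {"id": "r4", "email": "other@example.net", "ssn": "000-00-0001"},
    {"id": "r5", "email": "noise@example.org", "social": "@shared_handle"},
    {"id": "r6", "email": "a.doe@example.com", "social": "@shared_handle"},
]
# Assumed confidence weights per pivot field (the page only says SSN > device).
WEIGHTS = {"ssn": 0.9, "phone": 0.7, "machine_id": 0.6, "social": 0.3}
SELECTOR_FIELDS = ("email", "username", "phone")

def build_index(records):
    """Map (field, value) -> ids of the records that carry that value."""
    index = {}
    for rec in records:
        for field, value in rec.items():
            if field != "id":
                index.setdefault((field, value), []).append(rec["id"])
    return index

def pivot_graph(selector, depth, records=RECORDS, min_weight=0.5):
    """Return ({record_id: depth_found}, [(src, dst, field, weight), ...])."""
    index = build_index(records)
    by_id = {rec["id"]: rec for rec in records}
    # Depth 1: direct matches on the query selector, no pivots.
    frontier = sorted({rid for f in SELECTOR_FIELDS
                       for rid in index.get((f, selector), [])})
    visited = {rid: 1 for rid in frontier}
    edges = []
    for level in range(2, depth + 1):
        next_frontier = []
        for rid in frontier:
            for field, weight in WEIGHTS.items():
                value = by_id[rid].get(field)
                if value is None or weight < min_weight:
                    continue  # no pivot value, or link too weak to follow
                for other in index[(field, value)]:
                    if other not in visited:  # skip duplicates
                        visited[other] = level
                        edges.append((rid, other, field, weight))
                        next_frontier.append(other)
        if not next_frontier:  # no new relevant links: stop early
            break
        frontier = next_frontier
    return visited, edges
```

With the constructed data, record `r5` is reachable only through the low-weight `social` field, so it stays out of the graph at every depth unless `min_weight` is lowered.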