Breaches

HackedList.io Portal: Breaches

Data available in Portal

Credentials

Credentials are available upon opening the specific record by clicking it. All credentials displayed in the Portal come directly from devices infected by infostealer malware. More specifically, these credentials have been saved on-device by the user and later extracted by the malware. We provide them "as-is"; their validity depends on several factors (most importantly, the Infection time and whether the correct credentials were saved on the device in the first place).

We advise you to verify the validity of the credentials yourselves, or to request support from us using the Request investigation functionality (see below).

Domain

Full URL associated with the username and password.

Username

Username extracted from the saved passwords cache on the infected device.

Password

Password extracted from the saved passwords cache on the infected device.

Id

Our internal ID of the record. If you have any questions about a specific record, always refer to it by this unique identifier when communicating with us.

Status

Can be either New or Resolved. You can change the status of the record from New to Resolved yourself, for example after resetting that user's password and finishing the breach investigation.

Ip

IP address of the infected device. Availability of this information depends on the type of malware that the device was infected with, because not all malware types report it. If we've been able to extract it, it is shown.

Dataset

There are two main types of datasets you can encounter in our system:

Local

The full record is already saved in our database, which means that the username, password and all details are available. For this type of record, you can request our help with investigation (with the Request investigation button).

Market

We've detected that data related to your monitored domain are being traded online on a darknet market. However, in order to provide you with full details about the breach, the data first have to be retrieved from the market (you can request this with the Obtain breach details button).

Internally, we also track the specific source of the record, i.e. which Telegram channel or darknet forum thread it comes from. This information is available upon request.

Country

Country of origin of the infected device. Availability of this information depends on the type of malware that the device was infected with, because not all malware types report it. If we've been able to extract it, it is shown.

Infection time

Date and time when the device was infected with the infostealer malware. Only available if the malware type used reports it.

Index time

Date and time when we first discovered the record. It does not always correspond to the Infection time, as there might be a delay (sometimes hours, sometimes years) between the time the device is infected and the time the data extracted from it are made available on the darknet.

Index time is always available.

Filtering

Index time

Allows you to filter results based on Index time.

Infection time

Allows you to filter results based on Infection time.

Verification level

Verified domains

Select this filter to show only breaches related to domains you have verified your ownership of.

Unverified domain

Select this filter to show anonymized results related to domains that you haven't verified your ownership of yet.

Supplier domains

Supplier domains are coming soon

This functionality is currently under development and will be available soon for all paying users.

Select this filter to show only breaches related to domains of your suppliers / partners.

Breach type

We distinguish between two types of breaches: Domain and Login.

Domain

This filter displays breaches where a user with any username accessed one of your monitored domains (like vpn.example.com, if your monitored domain is example.com).

This might be either your own client / customer or an internal employee, depending on the service they are accessing.

Login

This filter displays breaches where a user with a username that includes one of your monitored domains (like [email protected], if your monitored domain is example.com) accessed any website, be it one of yours or a third party's.

Unless you are a public e-mail service provider, users using your domain as part of their username tend to be associated with your organization, i.e. employees.

Depending on your organization's policy, it might be against the rules to use a company e-mail address at third-party services. Further, users tend to reuse passwords across different services, which might pose further risk to your organization.

Status

You can track whether the breach is resolved (i.e. you changed that user's password and reinstalled their computer) using the Status feature, as described above.

New

All breaches are labeled as New when added and remain in this state unless you manually change them to Resolved.

Resolved

You can see all Resolved breaches by selecting this filter.

Dataset

You can use this filter to distinguish between Local and Market breach types. The difference is described above.

Local

Use this filter option to see all breaches of the Local type. With this breach type, you'll see all details we have in our database and you can request our help with investigation.

Market

Use this filter option to see only breaches that we detected on darknet marketplaces. This means we currently don't have all details for them and have only detected that such details are for sale online. You can let us obtain the breach details using the Obtain breach details button.

You can further filter the Market breaches using the Market purchase status filter (see below).

Investigation

You can request our help with investigating the breach using the Request investigation button. After that, you can use these filters to distinguish between breaches you have already requested an investigation for and those you have not.

Investigations are coming to Portal soon

Currently, investigation reports are delivered to you by e-mail or another specified communication channel. However, we are working on making them accessible directly from the Portal.

Requested

Use this filter option to see all breaches you have requested our help with investigation for.

Not requested

Use this filter option to see all breaches you have not requested our help with investigation for yet. All breaches are in this category by default, until you use the Request investigation functionality.

Market purchase

You can track whether or not you have already requested that we obtain the breach details from the darknet marketplace using the Market purchase filter.

Purchased

Use this filter option to see only breaches of the Market type that we have already successfully obtained for you from darknet marketplaces. Once obtained, you'll be notified by e-mail and the purchased Market breach will have an associated Local breach record with all available details (like affected credentials).

Requested

Use this filter option to see only breaches of the Market type you asked to obtain from darknet marketplaces.

Not requested

Use this filter option to see only breaches of the Market type you have not yet requested obtaining from darknet marketplaces.

Available actions

Export into CSV

You can easily export all details from the Portal to a CSV file for further processing. Use the Export button in the upper right corner.

The CSV file you are able to download has the following structure and includes exactly the same information you can see in the Portal:

"id","ip","dataset","country","infection_time","index_time","domain","username","password","url"
X-XXXXXXX,,"market","CZ",,"YYYY-DD-MMT00:00:00+00:00","example.example.com",,,
"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","123.123.123.123","local","CZ",,"YYYY-DD-MMT00:00:00+00:00","example.example.com","john.doe","example_password","https://example.example.com/admin/login.php"
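
A triage pass over this export, as an added example (not HackedList.io's own code): it labels each row with the Domain / Login breach type and the Local / Market dataset described above, and reports whether a password is present without copying it. The monitored domain list, the function names and all sample rows are constructed; timestamps are treated as opaque strings because the page shows only a placeholder format.

```python
import csv
import io

# Constructed sample in the export's column layout; every value is made up.
SAMPLE_EXPORT = '''"id","ip","dataset","country","infection_time","index_time","domain","username","password","url"
M-0000001,,"market","CZ",,"2024-01-01T00:00:00+00:00","vpn.example.com",,,
"11111111-1111-1111-1111-111111111111","192.0.2.10","local","CZ","2024-01-01T08:15:00+00:00","2024-02-02T00:00:00+00:00","vpn.example.com","john.doe","constructed-pw-1","https://vpn.example.com/login"
"22222222-2222-2222-2222-222222222222",,"local","DE",,"2024-03-03T00:00:00+00:00","shop.thirdparty.test","jane@example.com","constructed-pw-2","https://shop.thirdparty.test/account"
'''

def host_matches(host, monitored):
    """True if host equals a monitored domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in monitored)

def breach_types(row, monitored):
    """Map a row to the Domain / Login breach types; a row can be both."""
    types = []
    if host_matches(row["domain"], monitored):
        types.append("domain")
    user = row["username"]
    if "@" in user and host_matches(user.rsplit("@", 1)[1], monitored):
        types.append("login")
    return types

def triage(csv_text, monitored):
    """Return one summary per record; the password itself is never copied."""
    monitored = [d.lower() for d in monitored]
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out.append({
            "id": row["id"],
            "dataset": row["dataset"],
            "types": breach_types(row, monitored),
            "account": row["username"] or None,
            "has_password": bool(row["password"]),
            "infection_time_known": bool(row["infection_time"]),
            # Market rows carry no credentials until the details are obtained.
            "next_step": "obtain-details" if row["dataset"] == "market" else "reset-password",
        })
    return out

if __name__ == "__main__":
    for item in triage(SAMPLE_EXPORT, ["example.com"]):
        print(item)
```

Matching on a leading dot keeps look-alike hosts such as notexample.com out of the results for example.com.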

Request investigation

For Local type breaches, you have the option to request support from our team with the investigation of how exactly the breach happened and what impact it has. You can request our help with the Request investigation button.

The price of the investigation is subject to your pricing plan.

Obtain breach details

For Market type breaches, you have the option to ask our team to obtain the complete breach details for you from the darknet marketplace they have been advertised on. You can request this action using the Obtain breach details button.

The number of free darknet marketplace purchases per month and the cost of additional ones are subject to your pricing plan.

Possible values:
- yes - value should be available after purchase
- no - not available even after purchase
- maybe - this is not known; we can only be sure after purchasing the record

Data available in investigation report

If available, we will provide you with the following information:

  • Complete information about the infected computer, like hostname and installed software
  • Name of the malware used during the attack
  • Source of the infection (if identifiable)
  • Company credentials that have been affected by the breach and our assessment of impact of their potential misuse
  • Whether the user had access to VPN or other remote-access service
  • And more, depending on the data being available.