Exposure intelligence
A leaked password isn’t the end — it’s the start of the attack
Billions of credentials sit in public breach dumps. Attackers don’t "hack" — they replay leaked logins until one works. Understand the chain, check your exposure, and shut it down.
- Based on HIBP, IBM & Verizon data
- Vendor-neutral
- Updated 2026
What is a data breach
A breach isn’t always a "hack". Often it’s just a reused password.
A data breach is any incident where data is accessed or disclosed without authorisation — and the most common fallout is leaked login credentials.
A data breach is the unauthorised access, disclosure or loss of data. It can be a sophisticated intrusion — but very often it’s a misconfigured database, a phishing victim, or a third-party service that gets compromised and dumps its user table online.
The single most valuable thing in most breaches is credentials: email-and-password pairs. Because people reuse passwords, one leak from a forgotten forum can unlock someone’s email, bank or company account years later.
This is why a breach is a chain, not an event: leak → aggregation into combolists → automated credential stuffing → account takeover. breachmonitor walks each link — and how to break it.
What gets exposed
Not all leaked data is equal
Different data types create different risks. Knowing what leaked tells you what to do first.
- PASSWORD
Login credentials
Email-and-password pairs are the crown jewels of a breach. Reused anywhere, they enable credential stuffing and account takeover across unrelated services.
- PII
Personal data
Names, addresses, phone numbers and dates of birth fuel targeted phishing, SIM-swapping and identity fraud — and they can’t be "changed" like a password.
- TOKEN
Session tokens & keys
Leaked session cookies, API keys or auth tokens can let an attacker in without a password at all, sometimes bypassing multi-factor authentication.
- FINANCE
Financial details
Card numbers and banking data enable direct fraud. Even partial data (last four digits, expiry) strengthens social-engineering and vishing attacks.
What to do first
Triage a leak by what it exposes
When you learn you’re in a breach, the exposed data type sets the urgency.
- Act now
Password leaked & reused
A password you use elsewhere is in the dump. Change it everywhere it’s reused and enable MFA immediately.
Signal: Credentials + reuse → account takeover risk
- This week
No MFA on key accounts
Email, banking and work accounts without a second factor are one leaked password away from takeover. Turn on MFA.
Signal: Single factor on high-value accounts
- Planned
Personal data exposed
PII can’t be reset, so treat it as permanent: expect targeted phishing and verify unusual requests independently.
Signal: PII leaked — phishing & identity risk
- Monitor
Old or already-rotated data
Data from an account you’ve since secured or closed. Keep monitoring in case it resurfaces in new combolists.
Signal: Historic data — low immediate risk
Free tool
How exposed are you?
Tick the risk factors that apply to you. The meter estimates your credential-exposure level and tells you what to fix first — nothing is sent anywhere.
Your exposure
0/100 exposure
Low exposure — keep it up
You’re following the fundamentals. Keep unique passwords, MFA everywhere, and a monitoring alert so a future leak doesn’t change that.
Moderate exposure
A leak could reach one or two accounts. Prioritise a password manager for unique passwords and turn on MFA for your email and banking first.
High exposure
Several factors compound here — a single breach could cascade. Stop reusing passwords, enable MFA on every important account, and check where your email has already leaked.
Critical exposure
You’re one leaked password from account takeover. Change reused passwords now, enable MFA everywhere, close old accounts, and set up breach monitoring today.
An awareness aid, not a security audit — it estimates exposure from common risk factors and doesn’t inspect your accounts.
The numbers
The scale of exposure
Leaked credentials aren’t rare events — they’re a standing, industrial-scale supply.
Each figure links to its primary source. Numbers are approximate and updated as new reports are published.
For security teams
Your employees’ passwords are leaking on services you don’t control
Corporate credentials show up in breaches of unrelated third-party sites, then get replayed against your VPN, email and SSO. Monitoring closes that window.
Under the EU GDPR, a personal-data breach likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it — making fast breach detection a legal necessity, not just good practice.
-
Monitor for leaked credentials
Continuously check whether corporate emails and passwords appear in new breaches and combolists — before attackers try them against you.
-
Enforce MFA and unique passwords
Credential stuffing only works on reused, single-factor logins. MFA and a password policy break the chain at scale.
-
Reduce your leaked attack surface
Exposed session tokens, API keys and forgotten accounts widen the blast radius. Find and retire them.
-
Have a response plan
GDPR’s 72-hour clock starts at awareness. Detection, containment and notification need to be rehearsed, not improvised.
Guides
Go deeper
Plain-English explainers on how leaks turn into attacks — and how to respond.
-
What is a data breach? Types, causes and consequences
A data breach is any unauthorised access to data. Here’s how they happen, what gets exposed, and why leaked credentials cause the most damage.
Read guide -
Credential stuffing: how one leaked password becomes account takeover
Attackers don’t guess passwords — they replay leaked ones. Here’s how credential stuffing turns an old breach into a hijacked account.
Read guide -
What to do after a data breach: a step-by-step response
Found out you’re in a breach? Here’s the order to act in — from the leaked password to monitoring for what comes next.
Read guide
Frequently asked questions
Short, clear answers
What is a data breach?
A data breach is any incident where data is accessed, disclosed or lost without authorisation. It ranges from a targeted intrusion to a misconfigured database left open online. The most commonly leaked and abused data is login credentials.
What is a credential leak?
A credential leak is the exposure of usernames and passwords, usually as a result of a breach. Leaked credentials are aggregated into "combolists" and used in automated attacks against other services. See how credential stuffing works →
How do I know if my data has been breached?
Free breach-notification services let you check whether your email address appears in known breaches. For ongoing coverage, use monitoring that alerts you when your data shows up in a new leak, so you can react before attackers do.
What should I do if I’m in a breach?
Change the affected password everywhere you reused it, enable multi-factor authentication on important accounts, and watch for phishing that references the leaked data. Follow the full response steps →
Why is password reuse so dangerous?
Because attackers assume it. When one site leaks your password, bots automatically try the same email-and-password pair on email providers, banks and social networks. A unique password per site contains the damage to that one account.
Does multi-factor authentication stop credential leaks?
It doesn’t stop the leak, but it usually stops the takeover: a leaked password alone isn’t enough to log in. MFA is the single most effective defence against credential stuffing, though leaked session tokens can sometimes bypass it.
How do organisations monitor for leaked credentials?
They continuously match their domains and employee accounts against breach and combolist data, and alert or force a password reset on a match. Services such as OffSeq Breach and Threat Radar automate this.