breachmonitor

Exposure intelligence

A leaked password isn’t the end — it’s the start of the attack

Billions of credentials sit in public breach dumps. Attackers don’t "hack" — they replay leaked logins until one works. Understand the chain, check your exposure, and shut it down.

  • Based on HIBP, IBM & Verizon data
  • Vendor-neutral
  • Updated 2026

What is a data breach

A breach isn’t always a "hack". Often it’s just a reused password.

A data breach is any incident where data is accessed or disclosed without authorisation — and the most common fallout is leaked login credentials.

A data breach is the unauthorised access, disclosure or loss of data. It can be a sophisticated intrusion — but very often it’s a misconfigured database, a phishing victim, or a third-party service that gets compromised and dumps its user table online.

The single most valuable thing in most breaches is credentials: email-and-password pairs. Because people reuse passwords, one leak from a forgotten forum can unlock someone’s email, bank or company account years later.

This is why a breach is a chain, not an event: leak → aggregation into combolists → automated credential stuffing → account takeover. breachmonitor walks each link — and how to break it.

What gets exposed

Not all leaked data is equal

Different data types create different risks. Knowing what leaked tells you what to do first.

  1. PASSWORD

    Login credentials

    Email-and-password pairs are the crown jewels of a breach. Reused anywhere, they enable credential stuffing and account takeover across unrelated services.

  2. PII

    Personal data

    Names, addresses, phone numbers and dates of birth fuel targeted phishing, SIM-swapping and identity fraud — and they can’t be "changed" like a password.

  3. TOKEN

    Session tokens & keys

    Leaked session cookies, API keys or auth tokens can let an attacker in without a password at all, sometimes bypassing multi-factor authentication.

  4. FINANCE

    Financial details

    Card numbers and banking data enable direct fraud. Even partial data (last four digits, expiry) strengthens social-engineering and vishing attacks.

What to do first

Triage a leak by what it exposes

When you learn you’re in a breach, the exposed data type sets the urgency.

  • Act now

    Password leaked & reused

    A password you use elsewhere is in the dump. Change it everywhere it’s reused and enable MFA immediately.

    Signal: Credentials + reuse → account takeover risk

  • This week

    No MFA on key accounts

    Email, banking and work accounts without a second factor are one leaked password away from takeover. Turn on MFA.

    Signal: Single factor on high-value accounts

  • Planned

    Personal data exposed

    PII can’t be reset, so treat it as permanent: expect targeted phishing and verify unusual requests independently.

    Signal: PII leaked — phishing & identity risk

  • Monitor

    Old or already-rotated data

    Data from an account you’ve since secured or closed. Keep monitoring in case it resurfaces in new combolists.

    Signal: Historic data — low immediate risk

Free tool

How exposed are you?

Tick the risk factors that apply to you. The meter estimates your credential-exposure level and tells you what to fix first — nothing is sent anywhere.

Tick everything that’s true for you

Your exposure

0/100 exposure

Low exposure

Low exposure — keep it up

You’re following the fundamentals. Keep unique passwords, MFA everywhere, and a monitoring alert so a future leak doesn’t change that.

Moderate

Moderate exposure

A leak could reach one or two accounts. Prioritise a password manager for unique passwords and turn on MFA for your email and banking first.

High

High exposure

Several factors compound here — a single breach could cascade. Stop reusing passwords, enable MFA on every important account, and check where your email has already leaked.

Critical

Critical exposure

You’re one leaked password from account takeover. Change reused passwords now, enable MFA everywhere, close old accounts, and set up breach monitoring today.

Check your credentials with OffSeq Breach

An awareness aid, not a security audit — it estimates exposure from common risk factors and doesn’t inspect your accounts.

The numbers

The scale of exposure

Leaked credentials aren’t rare events — they’re a standing, industrial-scale supply.

14B+
compromised accounts are indexed by Have I Been Pwned — most people appear in at least one.
Source: Have I Been Pwned, 2024
~10B
passwords were compiled in the 2024 "RockYou2024" leak — the largest password compilation ever seen.
Source: Cybernews, 2024
$4.88M
was the global average cost of a data breach in 2024 — a record high.
Source: IBM Cost of a Data Breach, 2024
~258 days
was the average time to identify and contain a breach — long enough for leaked credentials to be used many times.
Source: IBM Cost of a Data Breach, 2024

Each figure links to its primary source. Numbers are approximate and updated as new reports are published.

For security teams

Your employees’ passwords are leaking on services you don’t control

Corporate credentials show up in breaches of unrelated third-party sites, then get replayed against your VPN, email and SSO. Monitoring closes that window.

Under the EU GDPR, a personal-data breach likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it — making fast breach detection a legal necessity, not just good practice.
GDPR Article 33 · EUR-Lex
  • Monitor for leaked credentials

    Continuously check whether corporate emails and passwords appear in new breaches and combolists — before attackers try them against you.

  • Enforce MFA and unique passwords

    Credential stuffing only works on reused, single-factor logins. MFA and a password policy break the chain at scale.

  • Reduce your leaked attack surface

    Exposed session tokens, API keys and forgotten accounts widen the blast radius. Find and retire them.

  • Have a response plan

    GDPR’s 72-hour clock starts at awareness. Detection, containment and notification need to be rehearsed, not improvised.

Frequently asked questions

Short, clear answers

What is a data breach?

A data breach is any incident where data is accessed, disclosed or lost without authorisation. It ranges from a targeted intrusion to a misconfigured database left open online. The most commonly leaked and abused data is login credentials.

What is a credential leak?

A credential leak is the exposure of usernames and passwords, usually as a result of a breach. Leaked credentials are aggregated into "combolists" and used in automated attacks against other services. See how credential stuffing works →

How do I know if my data has been breached?

Free breach-notification services let you check whether your email address appears in known breaches. For ongoing coverage, use monitoring that alerts you when your data shows up in a new leak, so you can react before attackers do.

What should I do if I’m in a breach?

Change the affected password everywhere you reused it, enable multi-factor authentication on important accounts, and watch for phishing that references the leaked data. Follow the full response steps →

Why is password reuse so dangerous?

Because attackers assume it. When one site leaks your password, bots automatically try the same email-and-password pair on email providers, banks and social networks. A unique password per site contains the damage to that one account.

Does multi-factor authentication stop credential leaks?

It doesn’t stop the leak, but it usually stops the takeover: a leaked password alone isn’t enough to log in. MFA is the single most effective defence against credential stuffing, though leaked session tokens can sometimes bypass it.

How do organisations monitor for leaked credentials?

They continuously match their domains and employee accounts against breach and combolist data, and alert or force a password reset on a match. Services such as OffSeq Breach and Threat Radar automate this.