Of the many use cases associated with threat intelligence and digital risk protection, monitoring for exposed credentials is always one of the most popular. 

It’s easy to see why. The average business user has 191 passwords and, unfortunately, 65% of users reuse the same password for multiple accounts or all accounts. With more than 15 billion credentials exposed, the chances of your employees having passwords exposed is pretty high.

But it’s about far more than just the likelihood of exposure; the appeal of credential monitoring endures for three main reasons.

  1. It represents a clear business risk. If a valid credential is exposed, it’s not hard to understand how that can lead to an account takeover, loss of data, or Business Email Compromise. The 2020 Verizon DBIR outlined that 80% of breaches related to hacking involved brute-force cracking or the use of lost or stolen credentials.
  2. It’s highly actionable. Some threats can be hard to actually do something about. With exposed credentials, you can reset the affected accounts.
  3. It resonates with the C-Suite. Showing executives their own exposure helps the security team demonstrate the types of risk they are facing and makes it personal. 

However, due to the large volumes of credential breach, high staff turnover, use of recycled credentials in circulation, mitigating credential exposure is cumbersome and time consuming. When it comes to passwords, security teams want to know:

  1. Is it for their systems
  2. Is it still valid
  3. Has it been remediated before

However, current breach alerting tools make this increasingly difficult to make that distinction. 

SearchLight Helps to Validate Credentials: Built-in tools for greater relevance

Digital Shadows (now ReliaQuest) new alert type simplifies and speeds up the triage process, while ensuring the relevance of alerts. Improved workflows include email and password format validation, which can feed into automated playbooks meaning the analyst doesn’t have to touch benign alerts. The new credential risk alert provides powerful functionality and context needed for security teams to remediate credential exposure, quicker. 

Unlike many breach tools, each SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) credential exposure alert requires a username and password, and is alerted on a per-credential pair basis. Here’s a functional overview:

Automated Playbooks

In April, we wrote about why we have incorporated playbooks into the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) portal. These playbooks have been really popular with security teams providing guidance for how to respond to SearchLight’s digital risks. 

These playbooks have just got a lot more exciting with this release. Users can now automatically reject credentials that do not meet a predefined email or password format. 

email and password formats SearchLight
Fig 1 – Setting email and password formats for validation in SearchLight
Credential Format in SearchLight
Fig 2 – Saved credential format in SearchLight

Timeline viewer

To avoid duplicating work, the new credential alert has been designed so that reused credentials will not be raised as new alerts. Nevertheless, knowing of reuse can be useful context and so it is important that security teams have access to this information. 

Within the “Credential Timeline”, users can view where that given credential has appeared or been alerted over time. Clicking into “View Details” will take users to the Source viewer entry.

Credentials Timeline
Fig 3 – Tracking the exposure of a credential pair over time
Exposed Credentials SearchLight
Fig 4 – Drilling down into the history of a specific exposed credential exposed over different sources

Adding to Allowlists

Some exposed credentials correspond to users who have since left the business, and it can be frustrating to keep on re-triaging those alerts. To make this easier, we’ve added the ability to add a certain username to an allowlist – meaning that no further alerts will be raised for that particular username.

Fig 5 – Adding a username to the allowlist


Last month I wrote about Digital Shadows (now ReliaQuest)’ customizable reporting module (you can read that here: Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight).

With this new release, we’ve included a new reporting component that enables users to create reports outlining the different statuses and validation states associated with different credentials. 

Credential Exposure Report
Fig 6 – Digital Shadows (now ReliaQuest) reporting component for credentials

Get in Touch to Learn More

We’re incredibly excited to be releasing these new updates to our exposed credential monitoring today. 

If you would like to learn more about how this could work for you, get in touch to arrange a meeting with one of our team.

Not ready but still interested in credentials? No problem. Have a read of our new research, From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover, instead!