Your organisation's security does not exist in isolation. When employees sign up for third-party services (SaaS tools, conference registrations, industry forums, personal accounts) with their work email and a reused password, a breach at any of those services becomes a breach of your systems. If the password your CFO used on a breached industry forum is the same one they use for your financial systems, the forum's breach is now a breach of your finance stack. This is not hypothetical: credential stuffing with reused, previously breached passwords is one of the most common routes to account takeover.
The Scale of the Problem
The HaveIBeenPwned database catalogues over 13 billion breached accounts from more than 700 data breaches. These include major services that your employees almost certainly use: LinkedIn (700M records), Adobe (153M records), Dropbox (68M records), and hundreds of smaller services. Every breach that included passwords exposes email-password pairs that attackers systematically test against other services. Not every catalogued breach includes passwords (scraped datasets, for example, often contain only profile data), which is why the exposed data types in each finding matter as much as the breach name.
Credential stuffing tools automate this at scale. An attacker loads a list of breached credentials, points the tool at your login page, and tests thousands of combinations per minute. No vulnerability exploitation is needed — they are using legitimate credentials that happen to work because of password reuse.
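The pattern described above is visible in your own authentication logs: one source tries many different usernames in quick succession, almost all of them failing, and the rare success is the account that has just been taken over. As an added example (not ShieldReport's code and not code from this page), the following Python flags that pattern over constructed log lines; the log format, the 60-second window and the five-username threshold are assumptions made for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not part of the original page or ShieldReport's product.
The log format, window size and username threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, one event per line: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 walks a breached list (many usernames, one try each) and lands one account;
# 198.51.100.2 is a real user mistyping their own password twice.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob@example.com FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol@example.com FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave@example.com FAIL
2024-05-01T09:00:03Z 203.0.113.7 erin@example.com FAIL
2024-05-01T09:00:04Z 203.0.113.7 frank@example.com FAIL
2024-05-01T09:00:05Z 203.0.113.7 cfo@example.com OK
2024-05-01T09:05:00Z 198.51.100.2 alice@example.com FAIL
2024-05-01T09:05:20Z 198.51.100.2 alice@example.com FAIL
2024-05-01T09:05:40Z 198.51.100.2 alice@example.com OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed space-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def detect_stuffing(events: List[AuthEvent], window: timedelta = timedelta(seconds=60),
                    min_users: int = 5) -> Dict[str, dict]:
    """Report each source IP that attempted >= min_users distinct usernames inside
    any span of length `window`. A user retrying their own password never trips
    this; a tool walking a breached list does. Accounts that logged in OK from a
    flagged IP are the ones to treat as taken over."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        flagged = False
        for end in range(len(evs)):
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.user for e in evs[start:end + 1]}) >= min_users:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "distinct_users": len({e.user for e in evs}),
                "failures": sum(1 for e in evs if not e.ok),
                "compromised": sorted({e.user for e in evs if e.ok}),
            }
    return findings


if __name__ == "__main__":
    for ip, report in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, report)
```

A per-IP threshold is the simplest form of this check and the easiest for an attacker to dodge by rotating through proxies; production detections aggregate the same signal across an ASN, a client fingerprint or the whole login endpoint (a spike in distinct failing usernames site-wide) rather than per address.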
What ShieldReport's Credential Monitor Detects
ShieldReport cross-references email addresses associated with your domain against the HaveIBeenPwned breach database. For each match, you receive:
- Affected email address: Which employee account was exposed.
- Breach source: The specific service that was breached (LinkedIn, Adobe, etc.).
- Breach date: When the breach occurred. Age is not reassurance: a credential from an old breach that was never rotated has been in attackers' hands for that much longer.
- Exposed data types: Whether the breach included passwords, password hashes, security questions, phone numbers, or other data.
- Risk level: High for breaches with plaintext or weakly hashed passwords; medium for salted hashes. Treat any exposure as grounds for a reset: salted hashes built on fast algorithms such as MD5 or SHA-1 are still cheap to crack offline, so "medium" means slower exploitation, not safety.
Why MFA Is Not Enough
Multi-factor authentication significantly reduces credential stuffing risk, but it does not eliminate it. MFA fatigue attacks (repeated push notifications until the user approves one), SIM swapping (taking over the phone number that receives SMS codes), and session token theft (stealing the authenticated session cookie or token after MFA has completed, so the second factor is never challenged again) are all active attack techniques. MFA raises the bar, but it is not a substitute for ensuring credentials are not compromised in the first place.
The correct response is layered: force password resets for exposed accounts, enforce unique passwords through breach-aware password policies, deploy phishing-resistant MFA (hardware keys or passkeys), and monitor continuously for new breaches.
Incident Response for Credential Leaks
When ShieldReport detects a credential leak, the recommended response follows a straightforward playbook:
- Immediate: Force a password reset for the affected account and revoke its active sessions and tokens (a reset alone leaves an already-stolen session usable). Review recent login activity for signs of unauthorised access: new source IPs or devices, logins at unusual hours, and newly created mail-forwarding rules or OAuth grants.
- Short-term: Enable or strengthen MFA on the affected account and on any other accounts tied to the same email address.
- Ongoing: Implement breach-aware password policies that reject known-compromised passwords at the time of creation or change.
- Organisational: Security awareness training on password reuse risks. Consider deploying a password manager to reduce reuse.
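The breach-aware password policy in the ongoing step (and in the layered response above) is normally implemented against the Pwned Passwords range API, which lets you reject a compromised password without sending the password, or even its full hash, to the service. The following Python is an added example, not ShieldReport's implementation and not code from this page; the protocol it follows is the documented k-anonymity scheme, while the response body for prefix 5BAA6 is constructed for offline use and its counts are not real figures.

```python
"""Breach-aware password check via the Pwned Passwords k-anonymity range API.

Added example, not ShieldReport's code or code from the original page.
Protocol (real, documented by HaveIBeenPwned): SHA-1 the candidate password,
send only the first five hex characters of the digest to
https://api.pwnedpasswords.com/range/<prefix>, receive every known hash
suffix under that prefix with its breach count, and compare locally. The
service never sees the password or its full hash.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0, sent when the
    Add-Padding header is used) are dropped so they can never look like a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range response. Add-Padding hides the true response size
    from a network observer; the API requires a User-Agent header."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-aware-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Number of times the password appeared in known breaches (0 = never seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Callable[[str], str] = fetch_range_live,
                        min_length: int = 8) -> bool:
    """Policy: long enough and never seen in a breach. Length is checked first
    so obviously bad passwords cost no network round trip."""
    if len(password) < min_length:
        return False
    return breach_count(password, fetch_range) == 0


# Constructed stand-in for the range response for prefix 5BAA6 (the prefix of
# SHA-1("password")); the counts are made up, only the format is real.
CONSTRUCTED_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
"""


def offline_fetch(prefix: str) -> str:
    """Offline substitute for fetch_range_live used by the demo below."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "aV9!kq2#Lm7zPw"):
        print(candidate, breach_count(candidate, offline_fetch),
              password_acceptable(candidate, offline_fetch))
```

Wire `password_acceptable` into the password-set and password-change paths of your identity provider or application, and fail closed only on policy, not on availability: if the range lookup times out, queue a re-check rather than silently accepting the password as clean.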
ShieldReport continuously monitors your domain's email addresses against the global breach database, flagging exposed credentials before attackers use them for credential stuffing and attaching specific remediation steps to each affected account.