What are data leaks?

Data leaks affecting your employees are displayed in two distinct ways, depending on whether their potential for exploitation is confirmed or not.

  1. 🆕 Data leaks with confirmed exploitation potential

    1. Vulnerability "Valid user credentials found in a data leak/MO365/Fortinet"

    2. How does Stoïk confirm the exploitation potential of the leak?

  2. Data leaks with exploitation potential to be confirmed

    1. Understanding the results

    2. Why does a former employee appear in the Data Leak tab?

    3. Why does an alert concern a workstation that does not belong to us?

    4. Why does the notification date of a leak not always correspond to the date of compromise?

    5. Why do some data leaks show an unknown source?

1. 🆕 Data leaks with confirmed exploitation potential

These are the most critical data leaks, meaning that an attacker could directly use them if they managed to obtain them. Given their criticality, a dedicated vulnerability is created for each of them in the Stoïk External Scan results.

1.a. 🆕 Vulnerability "Valid user credentials found in a data leak/MO365/Fortinet"

Our External Scan alerts you if the credentials found by our Data Leak tab are still active.

In concrete terms, customer credentials disclosed on the Dark Web are now automatically tested on the relevant URL to verify their validity, thanks to an internal Stoïk development using generative AI.

If validity is confirmed, a "high" vulnerability is created during the Stoïk External Scan analysis, prompting users to update their credentials.

The username and URL are then displayed on Stoïk Protect (the password can be shared upon express request to [email protected]).

As this is a "high" vulnerability, Stoïk's CERT analysts will proactively notify you by email if an alert of this type appears.

1.b. How does Stoïk confirm the potential for exploitation of the leak?

The data leaks tested by Stoïk come mainly from two sources:

  1. Leaks from password databases (combolists): These databases are sets of credentials (emails, passwords) retrieved from several past leaks and aggregated without clear context.

     Example: [email protected] / M0t2Pa$$ / supersite.com

     These combolists do not always reveal the exact website where the credentials were leaked, which makes it difficult to test the credentials on the service mentioned. In this case, Stoïk automatically tests the credentials on critical and widely used services such as Microsoft 365 (O365) or Fortinet VPN (if this service is used by the insured).

     💡 We do not test the credentials directly on the mentioned site unless it is known with certainty, as in the case of stealer logs (see below).

  2. Leaks from malware (stealers): Stealers are malware installed on compromised machines that collect the credentials used locally. These leaks are much more precise: they generally include the following three elements: Email / Password / Exact login URL.

     Example: [email protected] / M0t2Pa$$ / https://supersite.com/loginpage.php

     When the URL is clearly identified, the credentials are tested directly on the corresponding site, in addition to Microsoft 365 (O365) and Fortinet VPN. This precision greatly reduces false positives and effectively targets the risk of active compromise.

Summary of checks done by Stoïk:

Leak type     | Data available                | Check by Stoïk
Combolist     | Email + Password (or Website) | O365 + Fortinet only
Stealer logs  | Email + Password + URL leaked | URL leaked + O365 + Fortinet

If the URL concerned is Fortinet or O365, the vulnerability displayed is named "(...) found in Fortinet/Microsoft Office 365 dataleak". Otherwise, the vulnerability displayed is named "(...) found in a dataleak", and the URL is specified in the vulnerability details.

By default, if the results of the checks done by Stoïk are empty, no vulnerability is created, but the leak is still displayed in the "Data leak" tab.
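To make the decision logic of this section concrete, here is an added Python example (not Stoïk's own code) that classifies a leak record, lists the services whose checks are in scope according to the table above, and derives the vulnerability that would be displayed from constructed check outcomes. It contacts no service; the record field names and the "Valid user credentials" title prefix are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service names as they appear in the vulnerability titles described above.
O365 = "Microsoft Office 365"
FORTINET = "Fortinet"

@dataclass
class LeakRecord:
    email: str
    password: str      # never copied into the output below, as in the article
    source: str        # "stealer" or "combolist" (hypothetical field names)
    site: Optional[str] = None  # exact login URL (stealer) or bare site name (combolist)

def classify_leak(record: LeakRecord) -> str:
    """Only stealer logs carry a login URL that is known with certainty."""
    if record.source == "stealer" and record.site and record.site.startswith("http"):
        return "stealer"
    return "combolist"

def checks_in_scope(record: LeakRecord, customer_uses_fortinet: bool) -> List[str]:
    """Services whose credential validity would be checked, per the table above."""
    scope = [O365]
    if customer_uses_fortinet:          # Fortinet VPN only if the insured uses it
        scope.append(FORTINET)
    if classify_leak(record) == "stealer":
        scope.insert(0, record.site)    # exact URL is tested in addition to O365/Fortinet
    return scope                        # a combolist's bare site name is never tested

def vulnerability_for(record: LeakRecord, results: Dict[str, bool]) -> Optional[dict]:
    """results maps each checked service to whether the credentials were still valid.
    Returns the 'high' vulnerability that would be created, or None when every check
    is negative (the leak then only stays listed in the Data Leak tab)."""
    hits = [service for service, still_valid in results.items() if still_valid]
    if not hits:
        return None
    service = hits[0]
    vuln = {"severity": "high", "username": record.email}
    if service in (O365, FORTINET):
        vuln["name"] = f"Valid user credentials found in {service} dataleak"
    else:
        vuln["name"] = "Valid user credentials found in a dataleak"
        vuln["url"] = service           # the URL goes in the vulnerability details
    return vuln

# Constructed sample records (not real leaked data).
STEALER = LeakRecord("alice@example.com", "M0t2Pa$$", "stealer",
                     "https://supersite.com/loginpage.php")
COMBOLIST = LeakRecord("bob@example.com", "M0t2Pa$$", "combolist", "supersite.com")
```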

2. Data leaks with potential for exploitation to be confirmed

2.a. Understanding the results

External Surface > Results > Data Leaks lists all data leaks detected among your employees, whether or not their potential for exploitation has already been confirmed.

The date shown generally corresponds to when our tool detected the data breach, not the actual date of the breach.

By clicking on a specific data breach, you can access detailed results. Here are two examples of how to interpret the results:

  1. "IP" and "Password": For this example, understand that for the email address [email protected], the plaintext password and IP address were leaked during the Adobe Data Breach 2024 data leak for the domain my-company.com.

  2. "Password" and "Encrypted password": For this example, understand that for the email address [email protected], the plaintext password ("password") and the hash ("encrypted password") were leaked on several websites of unknown origin, hence the term "combolists".

2.b. Why does a former employee appear in the Data Leak tab?

If you see an alert about an account associated with an employee who is no longer with the company, there are several logical reasons for this.

Origin: This is not an Active Directory account or a company email address that is directly active in your IT system, but rather a third-party user account using an address from your domain, for example [email protected] registered on an external site such as https://random.saas. This type of account may belong to:

  • A former employee who created a SaaS account with their work address.

  • An account that is still active in a SaaS application, whose work email address remains valid.

  • An external account created without email address verification, which is possible on certain platforms.

Reason for detection: The alert is generated by Stoïk because the account's email address is linked to your domain name or the password associated with this account has appeared in a public data leak. Therefore, even if it is a former employee or an account not managed by your IT department, this account may:

  • Still be billed to your company (common for SaaS subscriptions)

  • Have access to internal data, if no revocation has been made

  • Represent a risk of indirect compromise (password reuse, pivoting from this account to other systems)

Recommendation: In this situation:

  • Identify whether the account is still active in the application concerned

  • Revoke or deactivate the account if you have control over it

  • Contact the SaaS publisher to request deletion if necessary

  • Update your employee departure procedures to include the systematic revocation of third-party accounts

2.c. Why is there an alert for a workstation that does not belong to us?

You may receive a cybersecurity alert for a workstation that is not listed in your IT inventory. This may seem surprising, but there are several possible explanations for this situation.

Even if the workstation in question does not belong to you, the alert is relevant because activity related to your domain or organisation was detected from it. Any unusual activity of this kind may indicate unauthorised use, a potential compromise, or poor management of third-party access.

An employee's personal device

  • Origin: An employee may, voluntarily or out of habit, access work resources from a personal device (personal computer, tablet, etc.).

  • Reason for detection: The alert is generated by Stoïk because this workstation is not secured or supervised by your IT teams and may therefore represent a vulnerable entry point for attacks (ransomware, data theft).

  • Recommendation: In this situation, ask your employee to limit this use or to secure their device (encryption, antivirus, strong password, etc.). It is strongly recommended that you review your personal device usage policy (BYOD) if you have not already done so.

Workstation of a service provider or subcontractor

  • Origin: It is possible that a service provider (external IT support, consultant, freelancer, etc.) may access your data or systems from their own workstation.

  • Reason for detection: The alert is generated by Stoïk because it involves your services or your domain. The workstation is considered at risk if it is compromised or poorly protected.

  • Recommendation: In this situation, check whether this service provider is still active in the company. If not, revoke their access. Otherwise, ensure that good security practices are in place on their side.

Shared or public workstation (hotel, terminal, internet café, etc.)

  • Origin: In some rare cases, your services may be accessed from a public or shared terminal: hotel terminal, meeting room PC, etc.

  • Reason for detection: The alert is generated by Stoïk because these machines are highly exposed to malware or keyloggers. This is because connections are rarely encrypted or private.

  • Recommendation: In this situation, it is essential to remind your employees never to use a public computer to access critical resources, or at the very least, to use a VPN and encrypted connections.

2.d. Why does the date of notification of a leak not always correspond to the date of compromise?

Users often wonder about the time lag between the date of a data leak (or stolen password) and the date of receipt of the Stoïk alert. The main reason is that passwords are not immediately made public.

Indeed, credentials stolen by infostealers (malicious software capable of extracting passwords from browsers, managers or system caches) are not always shared instantly on the forums or marketplaces we monitor.

In practice, stolen information is first sold in private circles or restricted groups, and only becomes publicly available after several weeks or even months. That's when our system detects it and alerts you.

2.e. Why do some data leaks show an unknown source?

Origin: You may see data leaks appear in your Stoïk Protect interface without a clear indication of their origin. In this case, the source is listed as "Combolist", which means it is unknown or unverifiable.

A combolist is a massive compilation of identifiers (email addresses, passwords, sometimes other data) gathered from various leaks. These files are repackaged by cybercriminals and then resold or shared on forums without always mentioning the origin of the data.

Reason for detection: The alert is generated by Stoïk because even if the exact source is unknown, the risk is real. Indeed, the credential pair (email + password) may still work on certain services, so it can be exploited in a credential stuffing attack or give access to a SaaS application used in your company.

3. What to do in the event of a data leak alert?

  • Change the password immediately.

  • If you do not recognise the service, check the internal usage of the email address mentioned.

  • Enable multi-factor authentication (MFA) if you have not already done so.
