Recaptured Data in Preventing Cyber Crime Explained

Authentication data and PII from third-party breaches and malware infections put your business and customers at risk of cyberattacks. Our focus is recapturing that data and making it actionable through automated solutions that remediate darknet exposures to stop account takeover, ransomware and online fraud.

The criminal underground is packed with stolen credentials, PII, and browser fingerprints that let criminals impersonate your employees and customers, evading detection from traditional fraud controls.

Underground data exists for nearly everyone – employees, vendors, and customers – who may have dozens or more online personas. When their credentials and PII are leaked in a breach or exfiltrated from a malware-infected device, your team can’t effectively protect them (and your business) fast enough on your own. You need an expert who can tell you exactly what criminals know about your business and your customers so you can take action.

For the longest time, data from the criminal underground wasn’t accessible. Now it’s an untapped source of powerful insights. We call it Recaptured Data.

0 +
0 +


0 +


0 +
Data Types
Guide to Recaptured Data

What is Recaptured Data?

Recaptured Data is information that SpyCloud’s security researchers have recovered from tens of thousands of security breaches, millions of malware-infected devices, and other covert sources – transformed into action. 

The SpyCloud Recaptured Database contains over 400B assets which power our account takeover, ransomware, and online fraud prevention solutions. It is comprised of more than 200 distinct field types collected directly from breach records and logs from malware-infected devices:

  • Compromised credentials (email address + password pairs)
  • Authentication cookies / tokens
  • PII including names, street addresses, phone numbers, and credit card details
  • Government identification including SSNs, NINOs, driver’s licenses, and passport numbers 

We make this data machine-readable and available to help enterprises make informed decisions about how to protect themselves, their employees, vendors, and customers.

What makes Recaptured Data unique?

A lot of companies claim to offer the best “breach data.” Recaptured Data is not just data from breaches. That data, in the form most providers offer, is unstructured data that is not actionable.

What makes Recaptured Data unique – in short – is its variety, actionability, and insights.

  • Variety
    With more than 200 data types, Recaptured Data covers the gamut of information exposed in the criminal underground. But it’s also variety in sources that makes Recaptured Data special. We not only recover data from breaches, but also from other underground sources only we have access to – as well as from infostealer logs. These contain information exfiltrated from malware-infected devices, which criminals immediately operationalize by selling to other bad actors or by using the data to impersonate employees and customers, flying under the radar of fraud detection tools.

With stolen cookies and credentials, criminals can do extreme damage to companies and individuals. But in the hands of enterprise security and fraud prevention teams, this same data can be used to negate at-risk web sessions and protect vulnerable accounts.

  • Actionability
    Recaptured Data isn’t raw data: it’s records that are enriched with supporting contextual information, including the source, breach description or malware family, actual compromised password, and much more.

SpyCloud has invested heavily in “de-hashing” collected passwords, allowing customers to determine whether exposed credentials exactly match the in-use credentials for their employees and customers. More than 90% of the 25B passwords in our database are in plaintext, making our data the most actionable in the industry.

No false alerts here, only evidence of compromise.

  • Insights
    SpyCloud correlates Recaptured Data points to form a true picture of a user’s risk across their many exposed online personas. This means we are able to identify a user in one breach as being the same user exposed in another breach or through a malware-infection on their personal or corporate device. We can tie email addresses, usernames, passwords, and PII together to reveal a singular user’s risk of account takeover, synthetic identity, and fraud across their many exposures. This is the only way to determine their true risk to your enterprise.

Why should you use Recaptured Data?

In short, companies use Recaptured Data to help avoid the risk of breaches caused by the use of stolen authentication data, or fraud that otherwise goes undetected earlier in the attack timeline. The key is recapturing data early after a breach or malware infection occurs, so it’s in your hands before it’s used to cause harm to your business and your customers.

By the time other companies alert you to exposures, criminals have already had stolen data in their hands for months (and sometimes years). 

No enterprise can gather their users’ compromised data with the speed and scale necessary to thwart attacks.

This is SpyCloud’s focus, and why hundreds of enterprises rely on us.

Who uses Recaptured Data?

Since cyber criminals don’t discriminate, companies of all sizes in varied industries use Recaptured Data. Any company can use it, and so far, hundreds of companies around the world – including half of the Fortune 10 – rely on it. 

SpyCloud customers include:

#1 Global
Streaming Service
#1 Global
#1 Global Software
Top 5
US Bank
#1 Global
Online Retailer
#1 US Crypto

Join us in our mission to disrupt criminals’ ability to profit from stolen data

[JUST RELEASED] 2023 Ransomware Defense Report highlights infostealers as precursors to future attacks. Download Now