Recaptured Data from Breaches, Botnets & Underground Sources

Our cyber analytics engine drives action to protect your business.

SpyCloud recaptures stolen credentials and PII not only from data breaches, but also from malware-infected devices and other underground sources at scale. Our proprietary engine curates, enriches, and analyzes this data – transforming it into actionable insights that enable enterprises to quickly identify legitimate users vs. potential criminals using stolen information, and take action to prevent account takeover, ransomware, and online fraud.

Cyber Analytics Engine

SpyCloud has been known for the massive repository of recaptured data that powers our ATO and fraud prevention solutions. But our innovative cyber analytics engine goes much further than strictly data collection. After each digital asset is acquired, it is put through a rigorous quality-control process to determine its value. We cleanse and parse it, crack the passwords and further enrich the data, and then correlate it to individual users across their multiple online personas to determine their true risk to your enterprise.

SpyCloud's Cyber Analytics Engine
SpyCloud's Cyber Analytics Engine


Creating the world’s largest collection of recaptured data

We rapidly collect stolen and leaked assets from the criminal underground containing user credentials and high-value PII such as first and last names, addresses, phone numbers, dates of birth, SSNs.

We do this using a combination of Human Intelligence (HUMINT) and Applied Research (HUMAN+TECHNOLOGY). Our team of researchers have been performing this type of tradecraft for years and are the most capable in this area. Critical information is recovered by our researchers very early in the attack timeline, often within days of the breach occurring. In many cases, we are the first to inform the affected victim organizations through our responsible disclosure process. These efforts create the world’s largest and most relevant repository of recaptured data gathered from breaches, botnets, and other underground sources.

Data Breaches
Data Breaches
Malware-Infected Device Logs
Underground Sources


Removing the noise to reveal what’s most actionable

Our unique cleansing and curation process reveals the recaptured data that is directly relevant and actionable for your business. The SpyCloud engine parses and normalizes petabytes of unstructured data, discarding records that do not contain passwords or high-value PII. It compares each record to the billions of assets already in our database. We end up discarding about 60% of the files we collect as duplicates from past breaches that have been repackaged as combolists. This ensures that our customers are not inundated with extraneous alerts. 

Through this process, SpyCloud manages more than 200 distinct attributes collected directly from darknet records that are made machine-readable and available to help enterprises make informed decisions.


Adding context and cracking passwords

SpyCloud goes further than any other vendor to enrich the recaptured data with supporting contextual information including the source, breach description, and the actual breached password. We have invested heavily in “de-hashing” collected passwords, allowing customers to determine whether exposed credentials exactly match the in-use credentials for their employees and customers. Through our proprietary processes, SpyCloud is able to provide more than 90% of collected passwords in plaintext, making our data the most actionable in the industry.


Correlating risk across users’ multiple online personas

In this phase,  our cyber analytics engine draws correlations across billions of records that have been stolen and distributed by criminals. This allows SpyCloud to provide unique insights about the true identity and online behaviors of your employees and customers. These analytics are provided through APIs and integrations to popular SIEMs, SOARs, and TIPs to protect your enterprise from criminals using stolen information.

The Value of Human Intelligence

SpyCloud uses Human Intelligence (HUMINT) to quickly recapture data within days of a breach or malware infection occurring. SpyCloud’s security researchers recapture breached data (including malware-infected user records) earlier in the attack timeline and share it with customers before it is used to cause harm, typically months or even years before anyone else. In many cases, we are the first to inform the affected victim organizations through our responsible disclosure process.

Timeline of a data breach showing what cybercriminals do with stolen credentials, starting with targeted account takeover attacks of high-value victim. Ultimately, stolen logins will end up on the deep and dark web and used in high-volume credential stuffing attacks.

We’re confident you’ll get more matches with SpyCloud. Let’s do a match rate test.

Interested in integrating SpyCloud data to enhance your solution?