IDLink™
Reveal Your Full Risk Picture
with IDLink™ Analytics
SpyCloud IDLink connects the dots across the fragmented pieces of exposed identity data – automatically.
Whether you use it as a standalone API or through its embedded functionality in our products, IDLink turns recaptured data into actionable identity intelligence and delivers more powerful protection from identity-based threats.
See identities in full – not in fragments
IDLink automates identity resolution by correlating exposed assets across past, present, personal, and professional identities. It analyzes signals like shared usernames, emails, passwords, and more to construct a holistic identity that links disparate records across time and more than 50K breach sources – revealing otherwise invisible exposures you can act on.
Backed by the world's largest recaptured darknet data repository and powered by advanced analytics, SpyCloud gives you visibility into the holistic identity of your users and gives analysts the ability to uncover and link hidden identity assets. With SpyCloud, build comprehensive cybercrime investigations and protect your enterprise from identity-based attacks stemming from your employees', customers', and suppliers' darknet exposures.
Deeper investigations powered by IDLink analytics
Using SpyCloud Investigations with IDLink, we saw a 400% increase in productivity and enabled Tier 1 analysts to do research they otherwise wouldn’t be able to do.
– CTI Lead, Leading Global IT Professional Services Company
Typical findings with IDLink analytics vs. exact match queries
By analyzing overlapping attributes across breach, malware, and phished data, IDLink builds a complete, contextualized view of user identities, unearthing risks other tools miss.
8X More Identity Records
2X More Malware Records
14X More Plaintext Passwords
5X Addresses
SOC EFFICIENCY
“SpyCloud Investigations with IDLink has drastically reduced our investigation time, turning 2 hours of SOC work into just a few minutes.”
SOC Manager, Global Airline
CTI TIME SAVINGS
“Minutes matter when investigating, and sometimes you go down rabbit holes. IDLink saves me at least 10 minutes per investigation.”
EXPLORE MORE PRODUCTS
Get more from IDLink
IDLink lets you visualize & act on the real risk a single exposed identity poses to your organization.
Cybercrime Investigations
Active Directory Guardian
Identity Analytics FAQs
Exact-match monitoring checks whether a specific work email address or username appears in a breach, malware log, or phishing dataset. It returns results for that one identifier and stops there. The problem is that most employees use multiple email addresses, personal accounts, and usernames across their digital lives, and they frequently reuse passwords across those accounts. When a personal account is breached and the stolen credentials include a password that matches the employee’s current corporate password, an exact-match scan of the corporate email returns nothing — because the breach didn’t expose the work address. The exposure exists, but it’s invisible to exact-match tools. SpyCloud IDLink addresses this by automatically running pivots across every identity artifact associated with a person: work email addresses, personal email addresses, backup emails, usernames, shared passwords, PII, device fingerprints, and more than a dozen other asset types. It builds a connected identity graph that links corporate and personal exposures, then returns only the results that are relevant to the corporate risk. Compared to exact-match queries, IDLink finds an average of 8 times more identity records per user, 14 times more plaintext passwords, 5 times more email addresses, and twice as many malware records.
Password reuse between personal and work accounts is one of the most common and most difficult-to-detect ATO entry points. An employee who uses the same password for their personal Gmail account and their Okta SSO login creates a risk that no corporate monitoring tool can see through exact-match detection — because the Gmail breach doesn’t expose the work email address. IDLink closes this gap by correlating the employee’s work identity against their full personal identity footprint. When SpyCloud’s data contains a breach record showing a personal email address exposed with a particular password, and IDLink determines that personal email belongs to an employee whose current work account password matches that exposed password, it flags the exposure and triggers remediation through Active Directory, Okta, or Entra ID. This is what allows Identity Guardians with IDLink enabled to find 14 times more plaintext passwords per user than exact-match scanning. The employee’s account would remain vulnerable indefinitely under exact-match monitoring because the exposure never touches the corporate domain.
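The gap between exact-match lookup and linked lookup described in the two answers above can be shown on a small constructed dataset. This is an added illustration, not SpyCloud's algorithm or API: the record fields, the rule of linking on shared email or username, and the PBKDF2 credential check are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (not real exposure data).
RECORDS = [
    {"source": "breach-A", "email": "jdoe@corp.example", "username": "jdoe", "password": None},
    {"source": "breach-B", "email": "john.d@mail.example", "username": "jdoe", "password": "Sunflower!2019"},
    {"source": "stealer-C", "email": "john.d@mail.example", "username": "jd_games", "password": "kite-runner-77"},
    {"source": "breach-D", "email": "other@mail.example", "username": "someone", "password": "Sunflower!2018"},
]
WORK_EMAIL = "jdoe@corp.example"
SALT = b"constructed-salt"

def pw_hash(password, salt):
    # Stand-in for however the directory stores credentials (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

STORED = pw_hash("Sunflower!2019", SALT)  # constructed corporate credential hash

def exact_match(records, email):
    """Return only records that contain the monitored email itself."""
    return [r for r in records if r["email"] == email]

def linked_records(records, email, keys=("email", "username")):
    """Pivot outward from the seed email through any shared email or username."""
    index = defaultdict(list)
    for i, r in enumerate(records):
        for k in keys:
            if r.get(k):
                index[(k, r[k])].append(i)
    seen, frontier = set(), [("email", email)]
    while frontier:
        for i in index.get(frontier.pop(), []):
            if i not in seen:
                seen.add(i)
                # Each newly linked record contributes its own selectors as pivots.
                frontier.extend((k, records[i][k]) for k in keys if records[i].get(k))
    return [records[i] for i in sorted(seen)]

def reused_exposures(records, stored_hash, salt):
    """Records whose exposed plaintext matches the current corporate credential."""
    return [r for r in records if r["password"]
            and hmac.compare_digest(pw_hash(r["password"], salt), stored_hash)]

if __name__ == "__main__":
    for name, recs in (("exact", exact_match(RECORDS, WORK_EMAIL)),
                       ("linked", linked_records(RECORDS, WORK_EMAIL))):
        hits = [r["source"] for r in reused_exposures(recs, STORED, SALT)]
        print(name, len(recs), "records, reuse found in:", hits)
```

Linking on a shared username alone over-links on common handles, so a real pipeline needs a relevance step before any remediation is triggered.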
IDLink operates across more than 200 identity asset types recaptured from SpyCloud’s darknet dataset, including current and historical email addresses, backup and recovery emails, usernames across multiple services, plaintext and hashed passwords, phone numbers, physical addresses, device fingerprints, IP addresses, breach source metadata, and malware infection telemetry. When IDLink runs a query on a corporate employee or consumer identity, it automatically pivots across all available asset connections in the background, building an identity graph that links records from breach data, infostealer malware logs, and phishing captures across that person’s full digital history. Critically, IDLink does not return everything it finds. It applies relevance filtering to remove out-of-scope identity assets that don’t connect to the target corporate risk, which keeps results actionable rather than noisy. The output is a curated set of exposures tied to the specific user’s identity — not a raw dump of every record associated with adjacent data points. This precision is what enables SOC teams to run IDLink-powered investigations at scale, with one customer reporting a 400% increase in analyst productivity after deployment.
In cybercrime investigations, a single data point — one email address, one username, one IP — rarely tells the complete story of who is behind an attack. Manual OSINT pivots across multiple sources to find connected identities, alternate personas, and infrastructure take days of analyst time and frequently hit dead ends when the data isn’t in indexed public sources. IDLink automates the correlation layer. Starting from a single selector, IDLink pivots automatically across SpyCloud’s full darknet dataset to surface connected usernames, alternate email addresses, shared passwords used across accounts, device fingerprints, and infrastructure associations that link the target identity to broader criminal activity. Because SpyCloud’s data comes from recaptured infostealer logs, phishing kit output, and breach data — not surface-web indexing — it surfaces connections that standard OSINT tools don’t reach. IDLink surfaces 8 times more identity records per investigation than standard OSINT methods, and one customer reported compressing a two-week investigation to four seconds. For analysts working ransomware attribution, insider threat investigations, or fraud campaign mapping, IDLink turns an OSINT dead end into a live lead by finding the cross-account connections attackers use to stay hidden.
IDLink is embedded across SpyCloud’s product suite and is also available as a standalone API for teams that want to integrate holistic identity correlation directly into their own tools and workflows. In the enterprise context, IDLink powers the deeper scanning capability in Identity Guardians, enabling Active Directory Guardian, Okta Workforce Guardian, and Entra ID Guardian to detect password reuse between personal and corporate accounts rather than only flagging exact corporate credential matches. In the investigation context, IDLink runs automatically inside the Cybercrime Investigations Module, pivoting across identity assets in the background every time an analyst submits a selector. For consumer-facing applications, the Consumer IDLink API allows fraud and product teams to submit multiple identity artifacts together and receive correlated exposure signals for synthetic identity detection, high-risk account creation screening, and transaction risk decisioning. Teams deploying IDLink as a standalone API can query it programmatically alongside other data sources, feeding results into SIEM platforms, custom investigation workflows, or fraud decisioning engines. The common thread across all deployments is the same: IDLink replaces single-dimension identity checks with a connected view of a person’s full exposure history across their work and personal identity footprint.