EUROCONTROL Strengthens Security and Cyber Awareness for the European Aviation Industry with SpyCloud’s Automated ATO Solution

The European Organisation for the Safety of Air Navigation, or EUROCONTROL, is an intergovernmental organisation working to achieve safe and seamless air traffic management across Europe. EUROCONTROL’s member states, comprehensive agreement states, and stakeholders, including navigation service providers, civil and military airspace users, and airports, work in a joint effort to make aviation in Europe safer, more efficient, more cost effective, and with a minimal environmental impact.


When EUROCONTROL created its European Air Traffic Management Computer Emergency Response Team (EATM-CERT), the team was charged with seeking opportunities to enhance the organisation’s security posture and increase cybersecurity awareness.


After an evaluation of services, the team selected SpyCloud Employee ATO Prevention as the first tool in its cybersecurity framework because they saw protecting users against account takeover (ATO) and ransomware as a high-impact opportunity.


EUROCONTROL protects its 2,000 employees and 1 million constituent accounts on 130 domains from ATO that can lead to ransomware attacks, increases cybersecurity awareness, and provides enormous value to their security program with SpyCloud.

Protecting the European Aviation Industry Against ATO and Ransomware

EUROCONTROL fulfils the European Union’s commitment to “One European Sky” as an intergovernmental agency that supports aviation in Europe by delivering technical excellence and civil-military expertise across the full spectrum of air traffic management. The organisation consists of 41 member states, two comprehensive agreement states, and aviation stakeholders, including navigation service providers, civil and military airspace users, and airports. The agency’s mission is to support operations, research, and innovation for the aviation industry across the continent.

When the European Air Traffic Management Computer Emergency Response Team (EATM-CERT) was created within EUROCONTROL in 2017, the team sought security solutions that would make a quick impact on the community by enhancing the organisation’s security framework and also promoting cybersecurity awareness with their constituents. A key criteria for potential solutions was automation, since the team was new and had limited resources available to manage new programs.

“We are there to help the community and provide something that is adding value,” said Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager for EUROCONTROL. “We sought out new services that would make a difference in and help our community of member states and stakeholders.”  

The team initiated the lengthy public procurement process in which services were evaluated in an open, fair and transparent manner, with considerations during testing including whether the service was useful, impactful, and cost and resource efficient. 

One of the security challenges facing the aviation industry is “big game hunting,” in which cybercriminals target large, high-value organisations with ransomware. Aviation stakeholders, especially airlines and airports, manage a lot of personally identifiable information (PII) for passengers, which is an intriguing target for criminals as information that can be monetised.

Aviation tends to be an attractive target for cybercriminals and state-sponsored groups because it is a critical infrastructure sector for a country, and for a lot of countries they are very much dependent on aviation. It can be an important element of the economy, as well as a source of national pride. For aviation, it’s really important to be protected because we are a target for hackers with enhanced capabilities for attacks.”
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

SpyCloud Employee ATO Prevention was selected as the first value-added service for EUROCONTROL’s EATM-CERT program because it would make an immediate, high impact on the organisation by protecting accounts from account takeover  and ransomware using insights from data recaptured from the criminal underground. 

Previously, a national cybersecurity centre would alert EUROCONTROL of any breach notices and the team would handle that on a case-by-case basis as a result of an outside alert. Now with SpyCloud, EUROCONTROL proactively monitors and manages its employee and constituents’ user accounts to ensure compromised credentials aren’t being used within internal systems. SpyCloud Employee ATO Prevention protects 2,000 EUROCONTROL employee accounts and approximately 1 million constituent accounts from 130 domains against ATO and ransomware. 

Additionally, SpyCloud created a feature to provide account views and dashboards for each individual constituent using the service. The EUROCONTROL EATM-CERT team was able to implement and manage the solution quickly and with ease, with the scalability to accommodate new constituents. 

EUROCONTROL’s mission to achieve safe air space in Europe aligns well with SpyCloud’s mission to make the internet a safer place. While EUROCONTROL uses SpyCloud to protect against ATO and ransomware, another benefit of the solution is that it helps bring awareness to everyone’s responsibility to protect their credentials and identity.

As we move toward digitalisation, people tend to be naive about digital assets. For example, they will protect their passport, but not their credentials. We’re trying to convey the message that credentials are as important as your passport. It helps people understand the world we’re living in and to behave in a more responsible way.”
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

Offering SpyCloud Employee ATO Prevention to its constituents helps EUROCONTROL provide critical value-added services and strengthen its reputation. The agency’s success is evidenced in the addition of new constituents over time.


Protecting a Million Accounts from ATO and Ransomware

With EUROCONTROL supporting all aspects of aviation in Europe, SpyCloud’s Employee ATO Prevention protects the accounts for all EUROCONTROL constituents, including airlines, airports, and civil and military airspace users. While EUROCONTROL protects 2,000 of its own employees, the SpyCloud solution extends to its constituents, protecting approximately 1 million accounts from 130 domains from ATO. Since 2018, EUROCONTROL has been able to identify more than 300,000 vulnerable accounts and prevent potential ATO attacks.  

Further, protecting against ransomware attacks in a critical infrastructure sector such as aviation is paramount to ensure the safety of employees, passengers, military personnel, and all those involved in the European airspace. EUROCONTROL is able to use insights on malware-infected users from SpyCloud to help constituents prevent attacks that can have serious consequences.

We recently helped an aviation stakeholder identify that they had compromised systems. Our ability to identify infected users was really beneficial because their cyber capabilities didn’t detect that their system was subject to a cyber attack. It’s via the information of the compromised account from EUROCONTROL that they further investigated and they found out that their system was attacked.
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

Bringing Value and Awareness to All Constituents

Working with SpyCloud allows EUROCONTROL to not only address security challenges, but also bring awareness to the value of security solutions by making it personal. For example, during the test phase, SpyCloud was able to show EUROCONTROL board members their personal exposure on the criminal underground. This information helped the organisation see the value and importance of investing in this type of solution.  

“The biggest benefit of working with SpyCloud is raising awareness, really opening everyone’s eyes and making a big difference with something tangible to individuals, including senior management. The beauty of it is showing that all staff in the organisation have a responsibility. Everyone is a door to enter the organisation, and each of us is a guardian of that door. It’s not the business of just the IT security team. It’s everyone’s duty to behave in a way that will contribute to enhancing the level of resilience of the organisation. Because they are aware, they are careful and they are mindful about their responsibility with regard to their credentials,” Patrick said.

Strengthening Security For Every Constituent Through Automation and Efficiency

EUROCONTROL is able to offer SpyCloud services to all of its constituents, many of which may not be able to procure such a service themselves due to challenges with the procurement process, financial constraints, or competing priorities. 

“We help the community because the more companies that are aware of this kind of service and the benefits, the more they will be open to other cyber investments. It’s a dynamic that we’re creating to enhance the level of cyber culture,” Patrick said.

With SpyCloud, EUROCONTROL and its constituents can automate activities, responses, and analysis so the teams can be more efficient and focus on other value-added projects. 

“Having a certain level of automation is important because it allows us to conduct analysis that derives indicators and signals on a dashboard. It’s super flexible, efficient and easy, so it gives our team the opportunity to spend time on other priorities rather than manual tasks related to monitoring for and remediating compromised credentials,” Patrick said.

Bolstering Penetration Testing Capabilities with Recaptured Data

Password hygiene is critical for the organisations supported by EUROCONTROL. Many workers in the aviation industry are passionate about flying, and key phrases, aeroplane types or company names tend to show up in passwords, which is to be expected based on human behaviour. EUROCONTROL not only uses SpyCloud data to produce rainbow tables for penetration testing (pen testing), but it also plans to strengthen its overall password security and pen testing by developing an artificial intelligence/machine learning (AI/ML) application to identify aviation-related passwords based on SpyCloud’s dataset.

For an AI/ML tool to work, you have to train a model and for that you need a data set. Since our users are interested in aviation, they will use passwords with aviation terms in them. That’s where the SpyCloud service is really useful because most of the time, the passwords that have leaked can be cracked and therefore we can enrich our AI model with already known aviation-related passwords.
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

Support Regulatory Compliance Preparedness

When industry and government regulations have significant impacts for noncompliance, having a strong security framework is critical to ensure requirements are being met. For example, a EUROCONTROL constituent may find that they aren’t as prepared to meet regulatory requirements like GDPR, but having access to solutions such as SpyCloud Employee ATO Prevention through EUROCONTROL can strengthen their ability to comply.  

While there’s no regulation in place that requires organisations to investigate whether credentials are exposed, the SpyCloud solution can be part of your arsenal to demonstrate that you’re able to comply with the regulation. GDPR is tough and not everybody understands all the consequences of that immediately, so it may take a while to address the overall issue and the challenges around that regulation
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

About SpyCloud

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Our products leverage a proprietary engine that collects, curates, enriches, and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Our unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings.

SpyCloud customers include half of the 10 largest global enterprises, midsize companies, and government agencies around the world. Headquartered in Austin, Texas, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

Download the PDF version of the case study to print or share with others.

Ecommerce Marketplace


Mobile Ecommerce Marketplace


Reduces ATO fraud and avoids $1 million in fraud losses in burgeoning Latin American market with SpyCloud

With over 27 million active users per month, this ecommerce marketplace provides a personalized and entertaining shopping experience to consumers around the world via mobile devices. As bad actors target its site and customers, the organization looked for new ways to proactively combat them.


Following a surge in fraud after high-profile data breaches in the Latin American market, the ecommerce marketplace sought innovative and effective ways to reduce account takeover (ATO) to protect consumer information and reduce financial losses due to fraud.


The marketplace chose SpyCloud Consumer ATO Prevention to detect when its consumers are using compromised credentials, so they can be reset to prevent ATO.


SpyCloud’s Consumer ATO Prevention solution has helped the company identify vulnerable accounts quickly and take action to prevent millions of ATOs. As a result, the marketplace avoided $1 million in fraud losses and enabled 2 full-time resources on the risk management team to focus on other projects.

Ecommerce Platform Sought Innovative Approach to Combat ATO

Historically, the ecommerce platform has experienced a higher fraud rate in the Latin American market, and noticed a spike in fraudulent activities and increasing losses following several high-profile data breaches that exposed credentials and sensitive data including credit card numbers. After the marketplace saw evidence of credential stuffing attempts and ATO attacks, the company sought innovative ways to protect their customers’ personal account information and their own bottom line.

For this organization, ATO impacts are two-fold: they negatively affect their brand reputation and their P&L. Accounts taken over by bad actors cause headaches for both the customer and the business, and can give the customer a perception of a lack of security on the marketplace. In addition to the potential loss of customers, fraudulent activity also causes increased chargebacks.

“ATO is one of those things that is very explicit for users who’ve been impacted. Even though financially there may not be huge impacts, it will create a scar when it comes to your trust with the customers.”
Director of Risk Management 

As the volume of ATO attacks and use of stolen credit card information increased on the platform, particularly with dormant accounts, tracking fraudulent activity proved to be a challenge for the ecommerce marketplace. While buyer behavior can offer insights into the validity of an account, the organization struggled to properly monitor suspicious account activity and transactions. 

Previous solutions that provided risk scores or signaled human versus machine behavior weren’t meeting the company’s expectations of combatting ATO. While these solutions were effective in detecting suspicious behavior, they came with a tradeoff between recall (identify as much fraud as possible with the lowest false negatives) and precision (accuracy in identifying bad actors with the lowest false positives so as not to disturb good users).

By using SpyCloud’s Consumer ATO Prevention solution, the ecommerce marketplace is able to leverage data recaptured from the criminal underground to flag users whose credentials are compromised, thus making the account vulnerable to ATO. Remediation steps include initiating challenges such as multi-factor authentication and password resets to better protect customers and their personal information. 


Reduced ATO Fraud Activity in LATAM Region by 90%

With Consumer ATO Prevention leveraging recaptured data from the criminal underground to identify accounts using compromised credentials, the ecommerce marketplace saw a 90% reduction in ATO in the Latin America region, which accounts for 50% of the company’s fraud activity in that area. As a result, the ecommerce marketplace avoided $1 million in fraud losses.

Prevented Millions of ATOs Globally

As the organization began using Consumer ATO Prevention, they found the scale of risk was much bigger than initially thought since they previously didn’t have the ability to properly benchmark ATO attacks. With the success in reducing ATO fraud activity in the LATAM region, the marketplace rolled out Consumer ATO Prevention across the entire platform to protect all user logins. SpyCloud’s solution proved to be the best balance between precision (low false positives) and recall (low false negatives).

Reduced Resources Dedicated to ATO Prevention

Before SpyCloud, the company’s risk management team was overwhelmed by work related to consumer account takeover, dedicating 2 data scientists and 1 engineer to the challenge. With SpyCloud, the company was able to reallocate 2 of these team members to other projects. Now, the team only requires a single data scientist to handle the reduced workload, and that team member still has the bandwidth to focus on other projects. Maintaining the SpyCloud API requires minimal time investment, as it runs automatically and only requires monitoring of high-level metrics.

“We value SpyCloud because not only does it help solve ATO, it also gives our team more bandwidth and allows us to provide a better customer experience.
– Director of Risk Management

About SpyCloud

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Our products leverage a proprietary engine that collects, curates, enriches, and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Our unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings.

SpyCloud customers include half of the 10 largest global enterprises, midsize companies, and government agencies around the world. Headquartered in Austin, Texas, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

Download the PDF version of the case study to print or share with others.




Industry: SOFTWARE

Atlassian Protects Its Enterprise And Its Customers While Saving Time With Automated ATO Prevention From SpyCloud

Atlassian’s team collaboration and productivity software helps teams organize, discuss, and complete shared work. Teams at more than 225,000 customers, across large and small organizations – including Bank of America, Redfin, NASA, Verizon, and Dropbox – use Atlassian’s project tracking, content creation and sharing, and service management products to work better together and deliver quality results on time.


Due to the increasing number of industry breaches, Atlassian sought a more efficient and proactive approach to addressing potential future incidents, without the burden of collecting, curating and validating exposed data on their own.


The company selected SpyCloud Employee ATO Prevention to proactively protect their 7,000 employees from the consequences of ATO, as well as SpyCloud Consumer ATO Prevention to detect potentially compromised customer accounts. 


Atlassian protects its employees and customers from cyberattacks with SpyCloud’s solutions, reducing resource hours spent researching Atlassian’s potential involvement in public breaches and securing its brand reputation.


Previously, Atlassian lacked visibility of the exposed credentials of their employees. Given the challenge of staying ahead of the ever-evolving threat landscape, they realized the need to proactively protect themselves against potential account takeover (ATO) attacks involving data stolen in third-party breaches. Atlassian prioritizes security and sought a reliable, scalable solution, allowing them to provide customers with the confidence that their corporate resources are secure.

Initially, Atlassian took a manual approach to addressing public third-party data breaches. For example, when an industry breach was made public, members of the security team would have to comb through the breach data to see if Atlassian was involved and would pre-process the dataset to make it actionable, then contact any impacted employees to remedy the issue. This manual process would take four or more hours per breach, and with breaches being made public seemingly every day, the team was spending too much time trying to keep up.

“We had to do everything manually before, and the whole process took a lot of time.”
Niels Heijmans, Principal Security Intelligence Analyst at Atlassian

They knew there had to be a better way and started looking into different options to help address their challenge. During their search, Atlassian evaluated vendors and found that many vendors were opaque in their data sources and collection time; it wasn’t clear where the data came from, or how old it was, or if the data set had already been actioned by Atlassian’s security team.


Transparency, the ability to quickly recapture data within days of a breach or malware infection occurring, and automated solutions made SpyCloud stand out from the competition. SpyCloud’s cyber analytics engine that transforms recaptured data from the criminal underground to make it truly actionable, coupled with its ability to recapture breached data earlier in the attack timeline, helped Atlassian solidify its decision to implement SpyCloud’s Employee ATO Prevention solution.

It took Atlassian a mere two weeks to fully automate the credential collection, verification and rotation process with SpyCloud’s API for both employees and customers, and the solution’s automation resulted in zero maintenance time. Atlassian is now alerted of any corporate credentials exposed in third-party breaches, and that notification triggers an automated ticket through their security operations center to action the issue, prompting the employee to reset their password. 

In addition to monitoring the use of exposed credentials, SpyCloud’s solutions help Atlassian identify when employees or suppliers accessing Atlassian services on personal devices are infected with malware, an incredibly difficult cyber threat to detect on devices outside of corporate control. The security team is then able to reach out to the infected user and help them remedy the issue by providing the infection source information and steps to remove the malware.

“It puts your organization at risk if a personal device is being used to log in with corporate credentials,” Niels said.

To combat this, SpyCloud offers unique data richness and transparency that goes beyond just finding compromised credentials. SpyCloud can tell you what user is infected with malware and for how long, which makes a difference in your incident response.

With the success of protecting employee accounts, Atlassian looked to fulfill their customer-focused corporate values by also protecting customer accounts with SpyCloud Consumer ATO Prevention. Many of Atlassian’s customers use their software to enable mission-critical tools, so a disruption or attack could have significant impacts, such as halting financial transactions or delaying critical medical decisions. Malicious actors gaining access to these types of business processes could have detrimental results, and Atlassian doesn’t stand for that. Protecting customers is at the core of how Atlassian operates.


Atlassian Protects Hundreds of Thousands of Corporate and Customer Accounts from ATO

Automated Solution Protects Employees and Enables Time Savings

Atlassian no longer spends hours manually processing public breaches. SpyCloud’s API allows Atlassian to quickly detect compromised credentials and remediate them automatically with SpyCloud’s fresh, actionable breach data and malware bot logs at their fingertips.

Because the solution is fully automated, we are able to process 14,000 unique credentials per month. This scalability allows us to use our resources efficiently.”

Extending ATO Prevention to Malware-Infected Users

Once Atlassian saw the results of how they were able to protect employee accounts and prevent ATO, they decided to explore how SpyCloud could help them support their corporate value to honor their customers. SpyCloud identified credentials from Atlassian users who had logged into their accounts using malware-infected personal devices. Atlassian tested 55,000 of these recovered logins against their consumer database over a three-month period and discovered that 70% matched their current Atlassian passwords. They were able to reset passwords for these users and secure their accounts. 

Today, Atlassian uses SpyCloud data to protect accounts for teams at over 225,000 customers and secure their mission-critical business processes.

Ease of Integration for Automation

Atlassian was able to easily integrate SpyCloud’s solutions into its security framework to maximize the value of its cybersecurity investments. SpyCloud’s solutions are integrated with AWS Lambdas, Jira, Splunk, and Atlassian’s security, orchestration, automation, and response (SOAR) solution to enable fully automated workflows that protect employee and customer accounts.

Icon - Products Integrations

Ongoing Support Enhances Vendor Relationship

SpyCloud’s dedicated customer success team ensures Atlassian’s satisfaction with its solutions and maintains an open communication cadence to support their needs. Whenever Atlassian requests feature updates or additional recently-recaptured data, SpyCloud’s team is quick to go the extra mile. 

“Whenever I have questions or feedback, the SpyCloud team is always willing to help,” Niels shared. 

They’re happy to have discussions about the products because we’re investing in them and finding value in them. And when I have ideas on improvements, there’s always someone from SpyCloud who will listen and help us.”

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.

Download the PDF version of the case study to print or share with others.

Fortune 100 Financial Services Company


Protecting a Fortune 100 Financial Services Company


Investigating the Global Threat Landscape



With high-value customer accounts on the line, this financial services company wanted to sharpen their account takeover prevention program to prevent more online fraud, as well as enhance their threat intelligence team’s investigations with breach data beyond what they could collect on their own. 


SpyCloud enables this firm to identify and remediate compromised consumer passwords at scale to lock out criminals. SpyCloud’s robust dataset also enriches the information the threat intelligence team can use to investigate fraud – which is important given that they typically start with only a few pieces of information.


Today, the firm protects millions of consumers around the world from account takeover fraud with SpyCloud. In their fraud investigations, SpyCloud data facilitates connections that weren’t possible before, helping the threat intel team get more out of their other data sources and deliver their findings with a higher degree of confidence. 

SpyCloud empowers enterprises against cybercrime by giving them access to the largest collection of compromised credentials and personally identifiable information (PII) in the security industry, as well as powerful tools for investigating threat actors and their personas.

One of the many large customers using the full set of SpyCloud data and research tools is a Fortune 100 financial services provider. This organization agreed to anonymously share details of their strategy for investigating and determining the credibility of threats to their consumers, employees, partners, and acquisition targets. For this security team, SpyCloud’s solutions have become key among the complex set of tools used to alert customers to threats, evaluate the risk of new business opportunities, understand the plans of cybercriminals, and hunt down fraudsters.

Threat Hunting

The financial services organization’s worldwide threat intel team uses a two-pronged approach to identifying, classifying and responding to threats. A tactical analysis team tracks the tactics, techniques, and procedures (TTPs) threat actors are using to target the organization, then determines response strategies depending on the type of threat, be it ransomware, malware, phishing, or credential stuffing.

A strategic analysis team investigates the perpetrators behind these attacks. The strategic analysis team identifies the individuals or groups who carry out attacks or share information related to the organization’s protections with other cybercriminals.

SpyCloud’s data helps these teams:

    • Protect consumer accounts from fraud by detecting and remediating exposed credentials.

    • Attribute threats to specific individuals or groups of actors and gather evidence for law enforcement.

    • Develop risk profiles on partners, vendors, and acquisition targets to protect the organization from inheriting risks through third parties.

Fraud Prevention and Investigation

Preventing fraud is the primary objective for this financial services firm, and SpyCloud helps by giving the fraud team reliable and fast access to breach data that can help prevent account takeovers. In these attacks, criminals use lists of known username and password pairs, often obtained from breaches, to attempt to log into financial accounts. Once in, they may change key account information to lock out the rightful owner and siphon funds elsewhere. Other tools and tactics are used depending on the criminals’ ultimate plan to monetize these stolen accounts – for example, some may be resold on the underground market – but stopping account takeovers in the first place is the best way to prevent financial fraud.

Among companies monitoring the dark web and cybercriminal underground, SpyCloud typically recovers, curates, and gets breach data into customers’ hands the fastest, thanks to its human intelligence-driven approach. This means customers like this Fortune 100 financial services organization can act on SpyCloud data quickly, alerting compromised customers before cybercriminals can monetize their information.

The task of protecting consumers for this organization is huge. Each day, the security team sees a massive volume of credential stuffing attacks against customer accounts. Many are low-level threats, in which attackers simply automate lists of password and username combinations to see if they manage to find a successful login. To prevent that success, the organization regularly checks their entire customer database against SpyCloud’s breach data to identify exposed credentials and force customers to reset them.

Pro Tip: Scanning your entire customer database and forcing credential resets for compromised users is a tactic SpyCloud recommends for all its customers, and the benefits extend beyond preventing fraud or providing peace of mind for security teams. Companies who proactively monitor and remediate for password exposures are more likely to retain customers. A PWC study of U.S. adults found that 87% of consumers say they will take their business elsewhere if they don’t trust that a company is handling their data responsibly. Most consumers do trust financial organizations with their data, and by being proactive in helping consumers avoid fraud, organizations can prove their commitment to responsible data handling.

Other account takeover attempts are more dangerous, carried out by motivated, adaptive threat actors who are specifically targeting the firm’s customer accounts. As the team explains, “We see actors that are very unsophisticated that just don’t care…and then we have actors who will respond within a certain time frame to a given control being introduced that specifically blocks their activity. Sometimes it’s 8 hours, sometimes it’s 24 hours, sometimes it’s a few days, but we can always tell which actors are targeting us and we notice certain patterns.”

Particularly for these targeted attacks, resetting compromised passwords quickly is essential. A consumer’s account is vulnerable the moment a new data breach exposes their login. SpyCloud’s fast access to new breach data enables the firm to shorten that exposure window by resetting exposed passwords quickly to head off this type of attack. 

Reducing Outside Risk

Today’s enterprises rely on hundreds of partners, vendors, and other third parties to deliver products and services to consumers around the world. Each outside group with access to the network presents a multitude of cybersecurity risks. This financial services organization uses SpyCloud’s investigation solution and breach data to see deeper into third parties’ overall risk profile, which is especially helpful in understanding the potential risks posed by acquisition targets.

At the beginning of an M&A process, the security team uses SpyCloud to investigate whether the target company has had any data breaches that they haven’t disclosed, whether because they have chosen not to inform the acquiring company or because they don’t know that they have been breached.

As the team investigates, the PII in SpyCloud’s database can help them identify exposed information they may not have previously known was in criminal hands. Names, addresses, phone numbers – each provides another pivot point for the investigation. The team will not only create a risk profile for the business, but will also identify the exposure of key executives and employees who may join the larger organization after the acquisition. It’s Zero Trust on an individual level.

Confidence is the Key to Intelligence Value

As a global organization serving many millions of customers and interacting with thousands of third parties, this financial services organization relies on SpyCloud as a critical part of its collection of intelligence-gathering tools. In this industry, security professionals know that confidence in the credibility of intelligence sources simplifies the difficult task of identifying threat actors, preventing their attacks from infecting consumers, and, hopefully, leading law enforcement to make arrests.

When reporting to internal stakeholders or to law enforcement, SpyCloud’s customer knows that their assessments of threats and threat actors are made with a higher degree of confidence because of the reliability and credibility of SpyCloud’s data.

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.

Alvarez & Marsal


Alvarez & Marsal


Alvarez & Marsal Automates Account Takeover Prevention for 6,000+ Users with SpyCloud Active Directory Guardian



When Alvarez & Marsal first encountered SpyCloud a number of years ago, they had a problem: many of their employees were using compromised passwords.


SpyCloud Active Directory Guardian’s automated AD scans and password resets enabled Alvarez & Marsal to detect and respond to compromised employee credentials at scale, providing a strong foundation for their now-robust employee ATO prevention program. 


With SpyCloud, Alvarez & Marsal protects 6,000+ user accounts around the world from ATO and maintains compliance with both GDPR and CCPA. Automated password resets give them confidence during audits – plus, they’ve boosted their score with cybersecurity insurance providers.

About the Customer

Alvarez & Marsal is a global professional services firm with over 6,000 employees spread across 54 office locations. With employees and customers around the world, Alvarez & Marsal is subject to a variety of regulations, such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This case study explores how the company uses SpyCloud to automate account takeover prevention for their workforce.

Automating Account Takeover Prevention

Alvarez & Marsal uses SpyCloud to monitor the credentials of employees at all 54 of the company’s global offices, as well as service providers enrolled in their Active Directory.

Multiple times a day, Alvarez & Marsal runs SpyCloud Active Directory Guardian to find out if any of their 6,000+ users’ credentials have been exposed on the criminal underground, checking against billions of compromised credentials in SpyCloud’s database that have been recovered from third-party breaches. Active Directory Guardian automatically forces password resets for users whose login information has been compromised.

“What SpyCloud’s Active Directory Guardian does for us is invaluable. To be able to search through billions of data points – it’s impossible for us to do. But Active Directory Guardian picks out issues instantly,” said Alvarez & Marsal Global Senior Director of IT Operations, Dan Holland.

“Capturing the issues before they become a problem is significant,” Holland said; it’s one key reason why the company has never experienced a breach.

Automation makes it possible for his team to close the gaps left by employees’ bad password hygiene, which evolves constantly. They’ve found that the biggest risk is presented by employees who reuse passwords from their personal life to protect their work accounts.

“We have seen people cycle through passwords that have normally been quite good, run out of ideas, and then go back to an old LinkedIn password,” Holland explained. “Active Directory Guardian needs to be run regularly because we have a lot of people looking at what we do and looking for possible routes in. Our SOC team is a very busy group.”

SpyCloud Active Directory Guardian scans Alvarez & Marsal’s 6,000+ user accounts multiple times per day.


For Alvarez & Marsal, SpyCloud plays an important role in a robust security program.

“Even though we have other layers of protection, we still see password reuse. So we know that if it wasn’t for Active Directory Guardian, people’s behavior would put us into a position of weakness.”

Preparing to Meet Global Compliance Regulations

Adopting Active Directory Guardian has made it easier for Alvarez & Marsal to prepare to meet the wide variety of compliance regulations they are subject to as a global company, such as Europe’s General Data Protection Regulation (GDPR), and set the company up for success with the California Consumer Privacy Act (CCPA).

“Because we’re global, we’re subject to everyone’s regulations. So we have to treat everything at that top level and address accordingly,” explained Holland.

“SpyCloud plays a part in helping us understand our security posture. We can say we’re Cyber Essentials Plus certified, we can discuss what processes we have in place with Active Directory Guardian to protect us in case a password is leaked. There’s a gap that SpyCloud’s Active Directory Guardian fills for us, and lots of people don’t have that addressed. We think that gives us a little bit of an edge on any queries that go down that particular path.”

Specifically, Holland said, using SpyCloud to support their preparation for GDPR set them up for success with CCPA.

“GDPR is comprehensive, and CCPA follows a very similar ethos. Being prepared for GDPR and having our answers ready and that toolset that we use, which includes SpyCloud, puts us in a very good position to be able to address CCPA.”

For Holland, using SpyCloud to detect and reset compromised passwords automatically provides peace of mind when auditors reach out. He feels confident in his ability to answer their questions and satisfy requirements related to account security.

“SpyCloud often comes into the picture during an audit, either to make a statement on our posture, or to talk about what happens if a password is discovered. Active Directory Guardian reports in, we have tickets created, and we can track what’s discovered and when.

And it also will give us an indication of particular user habits, of maybe their consciousness around security,” Holland explained. “I see a lot of audit requests from banks, customers, etc. We’re asked, how quickly can you react to something? With Active Directory Guardian running on a daily basis, as soon as there’s a hit, the password is reset. I’m not sure you can do much better than that.”

Compliance aside, the ability to address these types of concerns with SpyCloud has provided other unexpected benefits.

“As a byproduct, SpyCloud has also given us a better score with our insurance companies. I remember six months ago being brought into a meeting with our cyber insurance providers and they told us that we were the lowest-risk company that they had seen. That’s due to the stack we’ve implemented, and obviously SpyCloud is part of that stack.”

Protection For Years to Come

When Alvarez & Marsal first started using Active Directory Guardian a number of years ago, they were just beginning to roll out a multi-factor authentication program. SpyCloud data provided powerful evidence of password reuse that helped accelerate MFA adoption across the business. Today, Active Directory Guardian is a central piece of a larger toolset the company has built to protect employee accounts from account takeover.

“This is a product that we’ve purchased or renewed year on year. So there’s the value of it. Every year, it’s automatically renewed—no questions asked. That’s quite a powerful statement really, especially when there are a lot of options in different areas in the marketplace and sometimes budgets are difficult. SpyCloud seems to be one of the first that gets ticked off the list.”

SpyCloud Active Directory Guardian

Detect and reset compromised Active Directory passwords automatically using the largest database of compromised credentials in the world.

Whether you choose to run a manual or automated scans, SpyCloud checks your users’ Active Directory credentials against billions of recovered breach assets to see if any of your corporate logins are available to cybercriminals. You can identify if your employees have reused exact breached credentials, “fuzzy” variations that are easy for criminals to detect, off-limits passwords like your company name, or any
password that has ever appeared in the SpyCloud database.


Download the PDF version of the case study to print or share with others.

Global Fintech Company


Global Fintech Company


SpyCloud Enabled a Global Fintech Company to Protect Thousands of Vulnerable Accounts Representing Tens of Millions of Dollars

Fintech Account Takeover Prevention Case Study - SpyCloud
Benefit #1:

Account Takeover Prevention

With SpyCloud, this company is able to combat both automated and targeted account takeover attacks against their consumers.

Scroll to Benefit 1

Benefit #2:

Automation at Scale

Using the SpyCloud API, the company has been able to automate nearly 100%, freeing up time for the security operations team.

Scroll to Benefit 2

Benefit #3:

Infected User Intervention

The company has protected thousands of accounts by intervening proactively when consumers appear in SpyCloud’s botnet data.

Scroll to Benefit 3

About the Customer

This case study covers an anonymous SpyCloud customer – a fintech platform used by merchants, consumers, and traders all over the world. The company also provides merchant payment processing systems and tools supporting some of the most highly trafficked websites. Due to the valuable and sensitive nature of its users’ information and assets, threat actors are continuously looking for ways to exploit them.

Combating Automated and Targeted Account Takeover (ATO)

With so much at stake for its business and customers, this company invests heavily in cybersecurity. It goes to great lengths to not only protect customers and employees, but also to educate them on how to protect themselves and why it matters. Despite warnings for the last several years, many consumers continue to reuse passwords across multiple websites and services. When one site is breached, threat actors apply those stolen credentials to access consumer accounts on other sites.

“We know that password reuse and compromised credentials are still the number one way that people get themselves hacked,” explained the head of the organization’s security operations team. “We’re one of the few major consumer-facing platforms that requires two-factor authentication for all of our users. But even with 2FA, a stolen or lost password is still a really bad security situation.”

The company uses SpyCloud to check users’ credentials proactively, identifying logins that appear in SpyCloud’s breach data, and taking action to secure vulnerable accounts as soon as possible after an exposure. In addition to protecting users from account takeover by locking out potential attackers, this also helps to reduce the confusion caused when users receive unexpected 2FA codes during credential stuffing attempts.

“Since starting to use SpyCloud, we’ve seen a corresponding drop in partial logins, which might happen if there’s a login attempt using a breached login combination that can’t bypass two-factor authentication, for example. But that still triggers a login notification to the user and they get confused. For us to be able to get ahead of that curve and know that we can prevent these partial login attempts in the first place adds an extra layer of defense.”

High-volume credential stuffing attacks aren’t the only concern for this organization. Given the substantial monetary value of the accounts they manage, cybercriminals are very motivated to invest time and effort into targeted, creative attacks against their customers. As a result, the company not only uses SpyCloud data to reset exposed passwords, but also to help model clients’ account takeover risk behind the scenes to determine who may be at highest risk of an attack. For example, the company has found that being exposed in a data breach at all —regardless of whether a password was exposed—increases customers’ likelihood of being targeted for SIM-swapping.

“We get some predictive data out of SpyCloud that we factor into our risk models. If you have recently appeared in a data breach, you are at elevated risk of SIM-swapping and that’s something we can take action on accordingly.”

Users’ breach exposures can reveal not only risks created by the specific information criminals have access to, but also the ways a user’s own habits can put them in danger. By including that information in risk models, the security team can identify accounts that may require additional oversight or even individual outreach for education.

“If you have 30 or 40 passwords exposed, or if 20 of them are the same, it tells us something about your security patterns as an individual. That means we can do some targeted individual outreach with clear recommendations, or factor that information into our ATO risk models. If someone has a higher risk of ATO due to their prominence in the community or the balances they carry, but they don’t demonstrate the same security hygiene that we hope for, we might want to put in some countermeasures.”

Automating Account Takeover Prevention at Scale

The company’s security operations team reviewed several options and chose SpyCloud because of its industry-leading cybersecurity expertise and robust dataset, which provided a match rate of 3-5 percent on customer-facing credentials during their initial data test.

The team was also impressed with the speed of SpyCloud’s high-volume, performant API, which is important because if the company opts to gate a user login, verification of the account credentials needs to be instantaneous. The API interface was also easy to work with during implementation, making setup a breeze.

“The SpyCloud API was super easy to integrate. It took a day and a half for our engineers, and then it was just up and running. We’ve had the integration in place for a year now and had zero issues, zero downtime. On the technology side, it’s an enterprise-grade API for us.”

With access to high-quality, regularly-updated breach data from SpyCloud, the company was able to eliminate manual sourcing for credential lists, which had been taking about half of a full-time employee’s time without coming close to satisfying the organization’s needs. In addition, the team was able to create automated workflows using the SpyCloud API that freed them up to work on higher-value projects.

“Our goal is always to automate as much as possible, and in SpyCloud’s case, we’ve been able to automate virtually 100%. That has been a tremendous time saving so we can focus on things that are more targeted, unique, or interesting.”

Automation opens up more time for activities that can help the team continually improve their sophisticated account takeover prevention program, such as performing internal investigations to evaluate trends and root cause analysis, and determine if there are additional mitigations they might be able to put into place to protect customers. To help support these activities, the team uses SpyCloud’s API to integrate SpyCloud data into their Security Orchestration, Automation and Response (SOAR) tools.

Using SpyCloud data in conjunction with SOAR tools helps the team enrich and pivot on their investigation data, as well as provide additional feedback for their account takeover modeling. For example, SpyCloud data has helped the team correlate credential stuffing botnets to understand the sources of the combolists they’re testing and determine if other accounts might be at risk. Using lists of stolen credentials, malicious actors leverage this type of botnet to bombard websites with attempts to gain access using the stolen logins.

“Given the passwords these botnets are trying, we can develop hypotheses about where they’re getting their source data and to some extent, what software is being used. This lets us pivot and see what other email addresses were exposed in that particular breach.”

Through scenarios like this, SpyCloud helps the team strengthen their defenses proactively in support of their primary objective: “We do everything we can to protect our users and their funds.”

Protecting Consumers from Credential-Stealing Botnets

SpyCloud recovers some data collected by botnets – malware infections that siphon credentials and other data from users’ systems and send them to an attacker’s command and control panel. If a user’s credentials appears in a botnet record, it’s likely that attackers also have access to a substantial amount of other sensitive data, including their personal information, additional credentials, web history, browser fingerprint, and more. These users are at extremely high risk of account takeover, and criminals often start by targeting valuable accounts such as those belonging to customers of this fintech company.

By using SpyCloud data to identify users whose data has appeared in botnet records, this company has been able to lock cybercriminals out of thousands of highly vulnerable accounts.

“With SpyCloud’s botnet data, we’ve protected thousands of accounts representing tens of millions of dollars of funds. They are users we found in SpyCloud’s botnet data, where we were able to successfully intervene and force password resets and account recoveries before an attacker was able to do something malicious with those credentials.”

Because these users’ systems have likely been compromised, the company takes steps to ensure reset passwords don’t end up right back in an attacker’s hands.

“We assume that if your [customer login] credentials appear somewhere in the botnet data, your email and phone and other mechanisms for proving you are who you say you are are compromised, too,” explained the head of the security operations team. “By educating customers about cybersecurity, the team hopes to help users eliminate the malware from their systems and prevent them from falling into similar traps in the future.”

“With the botnet data, we saw a very easy way to give a high-signal, highly targeted message to end users where not only can we say that we’re going to take more extreme security measures, lock the users’ account, and require them to re-verify; but we’re also able to send them an email saying, ‘it looks like your password was stolen due to malware; before you recover your account, we highly recommend running some sort of antivirus scan, using a password manager…’ Otherwise they’re just going to end up back in the same position.”

With valuable accounts at stake, consumers’ reactions to this outreach have been positive. Even better, this approach means the company has not only protected accounts on its own site but likely others as well, preventing immeasurable damage.


Using SpyCloud data to support consumer account takeover prevention enables this company to support one of their guiding principles: maximizing security without sacrificing usability.

“Security and usability are often seen as opposites, as tradeoffs. We strive to make sure they aren’t,” they explained. “We want to be the most secure and most trusted, but we still want to be the most useful. That’s where SpyCloud fits in because it gives us the data we need to intervene when we need to, and then leave users alone when we don’t.” Rather than forcing users to jump through hoops that might encourage more bad habits, the team strives to provide as much protection as possible without adding friction to the login process.

“We look for ways to make login and authentication as easy for users as possible and still help intervene at key points to prevent them from harming themselves. If we can see that a user has a bad pattern of setting simple, predictable passwords that are going to get them in trouble later, that allows us to do a targeted intervention. SpyCloud gives us another tool in our arsenal to protect our customers without forcing them to try to think like a security team.”

Beyond protecting consumer accounts, the team highlighted some additional benefits that are often overlooked, such as the reputational value of investing in account takeover prevention.

“We look at SpyCloud as reputation mitigation as well. You can do everything right and still end up in headlines for the wrong reasons. At a certain volume, ATO is indistinguishable from your platform’s security being compromised.”

The team also emphasized the bigger picture, pointing out how interconnected financial services accounts have become. Because of integrations between different types of accounts from both fintech and traditional financial accounts, an account compromised on one platform can easily cascade into losses for another provider. Conversely, companies with strong account takeover practices provide additional protection for providers whose users have connected accounts. Ultimately, the team hopes more financial services organizations start using SpyCloud. 

“As more companies start to use SpyCloud and check for compromised credentials, there are some really powerful network effects that can come out of it. We’ll all benefit.”

The SpyCloud Difference

Truly Actionable Recaptured Data Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.

Global Managed Services Provider


Global Managed Services Provider


SpyCloud Enables a Global Managed Services Provider to Expand the Value of Their Offering Without Hiring Additional Staff


As a managed security provider, this customer needed an efficient way to keep up with newly-exposed breach data, both to identify clients’ account takeover risks and expand their visibility into threat actor activity.

Scroll to Challenge


With SpyCloud, the customer now alerts clients when employee credentials have been exposed on the criminal underground and uses SpyCloud Investigations to help identify, track, and profile specific threat actors to guide recommendations to clients.

Scroll to Solution


SpyCloud enabled the customer to offer credential monitoring to their clients to prevent ATO, as well as increase the quality of their threat intelligence reports — all without hiring additional staff.

Scroll to Result

About the Customer

This case study examines an anonymous SpyCloud customer that acts as a managed services provider for IT teams, supporting a set of Fortune 100 organizations. Their comprehensive security offering includes a whole suite of services such as security operations, threat intelligence, hunting, red teaming, and incident response.


Collect Breach Data Efficiently at Scale

MSSPs accumulate their clients’ challenges. When providing security services to thousands of subscribers around the world, agility and data quality are critical factors for remediating clients’ vulnerabilities before they can be exploited, and providing recommendations on evolving threats so clients can set up proactive defenses.

According to the vice president of threat intelligence services at the company, the customer knew they needed access to the breach data available to cybercriminals in order to protect their clients effectively. They carefully considered the time and resources required to gather that type of data efficiently on their own.

“How much is a person capable of collecting? To be able to scale you need to be able to collect as much data as possible and make sure it’s good quality. You need to have dedicated people to do that.”

Before turning to SpyCloud, the customer considered building their own internal service that would collect breach databases and monitor for client data. 

However, meeting their own needs for data volume and quality may have been prohibitively expensive and required additions to the team (or a whole new team). The customer understood that building this service themselves meant delaying a critical security service their clients needed.

“We knew how much and how long it would take to be able to do that and we wanted a solution that would help us hit the ground running right away.”


Leverage SpyCloud Data for Faster, Better Visibility

The customer was not collecting breach data on their own before using SpyCloud, but did know what data they wanted and how they would make it valuable to clients. When choosing a vendor to collect and operationalize this data for them, the customer says they considered several SpyCloud competitors but were impressed by the scale and quality of SpyCloud’s data.

“SpyCloud gave us an easy and quick way to offer credential monitoring to clients that subscribe to our service. When a breach is made public, our clients worry about whether or not their information is included in the breach. Being able to collect data quickly to answer that question, then get it in the clients’ hands to remediate vulnerabilities before is crucial.”

SpyCloud has recovered over 100 billion breach assets from the cybercriminal underground, and as the company and its data resources have grown, the customer says they’re experiencing an increase in quality and availability of data.

“Knowing I have a dedicated system I can rely on to tell me if we have credentials exposed gives me peace of mind.”

The organization finds SpyCloud’s speed in recovering data after a breach particularly valuable. 

“Every minute counts. Once a set of data is made available, we know there is a fast turnaround before bad guys get their hands on it and start attacking organizations using those accounts.”

In addition, the customer uses SpyCloud Investigations to help them identify, profile, and track threat actors in order to make security recommendations for their clients. This is another area where the quality and scale of SpyCloud’s data gave the customer an advantage: SpyCloud helps the team connect threat actor personas and TTPs into more comprehensive profiles.

“Having access to SpyCloud’s data lake related to PII supports a lot of research that we do. We can make connections between threat actors’ personas, the services they sell, malware they use, or specific attacks.”



Gain Critical Insights Without Increasing Team Size

SpyCloud’s ATO Prevention and Investigations solutions help this customer identify exposed credentials across their client organizations. This capability comes without the substantial investments of time and capital the customer would need to add dedicated staff who could collect, analyze, and operationalize breach data.

“I would need a bigger team without SpyCloud.”

Additionally, SpyCloud Investigations helps make the customer’s threat intelligence reports more valuable to their clients. And better data helps the customer build better profiles of threat actors. Their clients can use these profiles to more easily identify when certain TTPs are relevant to their organization and what changes are needed to close gaps in their security posture.

“SpyCloud really helps our research in connecting dots between a persona that we have and one that we don’t.”

Providing security services to support a set of Fortune 100 organizations requires agility. With SpyCloud’s solutions, this customer and their team can move from research to action more quickly and provide insight on evolving threats at the crucial time before attacks begin.

“I really like to be able to connect dots between identities and personas and that’s only possible because we have SpyCloud. We can cover a lot of ground with it, and we can cover a whole set of third-party places that are exposed in a breach. That really helps, especially for certain actors that we track. The reach that we have in SpyCloud in terms of collection is really helpful.”

“Because of the collection capabilities [SpyCloud has], we can do more at a bigger scale.”

“I sleep well at night knowing that I have SpyCloud.”

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.





Transforming Information Security with a New Vision and a New Model

About the Company

Zscaler is a cloud-based security company that is completely transforming the way companies approach information security. Many of the world’s largest and most forward-thinking companies rely on Zscaler to move their security off the network and into the cloud. Gartner has named Zscaler a leader in its Magic Quadrant for SWGs for seven consecutive years and the company recently went public. Clearly, Zscaler is moving the needle.

For the past decade, Zscaler has brought its revolutionary vision to a rather fixed mindset. It realized early on that employees had begun working differently than in the past. They weren’t attached to a static office and they weren’t consistently on a secure, corporate-controlled network using company-owned devices. The traditional security models were no longer aligned with culture. Today, mobility and the cloud enable all of us to be more productive and agile, yet it poses a new problem for security. How do you protect users, data, systems and applications when they aren’t always visible? How do you control security when traffic isn’t going through the traditional security stack?

Changing How Information Security is Viewed

While many business systems have moved to the cloud, security has been slow to transition. The hesitation comes less from cost or efficiency concerns, as most companies realize the cloud improves both, but more from the questions of complexity and scope. Zscaler recognized the opportunity to make modern security not only attainable, but comprehensive, with the scalability to encompass all of the ways people now work. The company took security hardware out of the enterprise data center and built its own multi-tenant, cloud-based stack around the globe, enabling companies to step away from managing their own stack and forwarding their traffic through the Zscaler stack instead.

Zscaler has been attractive to many of the world’s largest companies with distributed workforces and multiple locations. Smaller companies have taken notice as well, realizing they can finally afford an enterprise-grade security platform they don’t have to manage themselves. Zscaler is also a preferred partner for service providers who want to offer security to their customers through a SaaS-based platform.

For Sutton, attracting customers and partners is only a small part of the vision. Changing how information security (IS) is viewed is the bigger goal. “Gone are the days when IS dictates security within the company. Users have so much power now and IS doesn’t have the control or visibility they once had. CISOs have to rethink how they achieve their mission and find ways to empower users instead of being the “Office of No” that employees will just bypass. Security can be flexible without giving up protection.”

The Zero Trust Model

Visibility is a fundamental challenge for many in IT and IS. Protecting what isn’t seen is a common pain point. From BYOD, remote employees and cellular networks, to uploading data and unsanctioned apps, security leaders are hard pressed to control this seemingly rogue atmosphere. Even if they could gain visibility into all of this traffic, much of it today is encrypted and therefore unusable.

“You can’t control what every employee is doing—it’s simply not possible and companies will waste an inordinate amount of energy trying to do so,” says Sutton. “We built Zscaler with this perspective in mind. We don’t care where employees work, which device they use, or how they choose to connect. We had to build a solution that would enable IS to see all of the traffic, inspect it appropriately, and be alerted of anything suspicious. The zero-trust model insists we treat all devices and all websites as untrusted until they can be authenticated and users can be authorized. It’s not about changing the user habits. It’s about changing the IS model.”

Radically Rethinking Security

Changing perspectives is never easy, yet companies large and small are accepting the zero-trust model and taking steps to incorporate it into their methodology. Zscaler solutions are intentionally built to make this process easier and more adoptable. Zscaler built its security stack from the ground up and all of its capabilities are tightly integrated, so there is only one proxy through which all traffic runs. Controls as simple as blacklisting a site to more complex sandboxing can be performed through one system, making security more efficient and easily visualized.

As Zscaler continues to lead the cloud security market, it is taking a top-down approach. “It’s no longer selling a product to a line-level person in charge of firewalls,” Sutton says. “It’s so much bigger than that. We are pitching a new vision that C-level executives can champion to lead the transformation into the cloud. Zscaler is helping companies take their security to the next level—not with a specific product, per se, but by radically rethinking their approach to security.”

About Michael Sutton

Being the CISO at a security company is what Michael Sutton compares to being a skating coach on a hockey team. Everyone at Zscaler is a security pro, making his job unconventional. Instead of convincing employees to adopt his security protocols, he spends his time selling his vision and best-practice expertise to companies who he believes need to rethink their entire approach to internal security. Sutton is also a mentor and advisor to the next generation of security startup founders at Mach37. He has been with Zscaler since its inception in 2008, starting as vice president of security research. Prior to Zscaler, Sutton was a security evangelist at Hewlett-Packard and SPI Dynamics.

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.

A Large US University


A Large US University


A Large US University Freed Up Precious Resources and Solidified its Account Protection Using the Automated Capabilities of SpyCloud


With few resources to dedicate to account takeover prevention, this large US university was settling for a mediocre security solution that required too much manual effort.

Scroll to Challenge


The university leverages SpyCloud’s seamless integration with Splunk to automate its account takeover prevention strategy, enabling the institution to strengthen its security stance.

Scroll to Solution


Using SpyCloud automation and data, the university consistently discovers more account exposures and remediates in a fraction of the time as before and with fewer resources.

Scroll to Result

A Large US University Finds More Exposed Credentials 10X Faster with SpyCloud


Keeping Information Accessible While Protecting Accounts

This featured university takes cyber security seriously and is aware of the constant threats to its students, faculty and staff. Like many higher education institutions, however, this university has few dedicated security professionals on staff to implement and manage technologies and processes.

For security professionals at higher education institutions, there is often an identity access management dilemma. On the one hand, they want to restrict account access to only authorized individuals, yet they also want to remain “open” for students and staff to get any information they may need. This transparent framework fosters self-reliance and efficiency, but it makes it challenging to limit and control security.

The university understands account takeover is a pervasive problem throughout the college systems that is growing exponentially. They believed they were addressing threats with a product, but it failed to live up to its sales pitch, leaving them to perform additional work to get the most from the solution. “We had to do so many manual tasks after finding any issues and knew we might be missing other ATO threats. These efforts took time away from performing other necessary tasks in our security cycles,” says a manager in the Office of Information Technology at the university. “We were introduced to SpyCloud and were eager to compare credential matches. Even more so, we wanted to see how the integrations would speed remediation with fewer resources.”


Integrate SpyCloud and Splunk for Automation Efficiencies

The institution chose SpyCloud for several reasons, including the fact that the SpyCloud API could dump their robust breach data into its Splunk instance. According to the manager, integration into Splunk was key. “Our previous tool lacked Splunk integration, forcing us to use up resources to investigate suspicious accounts and take manual action in Splunk,” he says. “Splunk scripts pull in the SpyCloud data automatically to provide instant visibility into which of student’s or staff’s credentials have been exposed. The quantity and quality of their data is amazing, we’ve never seen anything like it.”

The Splunk integration means developers no longer have to take extra manual steps to consume the SpyCloud data. The SpyCloud API provides an efficient and reliable way for the Office of IT to access their exposed credentials that are being traded in underground communities.

Many other account takeover prevention solutions and tools find exposed credentials only after they are on public forums, much too late for remediation efforts to secure accounts.

“As a higher education institution with students, faculty and staff using school emails to access everything from financial aid to housing data to meal plans, we have a responsibility to protect those accounts as best we can from cyber criminals who hope to gain access to those accounts,” says the manager. “With SpyCloud, we feel like our security staff finally have the tool they require to know the who, what, when and where as it relates to compromised accounts.”


Faster, More Reliable Results with Fewer Resources

Since implementing SpyCloud, the school finds more exposed credentials than ever before. Thanks to the seamless API integration with Splunk, they are finding those exposures and taking action ten times faster than in the past.

“We have to do more with fewer resources every year,” says the manager. “SpyCloud digs deeper into the dark web and cyber underground than other tools and finds more stolen credentials sooner. We have more hits than we did with the other system because SpyCloud data is fresher and more complete.”

Exposures found 10X faster than with previous tools

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.

Oklahoma University


University of Oklahoma


OU Remediates 1,000 Exposed Email Accounts in Less than 24 Hours with SpyCloud


With few internal resources or sufficient tools to identify and remediate exposed student, faculty and staff email accounts, OU was at constant risk for accounts being compromised.

Scroll to Challenge


OU chose SpyCloud for its user-friendly API and comprehensive and operationalized exposure data it could quickly compare with its Active Directory accounts to automatically stop bad guys from compromising accounts.

Scroll to Solution


OU is now able to take proper remediation action based on reliable SpyCloud data and student employee ingenuity, saving thousands of accounts from being taken over and causing harm to users and the university.

Scroll to Result

University of Oklahoma Remediates 1,000 Exposed Email Accounts in Less than 24 Hours with SpyCloud

Founded in 1890, the University of Oklahoma (OU) is a public research university located in Norman, Oklahoma. With just over 21,000 undergraduate students, 6,000 full-time employees and 80,000 active accounts, the institution realizes the potential for cybercrime activity is a constant threat. It approaches security with a proactive stance but needed automation and good data to make a real difference.


Establishing Internal Means of Identifying Exposed Accounts

OU faces the same challenge that most higher education institutions face: students and staff use school email accounts for personal use, often reusing their OU passwords on multiple sites. When they do, they make it easy for cyber criminals to get into not only the personal sites but find their way into the school accounts as well.

OU knew some of its 80,000 active accounts were periodically exposed to cyber criminals. It just didn’t have an effective way to monitor these accounts and discover all of the exposures. It was relying on third parties, and open source resources such as Pastebin and Have I Been Pwned sites.

“We look at Pastebin and they will alert us of exposed credentials, but that only gives us part of the story because not everything gets posted publicly when there’s a data breach,” says Aaron Baillio, deputy CISO at the University of Oklahoma. “There are a lot of dark web and non-public sites that have our information but we can’t see it using open sources. We had to find a more reliable way to get alerts and manage exposures.”

Managing those credential exposures was no easy feat. Even when OU received a breach alert, they didn’t have the resource capacity to investigate and determine if all of the accounts belonged to active students or staff, if the exposed password matched their current OU password, or when the exposure occurred. The institution also had no password policy in place to secure active accounts. Baillio and his team made it a priority to protect the institution on the front and back ends.


Use SpyCloud API to Integrate SpyCloud Data with Internal Tools

The first thing OU did was establish a campus-wide password policy. Students, faculty and staff are obligated to reset their passwords every year with an eight-character minimum and complexity requirements. The same password cannot be reused for five cycles. Once good password habits were enforced, the school moved on to automating account takeover precautions.

OU had a few credential exposure products in their security stack but none with the scale and capabilities they required. They chose SpyCloud because the solution not only shows them where the credentials are located but gives them plaintext passwords and hashes so exact matches can be more easily found. It also reveals exposures in the dark web, those that aren’t listed in open sources. By catching the exposures before they are on public forums, OU can take more preemptive actions before criminals do harm.

“We don’t want to block an account if we don’t have to, so having such detailed and usable data from SpyCloud helps our security team be more discerning,” says Baillio. “We see the date of the breach, when the exposure was discovered, and its severity. If SpyCloud flags an incident with 10 emails affected but leaked more than a year ago, we hope our password policies forced a reset already and we wouldn’t need to lock the account.”

OU decided to integrate SpyCloud with its internal SOAR platform (security, orchestration, automation and response). Using the SpyCloud API, they pull SpyCloud breach data into their platform. When there is an alert about a particular data breach or credential leak, a ticket is automatically created.

As part of their practical application initiative, instead of using the SpyCloud Active Directory Guardian to generate automated scripts, the school selects a few SOC student employees to practice their skills to create homegrown scripts that check the SpyCloud data against the school’s Active Directory. These scripts determine if active accounts and passwords are the same.

“The SpyCloud API automates the heavy lifting and data gathering for us,” says Baillio. “Our student employees integrate SOAR and SpyCloud so we can quickly react. Having the API documentation in Apiary clearly defined, allows our team and students who have limited security experience to build effective automations. We can’t get that with other platforms out there.”


Fast Remediation with Minimal Resources

Using the SpyCloud API, a student employee was able to take a list of more than 7,000 exposed emails from SpyCloud, run it through their own script, and discover over 1,000 Active Directory accounts with matching passwords.

“Before SpyCloud, if we were alerted to 7,000 exposed passwords to manually check, we would most likely have had to ignore them due to a lack of resources,” says Baillio. “With SpyCloud, we can get that information in less than 30 minutes. We passed that information along to our help desk and in a matter of hours, 1,000 accounts were secured. Using SpyCloud and the ingenuity of our student employees, we are legitimately preventing bad guys from compromising accounts.”

Baillio believes the university is in a much better place now that they have SpyCloud in their security stack. Because SpyCloud enables them to quickly and efficiently identify compromised accounts using their own tools and in-house integrations, they can make decisions and remediate much quicker.

He and his team are focusing on training and outreach to educate students, faculty and staff on the dangers of password reuse, as well as phishing campaigns he says can generate up to a 60 percent click rate from students. “If you get your password compromised in one place, you can bet it’s compromised everywhere you reuse passwords. We need users to understand the many dangers that are inherent with emails and passwords. OU is striving to be a place of learning that goes beyond the classroom and impacts their everyday lives.”

7,000 emails checked with 1,000 exposed password matches found in less than 30 minutes

About Aaron Baillio

I’ve spent the first 10 years of my career with the Department of Defense. With them I traveled the world and supported both in garrison and deployed network operations and information assurance. I’ve written compliance documents for AF accreditation and NIST accreditation including policy and technical documents. I’ve also spent a lot of time performing security engineering through the system development process. Currently, I am the managing director of security operations at the University of Oklahoma. We cover the whole range of security operations from day to day sustainment to incident response. We’ve planned for and developed tool sets for malware detection, DNS security, vulnerability discovery and remediation and incident response maturity. We support the entire university in security operations and advise on departmental security projects.

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.