Dark Web Monitoring
BleedWatch Dark Web Monitoring tracks your organization's exposure across credential leak databases, stealer logs, paste sites, and ransomware leak sites. It alerts you when employee credentials or company data appear in underground sources.
What BleedWatch Monitors
| Source | What It Covers | Check Frequency |
|---|---|---|
| HIBP (Have I Been Pwned) | Known data breaches where your email domain appeared | Every 6 hours |
| Paste Sites | Pastebin and similar sites where credentials are publicly posted | Every 6 hours |
| Stealer Logs | Credentials exfiltrated by infostealer malware (Redline, Raccoon, Vidar, LummaC2) | Every hour |
| Ransomware Leak Sites | Listings where ransomware groups publish victim data | Every 30 minutes |
BleedWatch never tests leaked credentials against live systems, attempts authentication, or probes your infrastructure. All monitoring is passive intelligence — analyzing data that is already publicly available.
Understanding Stealer Logs
What Are Stealer Logs?
Stealer logs are databases of credentials and browser data stolen by infostealer malware. When an employee's machine is infected, the malware exports all saved browser passwords, session cookies, autofill data, and authentication tokens. These logs are then sold on dark web marketplaces and distributed through cybercrime channels.
Why Stealer Logs Matter
Stealer logs are one of the most dangerous credential leak sources because they often include:
- Plaintext passwords — Not hashed, immediately usable
- Session cookies — Allow attackers to bypass multi-factor authentication (MFA) entirely
- The exact login URL — Attackers know exactly which service to target
Findings that include stolen session cookies are more dangerous than plain password leaks. Stolen cookies give attackers immediate account access that bypasses MFA. Prioritize these findings for immediate response.
HIBP Integration
BleedWatch queries the Have I Been Pwned database for data breaches affecting your email domain. Each breach result includes:
- Breach name and date
- Number of accounts affected
- Types of data compromised (passwords, email addresses, phone numbers, security questions, auth tokens)
- Verification status — Whether HIBP has verified the breach is legitimate
Breach Severity Classification
| Severity | Criteria |
|---|---|
| Critical | Verified breach with passwords or credentials exposed |
| High | Unverified breach with passwords exposed, or auth tokens exposed |
| Medium | Email addresses plus additional PII exposed, but no credentials |
| Low | Minimal data exposure, or breach marked as fabricated/spam |
Interpreting Severity
Credential Findings (Stealer Logs)
Severity is determined by:
- Whether the plaintext password was available
- Whether session cookies were stolen (highest risk)
- Password strength (weak/medium/strong)
- The infostealer malware family involved
Paste Site Findings
| Severity | Criteria |
|---|---|
| Critical | Full credential combos (email:password patterns) detected |
| High | API keys, tokens, or partial credential patterns found |
| Medium | Multiple email addresses from your domain but no credentials |
| Low | General domain mention only |
Dark Web Mentions
| Mention Type | Typical Severity | What It Means |
|---|---|---|
| Ransomware listing | Critical | Your organization appeared on a ransomware group's leak site — the attack has already happened |
| Initial Access Broker sale | Critical/High | Someone is selling access to your infrastructure |
| Forum discussion | Medium | Your organization is being discussed on cybercrime forums |
| Telegram post | Medium/High | Your data or credentials appeared in a cybercrime channel |
Responding to Found Credentials
When BleedWatch alerts you to a credential leak, follow this response workflow:
Step 1: Treat Every Credential as Compromised
Do not wait for additional validation. Assume the credential is already in attacker hands.
Step 2: Force Immediate Password Reset
Use your identity provider (Okta, Google Workspace, Active Directory) to force a password reset for the affected account.
Step 3: Revoke Active Sessions
If the finding includes stolen session cookies or auth tokens, revoke all active sessions for the affected account — a password reset alone is not sufficient.
Step 4: Check for Credential Reuse
Determine whether the same password was used on other systems. Credential stuffing attacks use leaked passwords to try logging into every service an employee might use.
Step 5: Cross-Reference with Shield Findings
Check if the leaked credential matches secrets found in your codebase or build artifacts (Shield findings). A credential appearing in both dark web leaks and your source code is a critical convergence point.
Step 6: Mark as Remediated
Once the password reset and session revocation are confirmed, update the finding status to Remediated.
Finding Statuses
| Status | Meaning |
|---|---|
| New | Just detected, no action taken |
| Confirmed | Verified as a real credential leak |
| Remediated | Password reset and/or session revocation completed |
| False Positive | Not a real credential leak |
| Accepted Risk | Acknowledged but no action planned (requires justification) |
| Expired | The credential is no longer valid or the breach is stale |
Cross-Source Correlation
BleedWatch's correlation engine cross-references dark web findings with EASM findings from Shield and other modules. For example:
- An AWS token found in a public NPM package + the same developer's credentials in a stealer log = compound Critical alert with full context
- A database password in a Docker image + an open database port discovered by Sentinel = escalated attack path
This cross-source correlation turns isolated data points into actionable intelligence.
Troubleshooting
No Dark Web Findings
If you see no findings, verify that your monitored domains are correctly configured in Settings. BleedWatch searches for credentials matching your registered email domains.
High Volume of Low-Severity Findings
Low-severity findings (domain mentions, unverified breaches) can be noisy. Use the severity filter on the dashboard to focus on Critical and High findings first. Consider configuring alert routing rules to notify only on High and Critical severity.
Stale Findings
Historical credential leaks may resurface on new marketplaces. If a finding references a breach you've already remediated, mark it as Remediated or Expired to keep your dashboard current.