Leaked Credential Monitoring.
Leaked Credential Monitoring continuously scans the dark web, through our data partner, for credentials that have leaked in breaches and infostealer logs. Every finding is tied to one of your organizations by domain and classified by risk, so you can focus on the credentials that actually unlock your environment.
How findings tie to your organizations
Findings connect to your organizations through domains. Each Customer Organization has one
or more monitored domains (for example yourcompany.com), and every leaked credential is
attached to the domain it belongs to. Monitoring is toggled per domain, so an organization
is only scanned on the domains you have enabled. Because each credential connects to a
domain, and each domain belongs to a Customer Organization, every finding rolls up cleanly
to the right organization.
The three categories of leaked credential
Each credential is classified automatically by where the leaked login actually works (its login domain):
| Category | Code | What it means | Direct risk |
|---|---|---|---|
| Employee credentials, own domain | CD | The leaked login points at one of your monitored domains, or at a corporate identity provider you sign in through (Microsoft 365 / Entra, Okta, Google Workspace). These are keys to your own systems. | Highest |
| Service-user credentials | CC | Credentials tied to service or customer-facing accounts, surfaced by the dedicated service-user scan and keyed on the domain itself. | Varies |
| Employee credentials, external platforms | OD | An employee used their corporate email address to register on a third-party site (a forum, SaaS tool, or marketplace) that was later breached. The login works on someone else's platform, not yours. Useful for spotting password-reuse exposure. | Lower |
How classification works
The classification is automatic. If the leaked login domain matches one of your monitored domains or a known corporate identity provider, the credential is own domain (CD). Otherwise it is treated as external (OD). Service-user findings come in as service-user (CC).
Liberty91 surfaces counts and metadata only. It never displays the leaked passwords, and it never exports them. The CSV records only whether a password was hashed, never the password itself.
Where to go next
To decide who hears about which findings, and to see what the alert email and CSV attachments contain, read Configure leaked-credential alerts. Monitored domains belong to your Organizations.
Frequently asked questions
Why does monitoring leaked credentials matter?
Stolen and leaked credentials are one of the most common ways attackers get into organizations. In MITRE ATT&CK this is Valid Accounts (T1078): attackers sign in with legitimate credentials instead of exploiting a vulnerability, so they bypass controls and blend in with normal activity, which makes them hard to detect. Verizon's 2025 Data Breach Investigations Report ties stolen credentials to roughly a third of breaches. Finding an exposed credential early lets you reset it before it is used.
What is MITRE ATT&CK Valid Accounts (T1078)?
It is the technique where adversaries obtain and abuse the credentials of existing accounts to gain initial access, persist, escalate privileges, or evade defenses. Because the activity uses a real login, it often avoids malware and looks legitimate, which makes it harder to spot. Leaked and infostealer-sourced credentials are a primary supply for this technique, so monitoring your exposed credentials is a direct countermeasure.
Does Liberty91 ever show the leaked passwords?
No. The platform and the alerts show counts and metadata only. Passwords are never displayed and never exported; the CSV records only whether a password was hashed.
How are leaked credentials linked to my organizations?
Through domains. Each Customer Organization has one or more monitored domains, and every finding is attached to the domain it belongs to, so it rolls up to the right organization.