Account Takeover Integration

Breached Credentials

This page gives you an overview of our breached credential database and how it can be used to stop account takeover.

What are breached credentials?

Breached credentials are used by fraudsters when committing credential stuffing attacks. Attackers get credential combinations (usernames and passwords) from data breaches. They can then automatically try all these combinations against your login page to see if there are any matches.

Unfortunately, because many people reuse the same password across multiple services, there may be matches, and fraudsters can then gain access to those accounts.

You can read more about how fraudsters use breached credentials in our Ravelin Insights Guide.

Ravelin’s breached credentials database

Ravelin maintains a breached credentials database containing over 3.2 billion leaked username and password combinations. The credentials are found in cracking forums and the dark web. The database also includes commonly used passwords which are considered “breached”.

Any credentials that appear in our database should be considered very risky as they are widely available for attackers to use.

Checking credentials in our database

We check whether usernames and passwords are in our database when you send a request to our Login endpoint.

The response will contain a credentialStatus field which indicates whether the credentials are in our database.

If the credentials were breached, we will return a response similar to the one shown below:

{
    "credentialStatus": {
        "passwordBreached": true,
        "usernameBreached": true,
        "numBreachedPasswords": 2
    }
}

This response shows that the given username and password were breached.

It also shows that a total of two passwords used with the username have been breached.

If the passwordBreached field is true, the credentials have been breached and you should follow our advice below.

Breached credentials advice

If credentials are breached we generally recommend allowing the customer to continue to log in because of the impact on conversion.

However, there are several actions you could take:

  • Force the customer to reset their password
  • Prompt the customer via email or SMS to reset their password
  • Require two-factor authentication (2FA) or an additional measure to verify the customer

You can also create rules that look at whether the username and password for a customer are breached. For example, you might choose to challenge logins that use breached credentials from new devices and new IP addresses.

We take into account whether credentials are breached in our account takeover machine learning models, so this will be considered when evaluating whether we believe a login is an account takeover attempt.
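The following is an added example (not Ravelin's own code or SDK) showing how a login service might read the credentialStatus object from a Login response and apply the advice above: allow by default, nudge a password reset when the password is breached, and step up to 2FA when a breached password arrives from a new device or new IP address. The sample response body, the decide_login_action rule and its action names are constructed for illustration.

```python
import json

# Constructed sample of a Login response body, mirroring the shape shown on this page.
SAMPLE_RESPONSE = """{
    "credentialStatus": {
        "passwordBreached": true,
        "usernameBreached": true,
        "numBreachedPasswords": 2
    }
}"""


def parse_credential_status(body: str) -> dict:
    """Extract credentialStatus from a response body.

    A missing credentialStatus object (or missing fields) is treated as
    'not breached' so that an unexpected response never blocks a login."""
    data = json.loads(body)
    status = data.get("credentialStatus") or {}
    return {
        "passwordBreached": bool(status.get("passwordBreached", False)),
        "usernameBreached": bool(status.get("usernameBreached", False)),
        "numBreachedPasswords": int(status.get("numBreachedPasswords") or 0),
    }


def decide_login_action(status: dict, new_device: bool, new_ip: bool) -> str:
    """Hypothetical policy built from the page's advice.

    Returns one of:
      "allow"                  - password not in the breach database
      "allow_and_prompt_reset" - breached password, known device and IP:
                                 let the login through, prompt a reset by email/SMS
      "require_2fa"            - breached password from a new device or new IP:
                                 challenge the login before granting access
    """
    if not status["passwordBreached"]:
        return "allow"
    if new_device or new_ip:
        return "require_2fa"
    return "allow_and_prompt_reset"


if __name__ == "__main__":
    status = parse_credential_status(SAMPLE_RESPONSE)
    print(status)
    print(decide_login_action(status, new_device=True, new_ip=False))
```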

Next steps

Learn how to request account takeover recommendations

Test your account takeover integration

© Ravelin Technology Ltd. All rights reserved