Account Takeover Integration

Breached Credentials

This page gives you an overview of what our breached credential database is and how it can be used to stop account takeover.

On this page:

What are breached credentials?

Breached credentials are used by fraudsters when committing credential stuffing attacks. Attackers get credential combinations (usernames and passwords) from data breaches. They can then automatically try all these combinations against your login page to see if there are any matches.

Unfortunately, because a lot of people use the same password across multiple services there may be matches and fraudsters can gain access the accounts.

You can read more about how fraudsters use breached credentials in our Ravelin Insights Guide.

Ravelin’s breached credentials database

Ravelin maintains a breached credentials database containing over 3.2 billion leaked username and password combinations. The credentials are found in cracking forums and the dark web. The database also includes commonly used passwords which are considered “breached”.

Any credentials that appear in our database should be considered very risky as they are widely available for attackers to use.

Checking credentials in our database

You can check whether usernames and passwords that your customers are using are in our database at different points in the customer journey. We advise you to do this at registration, login and when a customer updates their password.

To do this, send a request to our Lookup Credential Check Endpoint. The request should contain the username and the SHA256 hash of the password.

An example request for the password “1234” is shown below:

Authorization: token ...
Content-Type: application/json

  "username": "",
  "passwordHash": "03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4"

Passwords are extremely sensitive, so it is critical that you do not send us plaintext passwords. Hash the password with SHA256 and hex encode it before sending it. We do not store the hashed password, we discard it immediately after processing your request.

If the credentials were breached, we will return a response similar to the one shown below:

  "usernameBreached": true,
  "passwordBreached": true,
  "numBreachedPasswords": 2

This response shows that 2 passwords used by the username “” have been breached, and that the hashed password in the request was either one of them, or was one of the most commonly used passwords. In this case the example password was “1234” and is one of the most commonly used passwords.

If the passwordBreached field is true the credentials have been breached and you should follow our advice below depending on when the password was used.

Check at login

You can check whether a customer is trying to log in with a username and password which has been breached. Generally we recommend taking no action at login if credentials are breached, because of the impact on conversion.

However, there are several actions you could take:

  • Force the customer to reset their password
  • Prompt the customer via email or SMS to reset their password
  • Require two factor authentication (2FA) or an additional measure to verify the customer

You can also create rules that look at whether or not the username and password for a customer is breached. For example, you might choose to challenge logins using breached credentials from new devices and new IP addresses.

We take into account whether credentials are breached in our account takeover machine learning models, so this will be considered when evaluating whether we believe a login is an account takeover attempt.

Check at registration and on password update

If a customer is trying to register for an account or update their password using credentials that appear in our breached credentials database, we advise that you do not allow them to use the password. If we have the password in our database, attackers will have it too. You should prompt the customer to enter a different password.

If you prompt the customer to change their password at any point because of the breached credential database, we suggest informing them that the password has been compromised and that they should change it wherever else they use it.

Please see below for example text:

“The password you are attempting to use has been part of a data breach on another service. To secure your account, please choose another password. If you’re using this password anywhere else, we strongly recommend that you change it.”

Breached credentials database testing

If you want to test how your system handles breached credentials you can use one of the following examples:

  • Use the SHA256 hash of a common password like “password1” or “password” in the passwordHash field to produce a "passwordBreached": "true" response.
    For example: "0b14d501a594442a01c6859541bcb3e8164d183d32937b851835442f69d5c94e".

  • Use an email such as “” in the username field to produce a "passwordBreached": "true" response.

These examples for breached credentials are available in your live account as well as your sandbox account.

Next steps

Learn how to request account takeover recommendations

Test your account takeover integration


© Ravelin Technology Ltd. All rights reserved