This page gives you an overview of our breached credential database and how it can be used to stop account takeover.
Breached credentials are used by fraudsters when committing credential stuffing attacks. Attackers get credential combinations (usernames and passwords) from data breaches. They can then automatically try all these combinations against your login page to see if there are any matches.
Unfortunately, because a lot of people use the same password across multiple services, there may be matches and fraudsters can gain access to those accounts.
You can read more about how fraudsters use breached credentials in our Ravelin Insights Guide.
Ravelin maintains a breached credentials database containing over 3.2 billion leaked username and password combinations. The credentials are found in cracking forums and the dark web. The database also includes commonly used passwords which are considered “breached”.
Any credentials that appear in our database should be considered very risky as they are widely available for attackers to use.
We check whether usernames and passwords are in our database when you send a request to our Login endpoint.
The response will contain a credentialStatus field which indicates whether the credentials are in our database.
If the credentials were breached, we will return a response similar to the one shown below:
{
  "credentialStatus": {
    "passwordBreached": true,
    "usernameBreached": true,
    "numBreachedPasswords": 2
  }
}
This response shows that the given username and password were breached.
It also shows that a total of two passwords used with the username have been breached.
If the passwordBreached field is true, the credentials have been breached, and you should follow our advice below.
If credentials are breached we generally recommend allowing the customer to continue to log in because of the impact on conversion.
However, there are several actions you could take:
You can also create rules that look at whether the username and password for a customer is breached. For example, you might choose to challenge logins using breached credentials from new devices and new IP addresses.
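As an added illustration (not Ravelin's own code), the following Python shows how a login service might parse the credentialStatus object shown above and apply the example rule from this page: allow breached-credential logins by default, but step up to a challenge when the login comes from a new device or a new IP address. The response body is a constructed sample shaped like the one on this page, and the new_device / new_ip inputs are assumed to be computed elsewhere by the caller.

```python
import json

# Constructed sample response body, shaped like the credentialStatus
# object shown on this page (not a captured API response).
SAMPLE_RESPONSE = json.dumps({
    "credentialStatus": {
        "passwordBreached": True,
        "usernameBreached": True,
        "numBreachedPasswords": 2,
    }
})


def parse_credential_status(raw):
    """Extract credentialStatus from a Login response body.

    Missing or null fields default to the non-breached case so that a
    response without the object never breaks the login path.
    """
    body = json.loads(raw)
    status = body.get("credentialStatus") or {}
    return {
        "password_breached": bool(status.get("passwordBreached", False)),
        "username_breached": bool(status.get("usernameBreached", False)),
        "num_breached_passwords": int(status.get("numBreachedPasswords", 0)),
    }


def decide_login_action(status, new_device, new_ip):
    """Apply the example rule from the page.

    Breached credentials alone do not block the login (to protect
    conversion), but a breached password combined with a new device or
    a new IP address triggers a challenge. `new_device` and `new_ip` are
    hypothetical inputs the caller is assumed to have computed.
    """
    if not status["password_breached"]:
        return "allow"
    if new_device or new_ip:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    status = parse_credential_status(SAMPLE_RESPONSE)
    print(status)
    # A breached password from a new device should be challenged.
    print(decide_login_action(status, new_device=True, new_ip=False))
```

The decision function only returns an action; how the challenge is delivered (for example a second factor) is left to the integrating service.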
We take into account whether credentials are breached in our account takeover machine learning models, so this will be considered when evaluating whether we believe a login is an account takeover attempt.
Learn how to request account takeover recommendations
Test your account takeover integration