Account Registration Abuse Integration

Breached Credentials

This page gives you an overview of our breached credential database.

What are breached credentials?

Breached credentials are used by fraudsters when committing credential stuffing attacks. Attackers get credential combinations (usernames and passwords) from data breaches. Fraudsters can then automatically try all these combinations against your login page to see if there are any matches.

Breached credentials pose a significant risk at the point of account registration. Allowing users to create accounts with breached credentials increases the risk the account will be compromised in a future ATO attack.

You can read more about how fraudsters use breached credentials in our Ravelin Insights Guide.

Ravelin’s breached credentials database

Ravelin maintains a breached credentials database containing over 5 billion leaked credentials. Ravelin sources credentials from cracking forums, the dark web, and via weekly updates from our third-party providers. The database also includes commonly used passwords that are considered breached.

Any credentials that appear in our database should be considered very risky as they are widely available for attackers to use.

Checking credentials in our database

We check whether usernames and passwords are in our database when you send a request to our Registration endpoint.

The response will contain a credentialStatus field which indicates whether the credentials are in our database.

If the credentials were breached, we will return a response similar to the one shown below:

{
    "credentialStatus": {
        "passwordBreached": true,
        "usernameBreached": true
    }
}

This response shows that the given username and password were breached.

If the passwordBreached field is true, the credentials have been breached and you should follow our advice below.

Breached credentials advice at Registration

If a customer does provide breached credentials in an account registration attempt, we recommend allowing the customer to create the account to avoid negatively impacting conversion. However, we strongly recommend prompting them to change the password. For example, by:

  • requiring the customer to reset their password immediately after registration or at their first login; or
  • prompting the customer via email or SMS to reset their password.

You should advise customers not to reuse passwords when creating a new account on your service.
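The handling described above, as an added example that is not Ravelin's own code: it parses the credentialStatus object from a Registration response body and turns it into a decision that always creates the account but flags a mandatory password reset when passwordBreached is true. The response bodies below are constructed in the shape the page documents, and the RegistrationOutcome type and function names are this example's own, not part of the Ravelin API.

```python
import json
from dataclasses import dataclass

# Constructed sample response bodies (not captured from the real API).
SAMPLE_BREACHED_RESPONSE = json.dumps({
    "credentialStatus": {"passwordBreached": True, "usernameBreached": True}
})
SAMPLE_CLEAN_RESPONSE = json.dumps({
    "credentialStatus": {"passwordBreached": False, "usernameBreached": False}
})


@dataclass(frozen=True)
class RegistrationOutcome:
    """Hypothetical decision record for the registration flow."""
    create_account: bool           # per the advice above this is always True
    require_password_reset: bool   # force a reset at first login or via email/SMS
    reason: str


def parse_credential_status(body: str) -> dict:
    """Extract credentialStatus from a raw Registration response body.

    A missing, malformed or non-boolean field is treated as "not breached" so a
    broken hint never blocks a registration; 'present' records whether the field
    was really there so the caller can log and alert on unexpected responses.
    """
    absent = {"present": False, "passwordBreached": False, "usernameBreached": False}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return absent
    status = data.get("credentialStatus") if isinstance(data, dict) else None
    if not isinstance(status, dict):
        return absent
    return {
        "present": True,
        # Compare with `is True` so the string "true" or the number 1 does not count.
        "passwordBreached": status.get("passwordBreached") is True,
        "usernameBreached": status.get("usernameBreached") is True,
    }


def decide_registration(body: str) -> RegistrationOutcome:
    """Apply the page's advice: allow the account, require a reset if breached."""
    status = parse_credential_status(body)
    if status["passwordBreached"]:
        return RegistrationOutcome(
            create_account=True,
            require_password_reset=True,
            reason="password present in breached credentials database",
        )
    if status["usernameBreached"]:
        # Only the username was seen in a breach; the password itself is not
        # known to be leaked, so no forced reset, but worth recording.
        return RegistrationOutcome(True, False, "username seen in a breach; password not breached")
    if not status["present"]:
        return RegistrationOutcome(True, False, "credentialStatus missing from response")
    return RegistrationOutcome(True, False, "credentials not found in breached database")


if __name__ == "__main__":
    for label, body in (("breached", SAMPLE_BREACHED_RESPONSE), ("clean", SAMPLE_CLEAN_RESPONSE)):
        print(label, decide_registration(body))
```

The `require_password_reset` flag is what your registration service would persist against the new account so that the reset can be enforced at first login, or handed to the messaging system that sends the email or SMS prompt; the `present` marker is worth sending to your logs so that responses without a credentialStatus field stand out.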