Account Takeover Integration

Breached Credentials

This page gives you an overview of our breached credential database and how it can be used to stop account takeover.

What are breached credentials?

Breached credentials are used by fraudsters when committing credential stuffing attacks. Attackers get credential combinations (usernames and passwords) from data breaches. Fraudsters can then automatically try all these combinations against your login page to see if there are any matches.

Unfortunately, because a lot of people reuse the same password across multiple services, there may be matches, and fraudsters can gain access to those accounts.

You can read more about how fraudsters use breached credentials in our Ravelin Insights Guide.

Ravelin’s breached credentials database

Ravelin maintains a breached credentials database containing over 5 billion leaked credentials. Ravelin sources credentials from cracking forums, the dark web and via weekly updates from our third-party providers. The database also includes commonly used passwords which are considered breached.

Any credentials that appear in our database should be considered very risky as they are widely available for attackers to use.

Checking credentials in our database

We check whether usernames and passwords are in our database when you send a request to our Login endpoint.

The response will contain a credentialStatus field which indicates whether the credentials are in our database.

If the credentials were breached, we will return a response similar to the one shown below:

{
    "credentialStatus": {
        "passwordBreached": true,
        "usernameBreached": true,
        "numBreachedPasswords": 2
    }
}

This response shows that the given username and password were breached.

It also shows that a total of two passwords used with the username have been breached.

If the passwordBreached field is true, the credentials have been breached, and you should follow our advice below.

Breached credentials advice

If the credentials used for a login attempt are breached, we generally recommend allowing the customer to continue to log in. Blocking the login outright may prevent legitimate users from logging in and have a negative impact on conversion.

However, there are several actions you could take to verify the login attempt is from the real account owner and secure the account:

  • Force the customer to reset their password
  • Prompt the customer via email or SMS to reset their password
  • Require two-factor authentication (2FA) or an additional measure to verify the customer

You can also create rules that look at whether the username and password for a customer are breached. For example, you might choose to challenge logins using breached credentials from new devices and new IP addresses.
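As an added example (not Ravelin's own code), the following Python shows how an application might read the credentialStatus block from the Login response shown above and apply the advice on this page: let the login proceed, challenge with 2FA when the breached password arrives from a new device or IP, and otherwise prompt a password reset. The LoginContext fields and the decision labels are this example's own assumptions.

```python
import json
from dataclasses import dataclass

# Decision labels are this example's own vocabulary, not a Ravelin API.
ALLOW = "allow"
ALLOW_AND_PROMPT_RESET = "allow_and_prompt_reset"
CHALLENGE_2FA = "challenge_2fa"

@dataclass(frozen=True)
class LoginContext:
    """Facts the application already knows about the attempt (assumed inputs)."""
    new_device: bool
    new_ip: bool

def parse_credential_status(response):
    """Read the credentialStatus block from a decoded Login response.
    A missing block or field counts as not breached (False / 0), matching the
    page's default of letting the login proceed."""
    status = response.get("credentialStatus") or {}
    return {
        "passwordBreached": bool(status.get("passwordBreached", False)),
        "usernameBreached": bool(status.get("usernameBreached", False)),
        "numBreachedPasswords": int(status.get("numBreachedPasswords", 0)),
    }

def decide(response, ctx):
    """Map credentialStatus plus login context to an action. passwordBreached is
    the deciding field: usernameBreached alone does not trigger a step-up."""
    status = parse_credential_status(response)
    if not status["passwordBreached"]:
        return ALLOW
    # Breached password from an unfamiliar device or IP: challenge with 2FA.
    if ctx.new_device or ctx.new_ip:
        return CHALLENGE_2FA
    # Breached password from a known device and IP: allow, but prompt a reset.
    return ALLOW_AND_PROMPT_RESET

def decide_from_json(raw, ctx):
    """Same policy, starting from the raw JSON body of the Login response."""
    return decide(json.loads(raw), ctx)

# Constructed sample body, mirroring the shape shown on this page.
SAMPLE_BREACHED = json.dumps({"credentialStatus": {
    "passwordBreached": True, "usernameBreached": True, "numBreachedPasswords": 2}})

if __name__ == "__main__":
    print(decide_from_json(SAMPLE_BREACHED, LoginContext(new_device=True, new_ip=False)))
```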

We take into account whether credentials are breached in our account takeover machine learning models, so this will be considered when evaluating whether we believe a login is an account takeover attempt.

Next steps

Learn how to request account takeover recommendations

Test your account takeover integration
