FAQ Leak Checker

Why did I receive an email?

To ensure the security of your company and its infrastructure, a threat analysis was performed based on the company’s domain. As a result of this analysis, the respective e-mail address and possibly further data (e.g. user name and password) were found. This data was collected from various sources in the so-called darknet and is therefore also available to attackers. Complete login data represent a real security risk, as they can be used for unauthorized access to company resources (e-mails, files, etc.) or external portals of cooperating partner companies.

What should I do now?

Keep calm. Carefully check the details in the received email as follows. For each entry in the email: Try to remember the full password based on the provided first and last characters. Use the service name provided only as a memory aid; the password may belong to another service. Only if you recognize one of your currently used passwords is there an acute threat situation.

A threat is present and you have recognized a currently used password:

  1. Use details from the provided data and your memory to identify all services and accounts where you use the recognized password. Ideally, make a list of these services.
  2. Make sure that the password is no longer used on any of these services and change it so that it is clearly different from the previous password. We recommend using a separate password for each service and using a password manager to generate and store the new passwords.
  3. Note that the recognized password no longer provides protection and must not be used on any service in the future.

You have recognized a previously used password:

  1. Use details from the provided data and your memory to identify other services and accounts where you may use the recognized password but have not yet changed it. Ideally, make a list of these services.
  2. Make sure that the password is no longer used at any identified service and change it so that it is clearly different from the previous password. We recommend using a separate password for each service and using a password manager to generate and store the new passwords.
  3. Remember that the recognized password no longer provides protection and must not be used in the future.

If you cannot recognize any password from the given clues, there is no threat and no action is necessary.

What is a good password?

A “good” password should meet two criteria: It should be long and hard to guess. It is often claimed that a password should necessarily contain special characters and numbers. It is true that special characters and numbers increase the number of possibilities for a password; however, adding more characters to the password increases the number of possibilities significantly more. It is also important not to use words from a dictionary, as attacks often try out the words found in dictionaries in different combinations. Further information on choosing a secure password can be found here and on changing a password here.

How long should a password be?

The longer a password is, the better it protects the account from specific attacks. Even though some services still allow 4- to 8-character passwords, these are far too short from a security perspective. A password should have at least 12 characters. However, it is optimal if a password has 16 or more characters. Further important information on the properties of a password can be found here.
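The length-versus-character-set argument from the two answers above can be checked numerically. The following is an added example, not part of the original FAQ or of Identeco's tooling; it assumes every character is chosen uniformly at random, and the alphabet sizes and function names are illustrative assumptions.

```python
import math

# Assumed alphabet sizes (illustrative, not taken from the FAQ).
LOWERCASE = 26         # a-z only
PRINTABLE_ASCII = 94   # letters, digits and 32 special characters


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of possible passwords of this length.

    Valid only for passwords whose characters are picked uniformly at
    random; dictionary words have far fewer effective possibilities.
    """
    return length * math.log2(alphabet_size)


def length_to_match(target_bits: float, alphabet_size: int) -> int:
    """Smallest length over the given alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(length: int = 8) -> dict:
    """Compare two ways of strengthening a lowercase-only password."""
    base = keyspace_bits(LOWERCASE, length)
    full = keyspace_bits(PRINTABLE_ASCII, length)
    return {
        # Gain from allowing digits, capitals and special characters.
        "widen_alphabet_gain_bits": full - base,
        # Gain from keeping lowercase only but doubling the length.
        "double_length_gain_bits": keyspace_bits(LOWERCASE, 2 * length) - base,
        # Lowercase-only length that is at least as strong as the
        # full-character-set password of the original length.
        "lowercase_length_matching_full_charset": length_to_match(full, LOWERCASE),
    }


if __name__ == "__main__":
    for name, value in compare(8).items():
        print(f"{name}: {value:.1f}" if isinstance(value, float) else f"{name}: {value}")
```

For an 8-character starting point, widening the alphabet adds roughly 15 bits while doubling the length adds roughly 38, and a 12-character lowercase-only random password already exceeds the 8-character password drawn from the full character set.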

Where does the data come from?

We obtain the identity data leaks by searching different parts of the Internet with our methods. Some of this data is collected automatically by our systems, others we download manually. Important: We do not buy any data! We only use publicly and freely available data! However, the majority of identity data leaks are also freely available and thus do not need to be bought.

In the notification I see passwords that I have never used. How can this be?

In our result emails, we display the first and last characters of the password that is included in the leak data. If you can’t match these characters to any of the passwords that you use, this can be due to several reasons:

  1. This password was used a long time ago and you forgot that you used it before.
  2. There is a wrong password in our dataset, e.g. one that an attacker arbitrarily assigned to the email address. Criminals sometimes fill gaps in their records with invented data, so our result emails may contain this information.

It is not possible to verify the authenticity of the data in our databases. Whether the data is correct and still valid can only be decided by the person concerned - you.

In the notification I see accounts that I have never used. How can this be?

In our result email we show details which we extracted from the collected leak data. Individual entries carry references to specific services (e.g. Twitter, Facebook, LinkedIn, etc.). However, the assignment of leaked data to an affected service is never possible with absolute certainty. Nevertheless, it provides an initial starting point for identifying affected and thus threatened accounts.

An exact assignment of leaks to affected services is not possible for several reasons:

  1. Indicators for assignment are not available. Leaks are often shared in single files. Such files can have names such as “twitter.txt” or just “1000_newest_logins.csv”. So, in the first case, the file name may provide an indicator of a specific service, but not in the second.
  2. Hackers share data across a wide variety of platforms. In the first example above, it is also conceivable that a hacker shared or traded leak data on the Twitter platform and named the file “twitter.txt” for this purpose. However, this does not mean that the file contains account data for Twitter accounts.

It is often the case that hackers merge account data from many different leaks. This login data then comes from different sources and it is no longer possible to assign it to a single service. Such aggregated datasets are often referred to as “collections”.

Independent of these details from the Darknet, other explanations are possible:

  1. The respective service was used a long time ago and this was forgotten.
  2. A service has changed its name.
  3. In rare cases, hackers use stolen identity data, such as account names, email addresses and the like, to prepare or carry out fraudulent actions. As artifacts of such actions, accounts may have been created at services that the real person does not use.

It is not possible to verify the authenticity of the data in our databases. Whether the data is correct and still valid can only be decided by the person concerned - you.

In the notification I see accounts that I have never used. How can this be?

It is possible that an attacker has tricked you with a phishing attack and you have revealed login information on a manipulated website. It is therefore important to be cautious when handling login information. In particular, you should choose complex and unique passwords for each service individually and not share them with others. Recognizing phishing attacks is not always easy; different methods used by attackers and how to recognize them are presented here.

It is also not unlikely that you have done nothing wrong yourself. So how could this happen? Attacks or vulnerabilities in web stores or services are often the source of leaked data. The basis for this is therefore past registration with a service or webshop. When you logged in, your data was stored in the service’s user database. Due to a security incident, such as a hacker attack or an insecure configuration of the database, parts of the user database might have then been stolen or at least made publicly accessible. Even if you had chosen a different password, such an attack would not have been prevented.

Is it allowed to use a password more than once?

This is a question that cannot be answered directly and clearly. In general, it is of course much safer to use a different password everywhere, and we, as well as most researchers and colleagues, advise everyone to do so.

However, it is understandable if someone feels that he or she cannot remember the large number of passwords and therefore uses passwords more than once.

So what does it mean from a security perspective if you use one password on multiple services? In this case, each of those services potentially has the ability to log in to the other services with that password as well. If your password is stolen from one service, then all the other services where you also use that password are immediately threatened. Therefore, think carefully about which accounts you want to use the same passwords for. If your password, which you use for several online services, has nevertheless been leaked, you should change it immediately. Not just for the leaked account, but for all those using this password. The best way to do this is to use a password manager that generates and manages your passwords. To ensure that no unauthorized access is attempted, the use of two-factor authentication is recommended.

Critical accounts like an email account should be protected with a unique password in any case, because passwords can be reset at most services via the email account.

In employment, there are usually regulations that require unique passwords. Details on this can usually be found on the intranet or can be obtained from the IT security officer or supervisor.

What can I do if I no longer have access to my account or e-mail?

Unfortunately, we cannot help in such cases. However, you have the option of contacting the online service or email provider to report such incidents. You should also contact the police and file a complaint. If possible, you should immediately change all passwords for important services such as online banking, payment services or online stores and set individual passwords. If, after using the Leak Checker, you discover that you no longer have access to your e-mail account, it is unfortunately not possible for us to send you the results to another e-mail address for data privacy reasons.

What is the difference between Identeco’s offering and other Leak Checker services or “Darknet Spy” services?

Identeco’s offering provides automated and, if desired, fully integrated protection of employee accounts against the threat of leaked login data from the darknet.

Existing solutions on the market are not early warning systems in the true sense of the word. Rather, in the best case, you get raw data sets that have to be processed manually.

Identeco’s approach is different: By integrating it into existing account management processes (e.g. Active Directory), the setting of insecure passwords that are already known on the Darknet can be prevented. A continuous check of already set passwords against the constantly growing leak database completes the offer.

Furthermore, the protection of customer accounts is innovative, enabling platform operators to gain real added value for the protection of their own infrastructure and the respective customer accounts.

Trust: Customers can rely on you for account protection. Because by using Identeco to protect their platform’s user accounts, end users do not have to trust any additional service to protect their identity data. Instead, the increased security and warning of insecure login data boosts users’ confidence in the services they use.

Data quality: Through feedback regarding the criticality of individual leaks, we continuously improve and prioritize the leak data shared for review. This means that you always receive the leak data with the highest hit rate as a priority.

Direct communication and warning of those affected: An employee or user of the platform of a company protected by Identeco can be informed of an acute account threat directly when logging in to the platform. Using our tools, you can communicate clearly and directly:

  1. What data is specifically threatened,
  2. To what extent the account is affected and
  3. What immediate measures should be taken to restore account security.

Data protection: All data is encrypted. We do not require any personal data to create our domain-based leak report and still allow companies to directly assess their threat situation.

Specific employee or customer accounts can only be identified in the company’s own infrastructure.

If the account security of an account is compromised, then necessary information to regain account security is reported exclusively to the respective affected user.

The IT security department of a company or the specific platform operator is best suited to protect the infrastructure and support the affected parties, as a relationship of trust already exists here.

Together with our partners, we can inform all customers if their account security is compromised. Our goal is to connect as many partners as possible and thus increase account security for all.

What data is in the Identeco database?

There is only encrypted data in the database that Identeco cannot decrypt. The determination of threatened accounts is only possible for Identeco customers within their own infrastructure. This serves the purpose of protecting their own infrastructure and the accounts of their employees and customers.

A research project (EIDI) conducted in advance at the University of Bonn looked not only at digital identities, but also at other identity data.

Explicitly not processed are data that can be assigned to the so-called “special categories” according to Art. 9 of the GDPR.

Although the data covered by Art. 9 of the GDPR is highly relevant for data subjects and they presumably have a particularly high interest in protecting this data as well, this cannot be reconciled with data protection due to the nature of our implementation.
