Keeper Security has released BreachWatch, a utility which searches the Dark Web for login credentials exposed through a public breach. BreachWatch is available as an add-on for existing Keeper Security customers at US $20 per user per year. Given the impact and costs of a credential stuffing or account takeover attack, it seems a very low price to pay.
According to Darren Guccione, CEO and Co-founder of Keeper: “With BreachWatch, businesses are notified of stolen credentials from public data breaches and can take immediate action to mitigate a threat. BreachWatch provides businesses with continuous visibility into their password security and helps protect their organizations against cybercriminals.”
How does BreachWatch work?
It’s relatively simple. There are billions of usernames and passwords sitting on the Dark Web. Many of these are pulled into collections by cyber criminals who then sell them on. BreachWatch searches through those collections and identifies any that relate to a business. It then warns the business so that it can get users to change their passwords.
This is not a one-off search. Keeper claims that BreachWatch is in continuous scan mode so it can catch new credential breaches as they occur. We sent some questions over to Keeper about some of the mechanics of how BreachWatch works. At the time of going to press, there was no response. What we asked was:
How quickly can BreachWatch catch new breaches? As customer usage increases and mega breaches continue, it takes time to search for the relevant data. Is there a guarantee that credentials will be spotted within a day, week, month or year of being posted?
Does BreachWatch do more than just identify the username? For example, does it seek to decrypt passwords so that organisations can see how recent the credentials are and if they are still a threat? If it is picking up old, outdated credentials that force users to change their login details, this could be a never-ending story.
Are there any plans to extend what BreachWatch gathers? This is as much a user as a business requirement. Additional data will help identify where the breach came from. If it came from a cloud service, then it could affect lots of other users. If it is from a business partner, then it could be a supply chain issue.
Enterprise Times: What does this mean
There is an increasing number of utilities that offer a way to check if credentials have been stolen. Perhaps the most used is HaveIBeenPwned. This tells a user if their email address has been found in a breach. It also tells the user what the breach was, when it occurred and what other data was taken.
There is another service on the site that allows a visitor to check if a password has been found. It doesn’t tie this to any particular email address, and a check that finds nothing does not mean that the password is not sitting in a breach. The two are not linked, so they do not provide a way to compare a username and password combination.
If BreachWatch can be more effective than HaveIBeenPwned, then it has a serious benefit for the business. However, it must include the context of where and when the credentials were breached so that the business and the user are not in a perpetual state of password change.