In our previous post on third-party breaches, we talked about the risk of public compromised credential leaks providing attackers with another ingress vector. This August, InsightIDR, armed with knowledge from a partner, identified a “Very Large Credentials Dump”. Very large? Over 800 million compromised credentials including usernames, passwords, and password hashes were exposed. This pool includes publicly known credential dumps as well as dumps whose breach source has not been disclosed; all of them are available for attackers to repurpose.

Across our hundreds of customers using InsightIDR to monitor their ecosystem:

  • 177 alerts were generated across our U.S. customers
  • 50 alerts were generated across our EMEA & APAC customers

Many customers have already reached out to us to learn more about the alert and, whenever possible, we can provide the exposed passwords and hashes to your team. Below is an example of the alert in InsightIDR:


By highlighting this security risk, teams can proactively reset passwords before attackers try their hand. Even better, this is only one of the many detections built in InsightIDR to help you find threats earlier in the attack chain, before intruders breach critical assets.



If any users are identified as at risk, one click brings up their user page to see authentications, asset info, cloud services, and more.


Today, our corporate emails not only log into network services, but also cloud services such as Office 365, Salesforce, and Box. As InsightIDR has direct API integrations with those services, you'll know about any suspicious authentications, whether it be from an unusual location or anomalous admin activity.

By applying User Behavior Analytics to link together IP Addresses, Assets, and Users, InsightIDR detects the top attack vectors behind breaches, including phishing, compromised credentials, and malware.

I received this alert. What can I do?

  • For affected accounts, we recommend resetting the account password & adding the user to the InsightIDR Watchlist.
  • If you'd like more on the credential dump, please use the in-app feedback button, which automatically opens an InsightIDR support ticket. Alternatively, feel free to email support@rapid7.com. If available, we can further share the exact passwords and hashes in the dump upon request.

  • As an added value, if you have other company-owned domains, we can add the domain name to be monitored for future third-party breaches.

I want to receive these alerts. What can I do?