How are domains I add to my watchlist handled in your service?
Assuming you own the domain 'acmeinc.com', we'll monitor for ALL email addresses that match against it (email@example.com, firstname.lastname@example.org, etc.), regardless of the number we find.
What if I need to upgrade at a later date to add more domains/emails/etc?
No problem, you can upgrade at any time. Just contact us at email@example.com and our accounts team will get you set up.
What if I'm a service provider and want to monitor for credential reuse among my customers?
Many of our large service provider customers are not only interested in monitoring for breaches from within their organization. They also want to be proactive in detecting fraud and identity theft for their customers' accounts, especially if they've been compromised in a botnet or from a third-party breach. Please get in touch at firstname.lastname@example.org to discuss our API and pricing if this applies to your organization.
What are "personal" email addresses in the watchlist?
Many of us often use a personal email for professional services at work (e.g. Dropbox, LinkedIn, etc.). In the unfortunate situation that one of these services is breached, it's fairly common for hackers to try and reuse the same username/password on other sites (including your company's sites).
Your Gmail, Hotmail, Yahoo, etc. addresses are typically those that should be added to the 'Personal Email Watchlist'. We provide monitoring for a limited number of these non-corporate email addresses for your executive team and other high profile employees.
Personal email addresses are typically considered those that do not match any of the domains in your Domain Watchlist. Since we monitor all email addresses associated with the domains in your Domain Watchlist, it is not necessary to add your work emails to the Personal Email Watchlist; we've already got them covered.
Is there a downside to adding my corporate email to the personal email watchlist?
In the case we're already monitoring your corporate domain (e.g. example.com) and you add your work email (email@example.com), you might get two notifications when your email pops up on our radar in a new breach.
If you don't actually have authorization to monitor all of example.com, then adding your work email is a simple way for you to keep tabs on breaches affecting you at work.
How do I verify a domain after adding it to the Domain Watchlist?
Because of the sensitive nature of breach details, we need to ensure that only authorized representatives from a company are able to see ALL records for their particular domain.
We will verify ownership of domains as you add them. Most people ask us to manually verify the domains (which is mentioned below), but there are other automated options available.
After adding a domain to the Domain Watchlist:
How do you monitor for my assets?
We have a world-class team of intelligence analysts that finds stolen credentials and other assets primarily through human intelligence tradecraft. We acquire hundreds of millions of records every month from dark corners around the world. These records impact individuals and organizations globally. We validate and ingest these records into a central database. We then analyze them and identify which assets match items in your watchlist. When we find a match, we notify you immediately so you can limit further damage.
What's different about ScoutCloud?
We created ScoutCloud to identify and stop breaches that occur outside of your network. You don't need to install any software; simply tell us which domains you use, your personal email addresses, and any other information you would like us to monitor, and we will inform you when your assets are exposed. We are laser-focused on our core competency: cybercrime. We do not spend time in other intelligence domains (such as nation-state, physical security, etc.). Because of this, we find artifacts related to cybercrime at a massive scale, mostly from private sources, and the results are immediately useful and specific to our customers.
What types of information can you find?
Here's an example of the type of information we find by scanning for your domain (partial list):
Examples of the type of information we find by scanning your personal email addresses (partial list):
How often should I expect to receive an alert from ScoutCloud?
We load hundreds of new breached databases (mostly from private sources) into our system every month. Each of these databases contains potentially millions of compromised records. In a busy month, we can exceed a billion stolen artifacts. Given our rate of collection, it is common for large enterprises to receive a handful of alerts each month. Small companies should expect to receive an alert every few months.
Do you work with law enforcement, ISACs and CERTs?
Given our tradecraft, we run into artifacts that fall outside of our area of focus. We work with law enforcement in these situations. We often work with in-country CERTs, ISACs and other information sharing communities to reach breach victims. If the victim is a customer, they will receive the breach notice immediately and directly from ScoutCloud. If they are not a customer, our outreach is manual in nature, best effort, and subject to the normal time it takes to find the right contact and exchange the information.
Which dates are used to plot points on my timeline?
We track 3 dates for every breach (all are included in the export to CSV):
The dates we use for the timeline are:
What happens if breach data from a private source eventually becomes public?
Since we found the information in advance of it becoming known publicly, we keep the private marking even after it is known publicly. This way our customers can see the date that the information was available in the underground (the date that they were exposed) vs. when the public learned about the breach.
How do I act on the information you share with me?
We include remediation advice for the various types of breaches that we find. Remediation advice can be seen from the detailed view of each breach (in the portal). If you have any questions about a breach or need further remediation advice, please feel free to contact our support at firstname.lastname@example.org.
How do I get started and get the most out of the system?
Please watch our guided tour and tutorial video for a detailed walkthrough.
In summary, to get the most out of the system:
Once these steps have been taken, we will notify you moving forward when we find your exposed assets. You do not need to log in to the portal to recognize the value; we will contact you as needed.
Why should I trust ScoutCloud with my email address?
All our employees go through background checks and have been in the intelligence community for many years. They are proven, trusted individuals who have built their careers around handling sensitive information appropriately. In addition, we go to great lengths to secure the information that you add to the system:
What is the difference between a Private and a Public breach data source?
Private Data Source - We often gain access to stolen information by interacting with criminals on forums that are not available to the general public. Using private forums, data thieves may trade or sell their information on the underground. Private information is typically not available for purchase by legal entities. Information from these sources is typically urgent or critical in nature.
Public Data Source - Public sources include sites that anybody on the Internet can easily visit to download or purchase a list of leaked records. This data includes pastebin links, public leak forums, and direct downloads on file sharing networks.
How is severity determined?
What two-factor authentication apps do you support?
We support most common two-factor apps such as Authy, Duo Mobile, Google Authenticator, and Microsoft Authenticator.