Back to Blog

SpyCloud Spots Stolen Credentials with Deep Dives into the Dark Web

Of all the anxieties of cybersecurity, the spectre of your personal credentials sitting in some digital warehouse on the dark web is probably near the top of the list. Every breach we read about in the news, whether it is at a retail business, a financial institution or even a government agency, brings this fear back the fore.

SpyCloud, a cyber security firm out of Austin, Texas that won Best of Show in its Finovate debut last month, takes a unique approach to this problem. The company’s Exposed Credential Monitoring and Alert Service, on display at FinovateFall, enables both institutions and individuals to find out if their exposed credentials are being actively traded on the dark web.

Left to right: SpyCloud Head of Business Development Chris LaConte and CEO and Co-Founder Ted Ross demonstrating the SpyCloud Exposed Credential Monitoring and Alert Service.

SpyCloud’s current focus is on providing its technology to the enterprise, especially in the financial, technology, and healthcare sectors. These verticals have been repeatedly targeted by cybercriminals who use techniques such as “credential stuffing” – in which stolen account credentials are used to access user accounts in large-scale, automated login requests – to compromise employee and consumer accounts, alike.

SpyCloud’s solutions and services include:

  • Corporate Credential Exposure Notifications that provide matching historical breach exposure instantly and include SpyCloud’s monitoring of the underground for stolen assets.
  • ATO (Account Takeover) for Employees which provides an Active Directory monitor tool for a single device and automatically compares new stolen credentials to a list of active users.
  • ATO for Customers which integrates the SpyCloud API into the customer login to identify customers with exposed credentials

Additionally, SpyCloud’s technology helps identify users that have been exposed to credential-stealing malware, resetting accounts or initiating further security precautions. The company also provides support for investigators via data mining through tools such as Maltego.

With our focus on security this month, we thought SpyCloud’s innovative approach – including actually interacting with the dark web’s nefarious characters to learn more about their tactics and strategies – was worth learning more about. After speaking with Ted Ross, CEO of SpyCloud, during the week of FinovateFall 2017, we followed up with a few questions by e-mail. Here are our questions and his responses.

Finovate: You began your Best of Show-winning presentation with a question about how secure we believed our personal credentials to be? Why start the conversation about security at this point?

Ted Ross: I started with this question because credential theft is a problem that affects people on a personal level – not just at work. Those who do not work in the cybersecurity space, are not regularly thinking about how exposed their credentials may be. It’s not until large-scale breaches like Equifax, Yahoo, etc. that most people begin thinking about their PII being in the hands of the wrong people. Our job is to not only educate companies on their employee and customer exposure, but to proactively alert to prevent any repercussions that may come from compromised personal credentials.  

Finovate: We are seeing a lot of new responses to the challenge of cybersecurity. SpyCloud’s approach seems unique– How did you come up with the idea?

Ross: A few years ago, I noticed the increasing trend of 3rd party data breaches and realized how these credentials put unsuspecting organizations and individuals at risk. I also realized that there wasn’t an effective solution to stop this problem. Most solutions to address this problem were/are heuristic or behavior-based solutions. From experience, behavior-based technologies are prone to false positives.  There was a need for a solution that compares existing credentials to exposed credentials with “an exact match”. No false positives, no calls to the help desk and can gracefully snap into and improve behavior based solutions.

Finovate: What is “human intelligence tradecraft” and how does it help you “interact with the bad guys and capture the information they are stealing before they post it to public forums or paid sites”?

Ross: Human intelligence (HUMINT) tradecraft is essentially the techniques, tactics and procedures used by our research team to social engineer threat actors. We don’t share details of our tradecraft for operational security reasons. At a high level, the tradecraft is used to infiltrate and maintain connections to covert threat groups/actors. We make use of HUMINT to gain access to stolen information before it can be posted to a public forum or sold/traded on the underground. Our goal is to recover this information before it can be used against our customers.

Finovate: Just how bad is the problem of stolen credentials on “the underground” as you called it? Is the problem getting worse?

Ross: The problem is getting much worse. It’s easy to see how the problem has progressed over the last 5 years with our breach timelines. When customers add their domains, they can see the number of 3rd party breaches that contained credentials that map to their employees. They can see that between 2011-2014, they were impacted by one or two breaches a year. Now, we are finding 10 new breached databases (from private sources – you won’t read about these in the press) every working day! We find so many credentials that we typically ingest about 40 million new credentials every week (and this is after we scrubbed out the duplicates). At this point, we have credentials for just about every enterprise with a digital presence. 

Finovate: What about your background encouraged you to tackle this challenge, particularly as it related to cybersecurity in financial services?

Ross: Having built a threat sharing platform in a past role, I was able to experience the various threat feeds that are available today. Most of them revolve around Indicators of Compromise (IoCs).  Something that requires a trained cyber security professional to create and use. In parallel, companies are looking for solutions that are easy to understand, easy to operationalize, effective, and priced fairly.  We created SpyCloud to address these issues. Our solution helps global enterprises, large financial institutions as well as smaller organizations and individuals. We realized up front that if it helped individuals at a personal level, then the aggregate would be something that is important for financial organizations. In aggregate, we are in a strong position to protect any organization with an online presence (i.e., financials and retailers) from customer account takeovers.     

Finovate: What’s next for SpyCloud? What are the company’s plans over the balance of 2017 and heading into 2018?

Ross: We’ve experienced tremendous growth in 2017 and don’t see that slowing down. Our Q3 results exceeded expectations. Among our enterprise wins this year, we brought on four of the largest companies in the world (within their respective industries). Q4 looks to be even stronger than Q3 and our pipeline is growing at somewhat unbelievable rates. Going into 2018, we are hiring additional security researchers and developers. In 2018, we have a few new surprises for our customers – something that will significantly strengthen their security posture while maintaining our core tenants of easy to use, highly effective and priced to be disruptive.   


SpyCloud CEO and founder Ted Ross and Head of Business Development Chris LaConte demonstrating SpyCloud Exposed Credential Monitoring and Alert Service at FinovateFall 2017.