Do you monitor for leaked corporate credentials in breach data and paste sites?
Description
What this control does
This control involves continuously monitoring publicly available breach databases, paste sites (e.g., Pastebin, GitHub Gists), dark web forums, and credential dump repositories for corporate credentials: email addresses, usernames, and passwords associated with the organization's domains. Organizations typically implement automated tooling or a third-party service that scans these sources, alerts the security team when a corporate credential is found, and triggers an incident response workflow that includes a forced password reset and user notification. The monitored scope should cover every domain the organization owns, including subsidiaries and legacy domains retained after acquisitions, and matching should be precise enough to ignore look-alike domains. Because dumps are frequently recycled from older breaches, the response should first establish whether the exposed password is still the account's current one and whether the account is still active, then scale accordingly: for a current password, reset it and revoke active sessions and tokens; for a privileged or service account, open an incident. This proactive detection shortens the window in which an attacker can use a compromised credential before the organization remediates.
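The matching and triage step described above, as an added example that is not part of the original page or of any particular monitoring product. The domain list, directory entries, password hashes and dump lines are all constructed for illustration; a real deployment would query the identity provider instead of the in-memory directory and would receive dump data from a feed or vendor API.

```python
"""Match a credential dump against an organization's monitored domains
and triage each hit against the current account state.

Added example; all names, domains, passwords and dump lines are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical monitored scope: primary domain, a subsidiary and a legacy
# domain kept after an acquisition. Subdomains of each are in scope too.
MONITORED_DOMAINS = {"example.com", "example.co.uk", "acquiredco.net"}


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes      # PBKDF2-HMAC-SHA256 of the account's current password
    privileged: bool
    active: bool


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_SALT = b"demo-salt"  # a single salt is fine for a constructed directory
# Constructed directory standing in for an IdP lookup.
DIRECTORY = {
    "alice@example.com": Account(_SALT, pw_hash("Winter2024!", _SALT), False, True),
    "svc-backup@acquiredco.net": Account(_SALT, pw_hash("Backup#1", _SALT), True, True),
    "bob@example.com": Account(_SALT, pw_hash("correct horse", _SALT), False, False),
}

# Constructed dump in the common "email:password" combo-list layout plus noise.
SAMPLE_DUMP = """\
# combo list, constructed for this example
alice@example.com:Winter2024!
ALICE@MAIL.EXAMPLE.COM:OldPass123
svc-backup@acquiredco.net:Backup#1
bob@example.com:correct horse
carol@notexample.com:Hunter2
dave@example.com.evil.io:Hunter2
erin@example.co.uk:Summer2023
garbage line without a separator
"""

LINE_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+)\s*[:;]\s*(.*?)\s*$")


def matched_domain(email: str) -> Optional[str]:
    """Return the monitored domain covering `email`, or None.

    Exact match or subdomain only: 'notexample.com' and 'example.com.evil.io'
    must not match 'example.com'. Comparison is case-insensitive.
    """
    dom = email.rsplit("@", 1)[1].lower().rstrip(".")
    for m in MONITORED_DOMAINS:
        if dom == m or dom.endswith("." + m):
            return m
    return None


@dataclass
class Alert:
    email: str
    domain: str
    status: str        # "current", "stale", "inactive" or "unknown"
    privileged: bool
    action: str


def triage(email: str, domain: str, password: str) -> Alert:
    acct = DIRECTORY.get(email)
    if acct is None:
        return Alert(email, domain, "unknown", False,
                     "investigate: no directory match (former staff, alias or subdomain account?)")
    if not acct.active:
        return Alert(email, domain, "inactive", acct.privileged,
                     "record only: account already disabled")
    # Constant-time comparison of the leaked password against the stored hash
    # decides whether this is a live exposure or a recycled old credential.
    if hmac.compare_digest(pw_hash(password, acct.salt), acct.pw_hash):
        action = "force reset, revoke sessions and tokens"
        if acct.privileged:
            action = "PRIVILEGED: " + action + ", open incident"
        return Alert(email, domain, "current", acct.privileged, action)
    return Alert(email, domain, "stale", acct.privileged,
                 "notify user: old password exposed, confirm MFA enrolment")


def scan_dump(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # headers, hashes without a separator, noise
        email, password = m.group(1).lower(), m.group(2)
        domain = matched_domain(email)
        if domain is None:
            continue          # look-alike or unrelated domain
        alerts.append(triage(email, domain, password))
    return alerts


if __name__ == "__main__":
    for a in scan_dump(SAMPLE_DUMP):
        print(f"{a.status:8} {a.email:28} [{a.domain}] -> {a.action}")
```

Two details matter in practice: the suffix check with a leading dot is what keeps `notexample.com` and `example.com.evil.io` out of scope while still catching `mail.example.com`, and comparing the leaked password to the current hash (rather than alerting on every email match) is what separates a live exposure from a recycled dump, so that forced resets and session revocation land on the accounts that actually need them.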
Control objective
What auditing this proves
Demonstrate that the organization actively monitors external sources for leaked corporate credentials and has established processes to respond when exposures are detected.
Associated risks
Risks this control addresses
- Attackers use compromised credentials from public breaches to gain unauthorized access to corporate systems through credential stuffing or password spraying attacks
- Employees who reuse passwords across personal and corporate accounts give attackers access to corporate systems when the personal credentials are exposed in a third-party breach
- Privileged account credentials leaked on paste sites provide direct pathways to critical infrastructure and sensitive data repositories
- Credentials that remain exposed in public sources for a long period give attackers time for reconnaissance and targeted phishing campaigns against the organization
- Credential leaks from acquired companies, subsidiaries, or legacy domains remain undetected and exploitable
- API keys, service account credentials, and tokens exposed in code repositories enable unauthorized access to cloud resources and third-party integrations
- Failure to detect credential exposure delays incident response, extending attacker dwell time and increasing breach impact
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's credential monitoring policy or procedure documentation, noting scope of monitored domains, email patterns, and monitored sources
- Identify all monitoring tools, services, or third-party vendors currently deployed for credential leak detection, including service contracts and scope agreements
- Request configuration exports or screenshots from credential monitoring platforms showing monitored domains, alert thresholds, and notification settings
- Review alerting and notification workflows to verify that security operations, incident response, and identity management teams receive timely alerts when credentials are detected
- Select a sample of credential exposure incidents from the past 12 months and trace each through alert generation, investigation, and remediation including password reset evidence
- Interview security operations personnel to validate their understanding of response procedures when corporate credentials are discovered in breach data
- Test monitoring coverage by comparing the monitored domain list against an authoritative inventory (e.g., DNS zones or domain registrar records) to verify that all active corporate domains, subsidiaries, and merger/acquisition entities are included in the monitoring scope
- Verify integration between credential monitoring systems and identity management platforms to confirm automated or semi-automated password reset capabilities exist