Credential Exposure Monitoring
The One Protect monitors for leaked credentials across known data breaches and alerts your team when client credentials are found, enabling rapid response before compromised credentials are exploited.
How It Works
Credential monitoring operates on multiple data sources:
- Breach databases — Known breach datasets are checked against your monitored email addresses and domains
- Paste sites — Public paste sites are monitored for credential dumps containing your monitored addresses
- Dark web feeds — Threat intelligence feeds report newly discovered credential exposures
Monitoring runs continuously. New exposures are detected within hours of appearing in monitored sources.
Monitored Entities
Credential monitoring covers the same domains and email addresses configured in Dark Web Monitoring. No additional setup is needed — enabling dark web monitoring for a domain or email automatically enables credential monitoring.
Exposure Alerts
When leaked credentials are detected, an alert is created with:
| Field | Description |
|---|---|
| Affected Account | The email address found in the breach |
| Source | The breach or data dump where the credentials appeared |
| Exposure Date | When the credentials were first detected |
| Data Types | What was exposed (email + password hash, email + plaintext password, etc.) |
| Severity | Critical (plaintext password), High (password hash), Medium (email only) |
Integration with Security
Credential exposure alerts can automatically create incidents in The One Security:
- Navigate to Protect → Settings → Integrations → Security
- Enable Create Security Incident on Credential Exposure
- Select the severity threshold
- Credential exposure incidents appear in the Security Command Center with full context
The Security incident includes:
- The affected user account
- The breach source and date
- Recommended response actions
- Link back to the Protect alert for detailed findings
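The severity rule from the Exposure Alerts table combined with the severity threshold above, as an added example (not The One Protect's code or API). The record layout, the data-type labels, the `triage` function and the "at or above threshold" reading are assumptions made for this sketch; the sample alerts are constructed.

```python
from collections import defaultdict

# Severity order from the Exposure Alerts table (higher number = more severe).
RANK = {"Medium": 1, "High": 2, "Critical": 3}

def severity(data_types):
    """Apply the table's rule. The data-type labels are constructed for this sketch."""
    types = {t.strip().lower() for t in data_types}
    if "plaintext_password" in types:
        return "Critical"
    if "password_hash" in types:
        return "High"
    return "Medium"  # email only

def triage(alerts, threshold="High"):
    """Collapse alerts per account and keep accounts whose worst severity
    is at or above the threshold (assumed meaning of the setting)."""
    by_account = defaultdict(lambda: {"severity": "Medium", "sources": []})
    for alert in alerts:
        # Normalise case so the same mailbox is not counted twice.
        entry = by_account[alert["account"].strip().lower()]
        sev = severity(alert["data_types"])
        if RANK[sev] > RANK[entry["severity"]]:
            entry["severity"] = sev
        if alert["source"] not in entry["sources"]:
            entry["sources"].append(alert["source"])
    hits = {a: e for a, e in by_account.items()
            if RANK[e["severity"]] >= RANK[threshold]}
    # Most severe first, so the worst exposures are handled first.
    return dict(sorted(hits.items(), key=lambda kv: -RANK[kv[1]["severity"]]))

# Constructed sample alerts (hypothetical record layout, not a product export).
SAMPLE_ALERTS = [
    {"account": "alice@example.com", "source": "constructed-breach-A",
     "data_types": ["email", "password_hash"]},
    {"account": "Alice@Example.com", "source": "constructed-paste-B",
     "data_types": ["email", "plaintext_password"]},
    {"account": "bob@example.com", "source": "constructed-breach-A",
     "data_types": ["email"]},
    {"account": "carol@example.com", "source": "constructed-breach-C",
     "data_types": ["email", "password_hash"]},
]

if __name__ == "__main__":
    for account, info in triage(SAMPLE_ALERTS, "High").items():
        print(account, info["severity"], ", ".join(info["sources"]))
```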
User Notification Workflows
Configure automated notifications when credentials are exposed:
Internal Notifications
- MSP security team — Immediate notification via email and Hub
- Account manager — Email notification with client impact summary
- Help desk — Auto-created PSA ticket for credential reset
Client Notifications
- Client admin — Notification via Portal with recommended actions
- Affected user — Optional direct email notification (configurable per client)
Configure notification workflows in Protect → Settings → Notifications → Credential Exposure.
Response Actions
When credentials are exposed, recommended response actions include:
- Force password reset — Via RMM integration or manual notification to the user
- Enable MFA — If not already enabled on the affected account
- Review account activity — Check for signs of unauthorized access
- Revoke active sessions — Force re-authentication on all devices
- Update related accounts — If the user reuses passwords, prompt them to change all related accounts
Reporting
Credential exposure data is included in:
- Client Reports — Monthly exposure summary per client
- Compliance evidence — Credential monitoring status satisfies breach detection controls
- Trend analysis — Exposure trends over time per client and across your portfolio