HackedList.io
FAQ

HackedList.io is a service that allows you to determine if your organization's or customers' data has been stolen by infostealer malware and made available on the darknet.

Without registration and for free, it allows anyone to check the status of their organization and find out if there has been a leak of login credentials associated with the specified domain in the past. More information is available upon registration. Paying customers are provided with all the details necessary for effective incident response, including consultation services.

HackedList.io and Have I Been Pwned (HIBP) are both services that allow individuals and organizations to check if their data has been compromised, but there are some key differences: our service (HackedList.io) primarily focuses on identifying data stolen by infostealer malware and made available on the darknet, while HIBP is known for a broader focus on various types of data breaches (mostly public or semi-public leaks of databases), not specifically tied to malware or darknet activity.

HackedList.io is targeted towards organizations looking for protection from threats coming from direct infostealer malware breaches (be it your employees or clients), while HIBP is more suited for notifying individuals that their password or personal data have been leaked through a compromised third-party service (monitoring your domain through HIBP is still a good idea though - it's just not sufficient).

Results from our service are usually more actionable - if we say you (or your employees, or clients) have been breached, it literally means that your device was hacked and passwords (and possibly other sensitive data, such as documents, browsing history or VPN accesses) have been stolen directly from it. If HIBP says you have been breached, it usually means that some third-party service you registered on at some time in the past was compromised (and unless you reused the leaked password elsewhere, the impact is limited to that specific site alone).

Enter your domain on the main page of HackedList.io. In a moment, you will find out whether a user, whose computer was infected with infostealer malware, has logged in to your domain or any of its subdomains. You will also see the number of such detected accesses, a list of countries from which users accessed the domain, and the time interval from which the detected data leaks originate.

For more information about specific cases, you need to register and verify the domain using an HTML tag or DNS record. Detailed information on how to perform verification can be found directly in the customer portal after registration.

Paying customers are provided with all information about compromised users, including usernames and leaked passwords, as well as support in investigating security incidents.

HackedList.io allows you to detect the leakage of login credentials or other sensitive information of your organization before they are misused.

Using our data, you can enhance the security of your organization (prevent misuse of leaked employee accounts) and the safety of your own customers (prevent fraud using leaked customer accounts).

We allow anyone to see anonymized account breaches in our customer portal for free (in the Unverified domains section under Breaches). If you want to see detailed credentials and information about the breached computer, you have to choose one of our pricing plans in the Billing section (and also verify ownership of the domain).

We send summary reports with newly detected leaks to paying customers once a day. The form of reporting and the information contained in the report can be customized in the customer portal.

Infostealer malware is a type of malicious code that extracts stored passwords, cookie files, sensitive documents, and other information from the infected device and sends it to the attacker.

The motivations of actors spreading infostealer malware can vary, as can the methods they use. Often, their goal is quick financial gain, especially the misuse of banking access and cryptocurrency theft. Subsequently, the attacker offers the rest of the data cheaply for sale or for free to others. Sophisticated actors use this information for activities like ransomware attacks.

Information that infostealer malware can extract from a device typically includes:

  • All passwords stored in the browser
  • Cookie files
  • Screenshots
  • Browsing history
  • List of downloaded files
  • Autofill information saved by the user
  • Sensitive documents stored on the disk
  • VPN access
  • Access to email accounts (Outlook, Thunderbird, etc.)
  • Access to IM applications (Telegram, Discord, etc.)

It is evident that if an employee is compromised, the attacker often gains access to a large number of corporate services and internal data, which can be easily exploited for further attacks. While it is not possible to prevent infostealer malware infections with 100% certainty, HackedList.io can detect if information obtained this way is available on the darknet and help you take appropriate measures.

The darknet typically refers to a part of the internet hidden from the average user, often operated on the Tor anonymization network. It can also include various untraceable forums, chat channels, or automated marketplaces accessible only by invitation.

Due to the anonymity the darknet provides, it is often used for criminal activities, including the sale and sharing of data obtained through infostealer attacks.

The data we process can be divided into two types:

  • Records of specific users on automated marketplaces, indicating that data related to your organization has been leaked
  • Publicly or semi-publicly available bundles of leaked data, which we directly import into our database

In the case of records on online marketplaces, we will notify you that data associated with your organization is likely being sold and, at your request, we will facilitate its acquisition.

Additionally, we continuously monitor darknet forums and chat rooms where bundles of leaked data are traded or exchanged in bulk, and we automatically download and process them into our database. If data related to your organization appears in such a bundle, we will immediately notify you in the customer portal.

Our database contains several tens of terabytes of data, obtained from hundreds of different sources. The list of these sources is continuously changing and is available to our customers after signing an NDA.

Data is continuously uploaded to the system as it appears on monitored channels. These changes are immediately reflected in the customer portal and API.

Summary reports are sent via email to our customers once a day, typically at 9 AM CET.

Yes, we provide an API for paying customers at api.hackedlist.io. Once you register and verify your domain(s), you can create an API key through our customer portal.

Yes, our service operates fully in compliance with the legal system of the Czech Republic. The service is operated by CyWeTa DNS s.r.o., registered at the municipal court in Prague. We provide confidential data only to verified customers based on a valid contract.

Pay increased attention to unusual activity on the subdomains we mark as compromised. If you are our client, you have all the information you need to effectively handle the situation available through the portal. We recommend blocking compromised accounts as soon as possible, changing the respective passwords, and if possible, implementing 2FA, or performing a forensic analysis if the compromised device had access to the internal network.

Through the portal, you can also request our assistance in investigating how the user was compromised and what measures can be taken to prevent a recurrence.

Unfortunately, most devices we detect as compromised in our database have some form of antivirus protection. Attackers are aware of this fact and adapt their techniques to overcome this obstacle. Even expensive enterprise solutions do not provide reliable protection.

Infostealers generally extract not only stored passwords from the device but also cookie files and other information necessary for the complete identity theft of the compromised user. Therefore, two-factor authentication does not prevent unauthorized access in all cases.

Moreover, records captured by infostealer malware contain other information or sensitive internal documents that can be exploited, for example, in spear-phishing campaigns.