Breach Intelligence is a feed for third party risk teams to identify, track, and respond to breach-related incidents based on public news sources as well as the threat underground. Events are shown chronologically for only the organizations you are subscribed to in your portfolio.
Recommended Steps
Recommended steps are generated based on a combination of event type and severity. Use them as a guide; they do not override your organization’s breach-response processes.
Filters
Users can filter this feed on the following data sets:
- Severity: learn more about severity types.
- Event Type: learn more about types of breach intelligence events.
- Industry: Filter by an industry
- Geography: Filter by a country or territory
- Company: Filter by a named company
- Date: Filter by a specific date range
Severity Types
Severity types can range between:
- Critical
- High
- Medium
- Low
Severity is assigned based on the nature of the event type (e.g. Ransomware & Breach events are often critically severe) and the number of records that are disclosed as a result of the event.
Event Types
- Breach: Dark web exposure of this entity signals that internal assets or sensitive records have been exfiltrated, increasing the risk of supply chain attacks. Exposed PII or credentials create immediate vulnerability to targeted phishing and credential stuffing campaigns against associated stakeholders.
- Ransomware: A successful ransomware attack means a high probability of network compromise and data exfiltration. Since threat actors list victims after failed negotiations or for double extortion, sensitive proprietary data, PII, or supply chain documentation faces an imminent risk of public release.
- Cyber Crime: A news outlet identified [third party] as the victim of a financially-motivated attack, indicating a high-profile event.
- State-Sponsored Operations: A news outlet identified [third party] as the victim of a state-sponsored attack, indicating a high-profile event.
- Hacktivism: Vendor was posted as a victim of a hacktivist attack; possible breach or denial-of-service. Ideologically-motivated actors are targeting vendors, as reported by a news article or by the actors themselves.
- Human Error: An incident involving unintentional actions that directly compromise a sensitive asset
- Lost / Stolen Asset: An incident where an information asset went missing, whether through misplacement or malice
- Unsecured Database: A database is left unsecured due to error and the data is accessible by third parties
- Privilege Abuse: An unapproved or malicious use of organizational resources beyond what is authorized
- Web Apps: An incident in which a web application was the attack vector, including code level vulnerabilities in the application and thwarted authentication mechanisms
- Espionage: An incident of unauthorized network or system access exhibiting the motive of state-sponsored or industrial espionage, where trade secrets or IP are frequently targeted
- Denial of Service (DOS): An attack intended to compromise the availability of networks and systems
- Crimeware: An instance of malware installed for the purpose of acquiring unauthorized data or assets
- ATM / Skimmer: A physical attack involving unauthorized access to an ATM, or the use of a skimming device to gather data from payment cards
- POS (Point-of-sale): Remote attacks against the environments where retail transactions are conducted, specifically where purchases are made
- Intrusion: Unauthorized access which does not involve exfiltration of records or other resources
- Account Takeover (User): An attacker gains unauthorized access into a service through the use of a user's account credentials
- Incident Type Undisclosed: A security incident where certain classification details pertaining to the event are unknown
- Other Incident: A security incident that does not fall into one of the other categories
- Social Engineering: An attack which uses deception to trick individuals into divulging unauthorized information or access
- Ransomware: An attack designed to block access to a computer system until a sum of money is paid
- Phishing: An attack in which fraudulent email is used to mimic the access of an authorized employee or legitimate contact
- Other Disclosure: A disclosure that does not fall into one of the other categories
- Lost / Stolen Asset (Encrypted): An incident where an encrypted asset went missing, whether through misplacement or malice, with no evidence of encryption compromise
- Account Takeover (Employee): An attacker gains unauthorized access into a service through the use of an employee's account credentials
- Internal Incident: An incident discovered by the company in question and remediated with no apparent compromise
- DNS Incident: A DNS-related security incident
- Fraud: An incident where a company was tricked into releasing information, funds, or other resources to an unauthorized party, not necessarily involving systems intrusion.
- DNS Finding: A self-disclosed DNS event
Source Types
- Public Disclosure: Public disclosures represent human-reviewed security incidents that are evaluated in the Bitsight Security Rating (learn more here)
- Twitter: Twitter post
- Telegram: Telegram post
- Ransomware Leak Site: A ransomware leak site (often called a Dedicated Leak Site or DLS) is a public-facing website on the dark web—typically accessed via the Tor network—used by cybercriminals to publish data stolen from victims who refuse to pay a ransom. These sites are a cornerstone of "double extortion" tactics, where attackers not only encrypt files to disrupt operations but also steal sensitive data to threaten public exposure.
- Paste Site: A paste site (or pastebin) is an online content-hosting service that allows users to store and share plain text—such as code snippets, logs, or configuration files—by generating a unique URL for that content. While useful for developers to share code, they are frequently used for anonymously sharing leaked data, stolen credentials, or malicious content.
- Darkweb Forum: Dark web forums are decentralized, online discussion platforms located on encrypted networks (primarily the Tor network) that require specialized software to access. Unlike surface web forums, they offer high anonymity, making them the primary infrastructure for cybercriminal ecosystems to trade stolen data, share hacking techniques, and coordinate attacks.
- Breach Forum: Breach forums (like BreachForums) are a type of illicit community focused specifically on trading stolen data and hacking. Breach forums can exist in a variety of locations on the internet, including the dark web, the surface web, or alternative channels like Telegram.
- FBI: US Federal Bureau of Investigation
- Cyber News Feed: A cyber news feed is a continuous, real-time stream of information focused on cybersecurity threats, vulnerabilities, and technology updates. These feeds provide essential "breaking news" for security professionals and regular users to stay ahead of emerging attacks like ransomware and data breaches
- Government Body: Governing bodies like CISA may disclose important news in the cyber security landscape.
- Blog: Security vendor blogs often publish news around breach and ransomware events.
- February 20, 2026: Published.