I found out that my company's data or credentials are for sale on the dark web
O que fazer agora
Do not access the listing or pay the criminal. First, confirm the scope of the leak legally and for free: run the credential-exposure, dark web and domain-reputation scan in Decripte's free Threat Management plan at https://decripte.com.br/intelligence-center (no card, no technical team). In parallel, force a reset of all potentially affected passwords, invalidate active sessions and enable MFA. If personal data is involved, you may have to notify the ANPD within 3 business days from awareness. If there is already a sign of misuse, engage Decripte's 24/7 Incident Response at https://decripte.io/contato, with a SOC and containment within 1 hour.
SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.
Sinais de alerta
- ›You received an email, message or call claiming to have your company's data or access for sale, sometimes with a real sample attached.
- ›A monitoring service, partner or customer warned you that credentials of your domain appeared in a leak.
- ›Employees report login attempts they did not make, unexpected MFA alerts or passwords that stopped working.
- ›Email forwarding rules, filters or connected apps appeared that no one on the team created.
- ›Logins from countries, IPs or times incompatible with the operation appear in the access reports.
- ›Customers or suppliers report billing messages, scams or phishing supposedly coming from your company.
- ›API tokens, access keys or service credentials appear in public searches, repositories or pasted in pastebins.
Primeiros passos — o que fazer agora
- 1
Confirm the scope without accessing illegal sources
Do not enter dark web forums or pay for samples: it is risky, may constitute an offense and funds the attacker. Use Decripte's free Threat Management scan at https://decripte.com.br/intelligence-center to find out, legally, which emails, passwords and assets of your domain appear in leaks and on the dark web.
- 2
Rotate and force a reset of all affected credentials
Immediately change the passwords of the identified emails, panels and accounts. If a password leaked, consider compromised all accounts where it was reused. Force a mass reset through your identity provider (Google Workspace, Microsoft 365, Active Directory) and invalidate active sessions and tokens, because a new password does not expel someone already logged in.
- 3
Enable MFA on everything critical
Enable multi-factor authentication (preferably an authenticator app or physical key, not SMS) on corporate email, VPN, cloud panels, bank and administrative tools. MFA neutralizes most of the value of a leaked credential, even if the password is already in the criminal's hands.
- 4
Hunt for misuse of the credentials
Review the login logs of the affected accounts for access from atypical IPs, countries or times, new devices, email forwarding rules created without authorization and recently generated API tokens. Terminate every suspicious session and revoke third-party access you do not recognize.
- 5
Preserve the evidence before cleaning up
Before deleting malicious emails, rules or logs, preserve copies with date and time. This evidence supports the forensic investigation, the notification to the ANPD and any police report. Record right away the exact moment you became aware of the incident.
- 6
Assess the duty to notify (personal data)
If the leak includes personal data of customers or employees with relevant risk or harm to data subjects, the LGPD and Resolution CD/ANPD No. 15/2024 require notification to the ANPD within 3 business days from awareness, in addition to notice to the affected data subjects. Document the date and time of the discovery to support the deadline.
- 7
Engage 24/7 Incident Response if there is active activity
If you already see fraud, unauthorized access, emails going out in your name or improper financial movement, this is an active incident. Engage Decripte's 24/7 Incident Response at https://decripte.io/contato: the SOC works with containment within 1 hour and leads the forensic investigation preserving evidence.
- 8
Establish continuous monitoring
Leaks are not one-off events: new credential combinations reappear for months. Keep continuous monitoring of the dark web and domain exposure active (the free Threat Management plan does this) to be warned of reappearances before they turn into fraud.
O que NÃO fazer
- ✕Do not pay the criminal for a sample or to have them delete the data: there is no guarantee of compliance, you fund new attacks and you may be committing an offense.
- ✕Do not access dark web forums or marketplaces on your own: beyond the legal risk, you expose yourself to malware and may alert the attacker that you noticed.
- ✕Do not just change the password that leaked and ignore reuse: the same password on other accounts keeps them all open to the attacker.
- ✕Do not rely only on SMS MFA for critical accounts: SIM swap and interception make SMS the weak link; prefer an authenticator app or a physical key.
- ✕Do not delete logs, suspicious emails or evidence before preserving: you may destroy the proof needed for the investigation and to support the notification to the ANPD.
- ✕Do not leave the notification to the ANPD for later without recording the date of awareness: the 3-business-day deadline runs from the moment you become aware of the incident.
First: confirm whether the leak is real and how big it is
Before panicking or spending energy rotating the wrong things, you need to know what actually leaked. Dark web listings mix real data, old reused data and pure bluff to extort. The worst reaction is to access the listing, ask for a sample or negotiate: that exposes you legally, may infect your machine and signals to the criminal that they hit a nervous target.
The correct and legal way to confirm the scope is to cross-reference your domain and the company's emails with leak databases and dark web sources already collected by those who do it in a controlled way. Decripte's free Threat Management plan (Decripte Intelligence Center) at https://decripte.com.br/intelligence-center does exactly that: it scans credential exposure, dark web presence and your domain's reputation, with no credit card and requiring no technical team. In minutes you go from rumor to a concrete list of accounts to handle.
With the scope in hand, you prioritize: accounts with administrative power, corporate email, financial and cloud access come first. This map is what turns a chaotic reaction into a focused containment plan.
Containment: cut off the attacker's access before eradication
Containment, in the NIST incident-response model, is stopping the bleeding before cleaning the wound. In practice, with leaked credentials this means three simultaneous moves: forcing a password reset on all affected accounts, invalidating active sessions and tokens (a new password does not expel someone already logged in) and enabling MFA where there was none.
Password reuse is the multiplier of the damage. If an employee's email password leaked and they used the same one in the cloud panel and at the bank, you have three incidents, not one. That is why the reset cannot be too surgical: treat as compromised any account that shares a credential with something that appeared in the scan. Also revoke API keys and integration tokens, which are often forgotten and grant silent access.
If, while reviewing the access, you find signs of active use, such as forwarding rules created by the attacker, foreign logins or financial movement, stop improvising and engage Decripte's 24/7 Incident Response at https://decripte.io/contato. The SOC operates with a containment SLA of up to 1 hour and leads the investigation preserving the evidence.
Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
Hunting for misuse and eradication
Changing passwords is not enough if the attacker has already created ways to return. The eradication phase consists of removing those persistence points: malicious email forwarding rules and filters, OAuth apps connected without authorization, new administrative users, access keys added in the cloud and trusted devices you do not recognize.
Comb the authentication logs of the compromised accounts looking for the intruder's pattern: where they logged in from, what they accessed, what they exfiltrated. This work answers questions you will need for the legal notification and for the customers: which data was actually exposed and for how long. Documenting with date and time is part of the process, not bureaucracy.
When there is evidence that data was actually accessed or copied, and not just that credentials leaked, the forensic investigation gains legal weight. This is where the experience of a team that has already responded to incidents in fintechs, exchanges and e-commerces shortens the path between chaos and a defensible response.
Recovery, notification and continuous monitoring
To recover is to return to normal operation with the certainty that the attacker was expelled: passwords changed, universal MFA, persistences removed and monitoring active to catch a recurrence. Before declaring the incident closed, confirm there are no more suspicious open sessions nor new credentials of yours circulating.
If personal data is involved, the legal dimension cannot be ignored. Resolution CD/ANPD No. 15/2024 requires the communication of security incidents to the ANPD within 3 business days from awareness, when there is relevant risk or harm to data subjects, in addition to communication to the affected data subjects themselves. The deadline runs from the moment you find out, which is why recording the date of awareness right at the start is decisive. If the exposure leads to financial fraud, especially in Pix payments, contact the bank immediately to trigger the MED (Special Return Mechanism), whose window is short, and file a police report.
Finally, treat monitoring as permanent. Leaked credential combinations reappear in new packages for months and give rise to fraud long after the initial listing. Keeping Decripte's free Threat Management plan active at https://decripte.com.br/intelligence-center ensures you are warned when something of yours reappears, before it becomes the next incident. That is the lesson learned that separates those who put out fires from those who stop having fires.
Obrigações legais (Brasil)
If the leak involves personal data with relevant risk or harm to data subjects, Resolution CD/ANPD No. 15/2024 requires notification to the ANPD within 3 business days from awareness of the incident, in addition to communication to the affected data subjects; record the date and time of the discovery right away. If there is associated financial fraud, in Pix payments there is the MED (Special Return Mechanism), with a short window, so contact the bank immediately and file a police report. This guidance is informational and does not replace specialized legal advice. These rules and deadlines (ANPD/LGPD) are Brazilian.
Termos importantes
- Credential leak
- The exposure of username-and-password combinations (and sometimes other data) that start circulating in leaks, combo lists and dark web marketplaces, allowing third parties to try to access your accounts.
- Dark web
- A layer of the internet accessible only through anonymity networks, where forums and marketplaces that trade leaked data and access also operate. It should not be accessed on your own during an incident.
- MFA (multi-factor authentication)
- An extra layer of verification beyond the password, such as a code from an authenticator app or a physical key. Even if the password leaks, without the second factor the attacker does not get in; that is why it is the most effective defense against leaked credentials.
- Credential rotation
- The process of changing potentially compromised passwords, keys and tokens, invalidating the old ones. It includes forcing a mass reset and terminating active sessions, since a new password does not disconnect someone already logged in.
- Notification to the ANPD
- An obligation provided for in the LGPD and detailed in Resolution CD/ANPD No. 15/2024 to notify the National Data Protection Authority, within 3 business days from awareness, of security incidents with personal data that bring relevant risk or harm to data subjects, also notifying those affected.
- Incident Response (IR)
- Specialized action to contain, investigate and eradicate an active attack. Decripte operates 24/7 Incident Response with a SOC and a containment SLA of up to 1 hour, following the NIST cycle: preparation, detection, containment, eradication, recovery and lessons learned.
Perguntas frequentes
How do I know if my data is really for sale on the dark web without accessing a criminal forum?
You do not need to, and should not, access the dark web on your own. Use a service that already collects that data in a controlled way and cross-references it with your domain. Decripte's free Threat Management plan at https://decripte.com.br/intelligence-center scans credential exposure, dark web presence and your domain's reputation with no credit card, showing which of your company's accounts appeared in leaks.
Should I pay the criminal so they do not sell or so they delete the data?
No. There is no guarantee they will comply; it is common to sell even after payment or to extort again. Paying funds new attacks and may constitute an offense. The right path is to confirm the scope, contain the access by rotating credentials and enabling MFA, and handle the incident technically instead of negotiating.
An email password leaked. Is it enough to change that password?
It is not enough. If that password was reused on other accounts, they are all compromised. Change the leaked password, change it anywhere it was reused, invalidate active sessions (a new password does not disconnect someone already logged in) and enable MFA. Then check whether the attacker created forwarding rules or new access.
Do I need to notify the ANPD for a credential leak?
If the exposed credentials or data involve personal data and there is relevant risk or harm to data subjects, yes. Resolution CD/ANPD No. 15/2024 provides for notification to the ANPD within 3 business days from awareness of the incident, in addition to notifying the affected data subjects. Record the date and time you discovered the leak, as that is when the deadline starts to run.
What is the difference between the free Threat Management plan and engaging Incident Response?
The free Threat Management plan (https://decripte.com.br/intelligence-center) is for diagnosis and continuous prevention: it shows credential exposure, the dark web and domain reputation. 24/7 Incident Response (https://decripte.io/contato) is for when there is an active attack in progress, with a SOC and containment within 1 hour and forensic investigation. In your case, start with the free plan to confirm the scope and engage IR if you find misuse.
Is SMS MFA enough to protect the affected accounts?
It is better than nothing, but it is not ideal for critical accounts. SMS is vulnerable to SIM swap and interception. For corporate email, VPN, cloud panels and financial access, prefer an authenticator app or, better yet, a physical security key. Reserve SMS only for low-risk accounts when there is no alternative.
How do I find out if the attacker is already using the leaked credentials?
Review the authentication logs of the affected accounts looking for logins from unusual IPs, countries or times, new trusted devices, email forwarding rules no one created and recently generated API tokens. Any of these is a sign of active use. Terminate the suspicious sessions, revoke the access and, if you confirm activity, engage Decripte's Incident Response at https://decripte.io/contato.
The leak was months ago. Do I still need to worry?
Yes. Credential packages are resold and recombined for a long time, and fraud usually happens well after the original leak. Even if you have already changed passwords, keep continuous monitoring active to be warned if your credentials reappear in new batches. The free Threat Management plan covers that vigilance at no cost.
Incidente em andamento?
Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.
Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.
