Dark Web ID compromise types

Accidental Exposure:

The compromise of data is attributed to an unintentional disclosure by non-malicious actors on a web page, social media, or peer-to-peer site.

Bot:

The compromise of data is attributed to botnet activity.

Breach:

This data was compromised as part of an organization's data breach.

BOT Prefixes
s_ sinkhole
l_ webserver compromise
w_ webserver attack
c_ miscellaneous

Combolist:

Credential and password pairs (username:password or email:password) found on paste sites, forums, or combolists — often without attribution to a specific breach. Many contain recycled credentials from older exposures or breached datasets.

Data Dump:

A consolidated collection of new and/or previously compromised credentials was made available for bulk consumption.

Dox:

The data was disclosed as a part of a Doxing effort. Doxing is the research, collection, and broadcast of private or personally identifiable information (PII) about an individual or organization. Doxing may be carried out for various reasons, including extortion, coercion, inflicting harm, harassment, and online shaming.

Exfiltrated:

Breaches exfiltrated by threat actors from an identifiable organization, often including customer records, user databases, or internal employee info. Typically has a known breach name and metadata.

Exposed:

Publicly accessible or misconfigured data stores (e.g., open S3 buckets, FTPs) — found unintentionally but can contain sensitive credentials or personal data.

Keylogged / Phished:

The compromise of data is attributed to credentials entered into a phishing website or extracted by software designed to surreptitiously harvest personally identifiable information (PII).

Malware:

Data captured from infected machines, including login credentials, cookies, autofill data, browsing history, wallet credentials, and device fingerprinting. Collected using infostealer malware such as Redline, Raccoon, Vidar, etc. This is the richest and most behaviorally complete dataset type.

Not Disclosed:

The corresponding metadata associated with the collected information is currently insufficient to accurately attribute to a specific compromise type.

Phished:

Credentials harvested through phishing campaigns, kits, or spoofed login portals. Often limited in structure but high-fidelity in intent.

Sample:

The data was disclosed by an individual or organization to prove the validity of an exploit/breach.

Scraped:

Usernames, emails, and account metadata scraped from public websites (e.g., social media, forums) — not stolen directly, but aggregated at scale.

Tested:

The data was legally tested to determine if it is live/active data.

MPD:

Spam server that presents as multiple unrelated domains.

MISC:

Spam server that presents a broken value.

BOGUS:

Spam server that presents an invalid value.

LH:

Spam server that presents as localhost.

FAM:

Spam server that presents an identity we know to be valid, but which does not belong to that server.

LOC:

Spam server that presents as the destination server.

NEVER:

Spam server that presents a forged value.

BSIP:

Spam server that presents as a different IP.

SSIP:

Spam server that presents as its own IP.

NOHELO:

Spam server that does not present an identity.

Source type

Asprox:

The IP address has been identified as associated with the Asprox botnet, also known by its aliases Badsrc and Aseljo, and is mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

C2 Server:

The IP address has been identified as being associated with a command-and-control (C2) server. Command-and-control servers are used by attackers to maintain communications with compromised endpoints within a targeted network. These compromised endpoints are collectively referred to as a botnet. This is achieved by infecting endpoints with malware. Botnets are leveraged by attackers to conduct malicious activity (send spam, distribute malware, etc.) without the knowledge of the system owner.

Chat Room:

This data was discovered in a hidden Dark Web Internet Relay Chat (IRC) room.

Cutwail:

The IP address has been identified as associated with the Cutwail botnet and is mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

File-Sharing:

The IP address has been identified as associated with malicious file-sharing activities.

ID Theft Forum:

This data was discovered being exchanged on a dark web forum or community associated with ID theft activities.

P2P File:

This data was discovered as part of a file being exchanged through a peer-to-peer file sharing service or network.

Public Web Site:

This data was discovered on a publicly accessible web forum or data dumpsite.

Social Media:

This data was discovered being shared as a post on a social media platform.

Webpage:

This data was discovered on a hacker website or data dumpsite.

Zero Access:

The IP address has been identified as associated with the Zero Access botnet. At the time of discovery, the ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems (2012).

Website:

Not Disclosed:

The origin of the breach has not been disclosed for one of two reasons: the name of the site has not yet been determined, or the breached organization has not yet publicly acknowledged a cyber incident.