Find employee credentials in breach data before attackers do.
When employees reuse passwords, a breach at any third-party service becomes a potential entry point to your organisation. Nano EASM runs daily checks for email addresses linked to your enrolled domains against known breach databases — surfacing exposures the moment they're confirmed, so you can act before an attacker does.
What we detect
- Employee email addresses found in known breach datasets, with breach name and breach date.
- Plaintext password exposures — the highest-risk class, where the credential is immediately usable for account-takeover or credential-stuffing attempts.
- Hashed password exposures — even salted hashes remain at risk when the underlying password is weak or common, since it can still be recovered by guessing.
- Multi-breach overlaps — the same employee email appearing in multiple distinct breach datasets, indicating a persistent credential-reuse problem.
- Recently surfaced breaches — new breach dumps are incorporated continuously, so exposures appear as findings close to the breach date, not months later.
Why it matters
Credential stuffing is now the dominant technique for account takeovers. Attackers buy breach data, run automated tools against every login endpoint they can find, and succeed at rates well above 1% on average. For a 200-person company, 1% of 200 accounts is a meaningful breach. Employees who reuse their corporate email as a login for other services expose the whole organisation the moment any of those services is breached — regardless of how well you've hardened your own infrastructure. The average time between a credential appearing in a breach dataset and its first use in an attack is measured in hours.
How Nano EASM detects it
Enrol a domain from Monitoring → Credential Monitoring. Nano EASM runs daily sweeps, checking addresses associated with that domain against breach intelligence data. Email addresses are displayed masked in the UI — the raw address is used only for the lookup and is never stored in plaintext. When a match is found, a finding is created with the breach name, breach date, exposure type (plaintext or hashed password), and remediation steps. The check runs on a staggered schedule to avoid congestion when multiple domains are enrolled simultaneously. Deduplication ensures a finding is created only once per unique email + breach combination — re-checks don't generate duplicate alerts.
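As an added illustration (not Nano EASM's own code), the Python below sketches the bookkeeping this paragraph describes: addresses are normalised and kept only as a keyed hash, shown masked, and each finding is keyed on email + breach so a re-check produces no duplicate alert; it also flags addresses seen in more than one breach. The breach rows, the masking format and the HMAC secret are constructed assumptions.

```python
import hashlib
import hmac

LOOKUP_KEY = b"placeholder-secret-key"  # placeholder; a real key comes from a secrets manager

def mask_email(email: str) -> str:
    # display form only: keep the first and last character of the local part
    local, _, domain = email.partition("@")
    stars = "*" * max(len(local) - 2, 1)
    return f"{local[0]}{stars}{local[-1] if len(local) > 2 else ''}@{domain}"

def email_key(email: str) -> str:
    # keyed hash of the normalised address, so the raw address is never stored
    return hmac.new(LOOKUP_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

class FindingStore:
    def __init__(self):
        self.findings = {}  # (email_key, breach_name) -> finding dict

    def sweep(self, domain: str, records):
        # one daily check over (email, breach_name, breach_date, exposure) rows;
        # returns only findings not already recorded
        new = []
        for email, breach, date, exposure in records:
            if not email.lower().endswith("@" + domain.lower()):
                continue
            key = (email_key(email), breach)
            if key in self.findings:
                continue  # same email + breach already reported: no duplicate alert
            self.findings[key] = {
                "email_masked": mask_email(email), "email_key": key[0],
                "breach": breach, "breach_date": date, "exposure": exposure,
                "severity": "high" if exposure == "plaintext" else "medium",
            }
            new.append(self.findings[key])
        return new

    def multi_breach(self):
        # email keys present in more than one distinct breach: a credential-reuse signal
        counts = {}
        for ek, _ in self.findings:
            counts[ek] = counts.get(ek, 0) + 1
        return {ek for ek, n in counts.items() if n > 1}

# constructed sample data: two daily sweeps, the second repeating the first plus one new row
DAY1 = [("alice@example.com", "VendorPortal", "2024-03-01", "plaintext"),
        ("bob@example.com", "ForumDump", "2023-11-12", "hashed"),
        ("carol@other.org", "ForumDump", "2023-11-12", "plaintext")]
DAY2 = DAY1 + [("Alice@example.com", "ForumDump", "2023-11-12", "hashed")]
```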
Common scenarios
Employee reuses work password on a third-party portal
An employee signs up for a vendor service with their corporate email and reuses their work password. That vendor is later breached. The daily check picks up the email address in the breach dataset, creates a high-severity finding flagged as a plaintext exposure, and the employee is prompted to rotate their corporate password before any attacker automation reaches the login endpoint.
Departing employee's account shows up in a new breach dump
A former employee's account was disabled in the IdP, but their corporate email address surfaces in a fresh breach dataset. The finding gives the security team confidence to confirm the account is fully offboarded across all downstream services — not just the primary IdP — and to monitor for any related abuse.
Compliance audit requires evidence of credential-exposure monitoring
The findings list for the Compromised Credentials category — with breach names, breach dates, exposure types, and remediation timestamps — becomes audit evidence for controls around compromised-credential monitoring. Export to PDF via the reports module.
Available with a free account
Compromised Credentials monitoring opts a tracked asset into continuous weekly scanning, so it's not available via the anonymous Quick Scan flow. Create a free account, add your root domain, and toggle it on from the asset detail page.
Plan-tier limits apply — see the plan comparison for the number of watched domains per tier.