Your organization’s credentials appeared on the dark web. Here’s exactly what to do to protect your business, staff, and clients. This guide expands on the essentials with practical, business-focused steps and quick wins.
What happened—and what it means
We identified company-related information (e.g., employee emails, names, phone numbers, addresses, and/or passwords) appearing in a breach dataset traded or shared on dark-web forums.
This doesn’t always mean your systems were accessed, but it does mean adversaries have ammunition to attempt phishing, account takeovers, or lateral movement.
If a password was exposed—even hashed/encrypted—treat it as compromised. Change it everywhere it was used.
1) Change exposed & reused passwords
- Prioritize email, identity providers (Microsoft 365, Google Workspace), remote access tools, and admin accounts.
- Require employees to set strong, unique passwords (16+ characters, passphrases, or manager-generated).
- Check for password reuse across platforms and rotate credentials accordingly.
Pro tip: Roll out a business-grade password manager (e.g., 1Password Business, LastPass Enterprise, Keeper, Bitwarden) to enforce unique, complex passwords across the organization.
2) Enforce Multi-Factor Authentication (MFA)
- Enable MFA across all email, financial, payroll, VPN, cloud, and admin systems.
- Require app-based or hardware-based MFA rather than SMS where possible.
- Review and update MFA policies in your identity provider for consistency.
Pro tip: Don’t just recommend MFA—enforce it through policy. Partial adoption leaves gaps attackers can exploit.
3) Heighten awareness for fraud & phishing
Compromised information often fuels targeted spear-phishing or business email compromise (BEC).
Red flags to watch for:
- Unusual wire transfer or payment requests.
- “CEO fraud” or urgent instructions from executives.
- Unexpected MFA prompts (MFA fatigue attacks).
- Vendors suddenly requesting bank account changes.
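One way to catch the unexpected-MFA-prompt red flag in sign-in logs rather than relying on staff reports. This is an added example, not part of the original guide; the log format, user names, and thresholds are assumptions, and the events are constructed samples.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z user=jsmith event=mfa_push result=denied
2024-05-01T02:14:41Z user=jsmith event=mfa_push result=timeout
2024-05-01T02:15:10Z user=jsmith event=mfa_push result=denied
2024-05-01T02:15:52Z user=jsmith event=mfa_push result=denied
2024-05-01T02:16:20Z user=jsmith event=mfa_push result=approved
2024-05-01T08:59:30Z user=mlee event=mfa_push result=denied
2024-05-01T09:00:02Z user=mlee event=mfa_push result=approved
"""

def parse_line(line):
    """Turn one log line into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: severity} for bursts of unapproved push prompts.

    'medium' = threshold or more denied/timed-out pushes inside the window.
    'high'   = such a burst ended with an approval (user may have given in).
    Assumes the log is sorted by time.
    """
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") != "mfa_push":
            continue
        q = recent[ev["user"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop prompts that fell out of the window
        if ev["result"] == "approved":
            if len(q) >= threshold:
                alerts[ev["user"]] = "high"
            q.clear()
        else:
            q.append(ev["time"])
            if len(q) >= threshold:
                alerts.setdefault(ev["user"], "medium")
    return alerts
```

A "high" result means the account should be treated as taken over: revoke its sessions and rotate its password before investigating further.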
Actions to take:
- Run a phishing awareness refresher for staff immediately.
- Implement or tighten email filtering/DMARC enforcement.
- Verify financial requests out-of-band (phone call, internal chat, etc.).
Pro tip: Consider implementing an internal “suspicious email” reporting button integrated into Outlook or Gmail.
4) Review recovery options & security questions
- Audit account recovery settings (backup email/phone, trusted devices).
- Replace any guessable recovery questions/answers with unique, non-public information.
- Confirm IT administrators maintain centralized account recovery procedures to prevent lockouts.
5) Scan endpoints & servers for threats
Sometimes credentials leak not from a database breach but from malware on an endpoint.
- Run full antivirus/EDR scans across all business endpoints.
- Check for keyloggers or malicious browser extensions.
- Ensure OS, browsers, and security software are fully updated.
Pro tip: If malware is detected, change all passwords again from a clean device afterward.
6) Notify IT & document the incident
- Log details of what was found, when, and where.
- Notify your IT/security team or MSP immediately.
- Keep an incident record for compliance, cyber insurance, and audits.
- If applicable, follow your incident response plan or escalate to leadership.
7) Review vendor & third-party access
- Check whether exposed accounts tie into vendor portals, SaaS apps, or shared logins.
- Rotate or disable any shared/role-based credentials.
- Reconfirm vendors handling sensitive data follow proper security practices.
How Strive can help
- Credential audit & rotation: Identify where exposed passwords are used and enforce changes.
- MFA rollout & enforcement: Configure across your identity provider and critical apps.
- Phishing protection: Filtering, DMARC alignment, and employee awareness training.
- Endpoint security: EDR deployment, scanning, remediation, and hardening.
- Incident documentation: Compliance-ready reports for regulators or insurers.
- Vendor risk review: Identify and mitigate third-party security gaps.
- Ongoing monitoring: Continuous dark web scans with guided response playbooks.
Need immediate assistance? Call us at (303) 963-2301.
Quick checklist for businesses
- Rotate any exposed or reused credentials (email/admin first).
- Enforce MFA everywhere—no exceptions.
- Brief staff on fraud & phishing awareness.
- Audit and update account recovery options.
- Run EDR/antivirus scans and patch systems.
- Document incident details and notify IT/leadership.
- Review vendor/third-party access and credentials.
- Schedule ongoing dark web monitoring with Strive.
FAQs
Does this mean we’ve been breached?
Not necessarily. Exposure means adversaries may attempt to use the data. We treat it as a potential entry point.
What’s the biggest risk for businesses?
Business email compromise (BEC), which often leads to fraudulent wire transfers or payroll diversion.
How quickly should we act?
Immediately. Password and MFA changes can block most follow-up attacks.
Do shared accounts pose a problem?
Yes. Shared logins complicate audits and increase risk. Rotate them and transition to individual accounts with proper role-based access.