Credential Stuffing Lure — Fake Breach Notification

How This Attack Works

Criminals send fake breach notification emails claiming your password was found in a recently leaked database. The email includes a realistic-looking partial password (often sourced from old, public breach databases) to establish credibility. Victims are directed to a phishing page disguised as their email provider or a popular service to "reset" their now-compromised password — handing live credentials directly to the attacker.

Red Flags to Watch For

• ✗
  Email claims your password was exposed and shows a real but old password you once used
• ✗
  Password reset link goes to a domain that is not the official service
• ✗
  Notification arrives for a service that has not publicly announced a breach
• ✗
  Urgent deadline: "Reset within 24 hours or your account will be locked"
• ✗
  Legitimate breach notifications never ask you to enter your current password to reset it
• ✗
  Sender address is not the official security@[service].com address

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• security-breach-notification.comMALICIOUS
• your-password-exposed.netMALICIOUS
• account-breach-alert.comMALICIOUS
• data-leak-password-reset.netMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.