Credential Stuffing Lure — Fake Breach Notification

Attack Trigger

Fear of being hacked, combined with a real or fabricated reference to a data breach

What Attackers Want

Full account takeover; credentials are resold on the dark web for $2–$100 per account

How This Attack Works

Criminals send fake breach notification emails claiming your password was found in a recently leaked database. The email includes a realistic-looking partial password (often sourced from old, public breach databases) to establish credibility. Victims are directed to a phishing page disguised as their email provider or a popular service to "reset" their now-compromised password — handing live credentials directly to the attacker.

Red Flags to Watch For

  • Email claims your password was exposed and shows a real but old password you once used
  • Password reset link goes to a domain that is not the official service
  • Notification arrives for a service that has not publicly announced a breach
  • Urgent deadline: "Reset within 24 hours or your account will be locked"
  • Legitimate breach notifications never ask you to enter your current password to reset it
  • Sender address is not the official security@[service].com address

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

  • security-breach-notification.com (MALICIOUS)
  • your-password-exposed.net (MALICIOUS)
  • account-breach-alert.com (MALICIOUS)
  • data-leak-password-reset.net (MALICIOUS)

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.
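
As an added illustration (not Glance's code, and not from the original page), the sketch below checks a message against three of the red flags above plus the domains listed on this page. The function names, the urgency phrases, the sample message and the `example.com` "official" domain are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains listed on this page under "Known Malicious Domains".
BLOCKLIST = {"security-breach-notification.com", "your-password-exposed.net",
             "account-breach-alert.com", "data-leak-password-reset.net"}
# Assumed urgency phrases, modelled on the deadline wording quoted above.
URGENCY = re.compile(r"within\s+\d+\s+hours?|will\s+be\s+locked", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; example.com stands in for the impersonated service.
SAMPLE = """\
From: Security Team <alerts@account-breach-alert.com>
To: user@example.org
Subject: Your password was exposed

Your password ending in "...er12" was found in a leaked database.
Reset within 24 hours or your account will be locked:
https://login.data-leak-password-reset.net/reset?u=user
"""

def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def red_flags(raw_email, official_domain):
    """Return the red flags this message trips, in the order checked."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    flags = []
    sender = registrable(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    if sender in BLOCKLIST:
        flags.append("sender_on_blocklist")
    elif sender != official_domain:
        flags.append("sender_not_official")
    for url in URL.findall(body):
        link = registrable(urlparse(url).hostname or "")
        if link in BLOCKLIST:
            flags.append("link_on_blocklist")
        elif link != official_domain:
            flags.append("link_not_official")
    if URGENCY.search(body):
        flags.append("urgent_deadline")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, "example.com"))
```

Comparing on the registrable domain rather than a substring is what makes a host such as `example.com.evil.test` count as not official.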

How Glance Stops This

  • Domain similarity analysis catches lookalike sender addresses at millisecond speed
  • SPF / DKIM / DMARC validation flags authentication failures before you ever see the email
  • VirusTotal + Google Safe Browsing checks every link in real time
  • Urgency language detection scores the email higher for manual review
  • Known malicious domain blocklist updated continuously from live scan data

Don't wait to get hit.

Glance scans every incoming email against 12 detection layers — including the exact tactics described above — before it reaches your inbox.
