Learn the key terms used across the Breachsense platform and dark web monitoring.
• A ‘data breach’ means someone broke in. A ‘data leak’ means someone left the door open. Your response should differ
• Stealer logs contain fresh credentials and session tokens that bypass MFA. They’re more dangerous than old breach data
• Some vendors call everything a ‘breach.’ Understanding the real distinctions helps you evaluate what a platform actually covers
• ‘Date discovered’ on breach trackers means when attackers posted, not when the breach happened. The intrusion is usually weeks earlier
Dark web monitoring involves specialized terminology that’s easy to confuse. A ‘data breach’ and a ‘data leak’ aren’t the same thing. ‘Stealer logs’ and ‘combo lists’ come from completely different sources.
This page defines the terms you’ll encounter across our site and platform. If you’ve ever wondered what a ‘ransomware leak site’ actually is or how session tokens differ from passwords, you’re in the right place.
Definitions are grouped by category so you can find what you need fast.
What Does This Page Cover?
Security teams deal with dozens of specialized terms when evaluating dark web monitoring platforms. Vendors don’t always use these terms consistently.
Dark web monitoring continuously scans criminal marketplaces and hacker forums for your organization’s exposed data. It alerts you when credentials or sensitive files surface, so you can respond before attackers exploit them.
This page standardizes the terminology you’ll find across the Breachsense site. Each definition explains what the term means and why it matters to you. For details on our specific sources and methods, see the dark web monitoring methodology.
What Are the Key Dark Web Infrastructure Terms?
These terms describe where stolen data lives and gets traded.
Dark Web
The dark web is a layer of the internet hosted on encrypted networks like Tor. Sites use .onion domains and can’t be reached through normal browsers. Criminal marketplaces and forums operate here because it provides anonymity.
Deep Web
The deep web is everything not indexed by search engines. Your email inbox and bank portal are both deep web. It’s not inherently criminal. People often confuse the deep web with the dark web, but they’re very different. Learn more about the deep web vs dark web.
Dark Web Marketplace
A dark web marketplace is an online store on the Tor network where criminals buy and sell leaked credentials and hacking tools. These markets operate like e-commerce sites, complete with ratings and escrow. Breachsense monitors active darknet markets for your exposed data.
Hacker Forum
A hacker forum is an online community where criminals share tools and trade stolen data. Some forums are public. Others require vetting or payment to join. Breaches often surface on forums before hitting mainstream news.
Paste Site
A paste site is a text-sharing platform like Pastebin. Criminals use paste sites to dump stolen credentials and data samples, often as proof of a breach. These dumps can contain thousands of email-password pairs.
What Are Credential Threat Terms?
These terms describe how stolen login credentials get used against you.
Combo List
A combo list is a file containing username-password pairs compiled from multiple data breaches. Criminals package credentials from different sources into a single list for credential stuffing attacks. A single combo list can contain millions of entries. Read more about dark web combo lists.
Credential Stuffing
Credential stuffing is an automated attack where criminals test stolen username-password pairs against other websites. It works because people reuse passwords. Attackers use combo lists as input and automated tools to test thousands of logins per minute.
Account Takeover (ATO)
Account takeover happens when an attacker gains unauthorized access to a user’s account. It usually starts with stolen credentials from a breach or stealer log. The attacker then locks out the real user and exploits the account.
Compromised Credentials
Compromised credentials are login details exposed through a data breach or stealer log. They include usernames and passwords. Some also contain session tokens. Credential monitoring detects these before attackers use them.
Password Spraying
Password spraying tests a small number of common passwords against many accounts at once. Unlike credential stuffing, which uses known password pairs, password spraying relies on people choosing weak passwords like “Password123.”
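To make the combo list and compromised-credential definitions above concrete from the defender's side, here is an added example (not Breachsense code, and not the platform's method) of what a credential-monitoring check does once a combo list surfaces: parse the dump, keep only entries for the monitored domain, and test each leaked password against the current salted hash so that only accounts still using the leaked password are forced to reset. The combo list, the user directory and the PBKDF2 storage scheme are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample combo list in the formats these dumps commonly use:
# email:password, email;password, plus comment, blank and junk lines. Not real data.
COMBO_LIST = """\
alice@example.com:Summer2024!
bob@example.com;hunter2
# some dumps carry comment or banner lines
carol@other-corp.test:letmein
dave@example.com:Passw0rd

not-a-credential-line
"""

# Constructed credential store for the domain we monitor (assumption: passwords are
# stored as salted PBKDF2-HMAC-SHA256, never in the clear). Values are made up.
CURRENT_PASSWORDS = {
    "alice@example.com": "Summer2024!",         # still using the leaked password
    "bob@example.com": "rotated-after-breach",  # already changed it
}


def hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build {email: (salt, hash)} the way a signup flow would; plaintext is discarded."""
    store = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(pw, salt))
    return store


def parse_combo_list(text: str) -> List[Tuple[str, str]]:
    """Split each line at the first ':' or ';'; skip comments, blanks and lines with no email."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cuts = [line.find(s) for s in (":", ";") if s in line]
        if not cuts:
            continue
        idx = min(cuts)
        user, password = line[:idx].strip().lower(), line[idx + 1:]
        if "@" in user:
            pairs.append((user, password))
    return pairs


def check_exposure(pairs, store, monitored_domain: str) -> Dict[str, str]:
    """Map each monitored-domain account found in the list to a status:
    'reset_required'           leaked password still matches the stored hash
    'password_already_changed' leaked password no longer works
    'unknown_account'          email is on our domain but not in our directory"""
    findings = {}
    for email, leaked_pw in pairs:
        if not email.endswith("@" + monitored_domain):
            continue
        entry = store.get(email)
        if entry is None:
            findings[email] = "unknown_account"
            continue
        salt, stored = entry
        # Constant-time comparison, as for any real password verification.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            findings[email] = "reset_required"
        else:
            findings[email] = "password_already_changed"
    return findings


if __name__ == "__main__":
    store = make_store(CURRENT_PASSWORDS)
    for email, status in check_exposure(parse_combo_list(COMBO_LIST), store, "example.com").items():
        print(f"{email}: {status}")
```

Note that the check never needs the stored password in the clear: the leaked value is hashed with the account's own salt and compared to what is already stored, so a combo list hit can be triaged without weakening the credential store. Entries for accounts the directory does not know about are still worth reporting, since they often point to shadow IT or former employees.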
What Are Malware and Stealer Terms?
These terms describe the malware that steals credentials from devices.
Infostealer Malware
Infostealer malware infects a device and harvests every credential it can find. It grabs saved passwords from browsers and active session cookies. It also captures autofill data and cryptocurrency wallets. Common families include RedLine and LummaC2.
Once a device is infected, here’s what attackers actually get.
Stealer Logs
Stealer logs are packages of data harvested by infostealer malware from infected devices. Each log represents one infected device and contains everything the malware extracted: the credentials and cookies from that victim’s machine. Millions of logs trade hands daily on infostealer channels, and they’re sold on dark web markets and Telegram channels, making them a major source of compromised credentials. They’re especially dangerous because they contain fresh credentials and active session tokens.
Session Token
A session token is a temporary authentication credential your browser stores after you log in. It proves you’ve already authenticated, so you don’t re-enter your password on every page. Infostealers capture these tokens, letting attackers hijack your active sessions.
Session Hijacking
Session hijacking happens when an attacker uses a stolen session token to take over your active session. Because the token represents a session that already passed authentication (including MFA), the attacker bypasses password and MFA requirements entirely.
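The session token and session hijacking definitions above describe the exposure; the following added example (not Breachsense code, and not any particular web framework's session API) shows the server-side controls that limit how useful a stolen token is: tokens are stored only as hashes, sessions expire on both an absolute and an idle timer, a token replayed from a different network and a different browser than it was issued to is revoked rather than honoured, and all of a user's sessions can be revoked at once when their device turns up in a stealer log. The in-memory store, the /24 and /64 network grouping and the timeouts are assumptions for the demo.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    network: str   # /24 (IPv4) or /64 (IPv6) the client logged in from
    ua_hash: str   # hash of the User-Agent string seen at login


class SessionStore:
    """Constructed in-memory session store; a deployment would keep the same fields
    in a server-side store such as a database or cache."""
    ABSOLUTE_LIFETIME = 8 * 3600  # re-authenticate at least every 8 hours
    IDLE_TIMEOUT = 30 * 60        # 30 minutes without activity ends the session

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a dump of the store can't be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _fingerprint(ip: str, user_agent: str) -> Tuple[str, str]:
        addr = ipaddress.ip_address(ip)
        bits = 24 if addr.version == 4 else 64  # coarse on purpose: tolerates NAT churn
        network = str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
        ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()[:16]
        return network, ua_hash

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        network, ua_hash = self._fingerprint(ip, user_agent)
        t = self._now()
        self._sessions[self._key(token)] = Session(user, t, t, network, ua_hash)
        return token

    def validate(self, token: str, ip: str, user_agent: str) -> str:
        """Return 'ok', 'expired', 'reauth_required' or 'invalid'.
        A token presented from both a different network and a different browser than
        it was issued to is treated as a likely replay of a stolen cookie: the session
        is revoked and the user has to log in (and pass MFA) again."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return "invalid"
        t = self._now()
        if t - sess.issued_at > self.ABSOLUTE_LIFETIME or t - sess.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[key]
            return "expired"
        network, ua_hash = self._fingerprint(ip, user_agent)
        if network != sess.network and ua_hash != sess.ua_hash:
            del self._sessions[key]
            return "reauth_required"
        sess.last_seen = t
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Revoke every session of a user, e.g. after their device appears in a stealer log."""
        keys = [k for k, s in self._sessions.items() if s.user == user]
        for k in keys:
            del self._sessions[k]
        return len(keys)
```

The context check deliberately requires both the network and the browser to change before revoking, so a laptop moving between networks keeps its session while a cookie lifted into an attacker's browser does not. The short idle timeout and the absolute lifetime bound how long a captured token remains valid even when the replay happens to look like the original client, and `revoke_user` is the hook a stealer-log alert should call.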
What Are Breach and Leak Terms?
These terms describe how data gets exposed.
Data Breach
A data breach is unauthorized access to and extraction of data from a system. Someone broke in, whether through stolen credentials or a vulnerability. Breaches are intentional and involve an attacker. See data breach examples for real cases.
Data Leak
A data leak is accidental data exposure. A misconfigured database left open to the internet. An employee emailing sensitive files to the wrong address. Leaks don’t involve an attacker breaking in. The data was simply left unprotected.
Ransomware Leak Site
A ransomware leak site is a website run by a ransomware gang where they publish data from victims who don’t pay the ransom. These sites are how attackers pressure companies into paying. Breachsense tracks over 100 groups on our ransomware gangs page.
Third-Party Breach
A third-party breach is when one of your vendors gets compromised, and your data is exposed as a result. You didn’t get breached directly. Your vendor did. But your credentials or files were in their systems. Third-party risk management monitors for this.
Exposed Database
An exposed database is a misconfigured server (often Elasticsearch or MongoDB) accessible on the open internet without authentication. Anyone who finds it can download the contents. Breachsense detects these before criminals do.
What Are Monitoring and Detection Terms?
These terms describe how security teams track and respond to threats.
Dark Web Monitoring
Dark web monitoring is the continuous, automated process of scanning criminal sources for your organization’s data. Unlike a one-time scan, monitoring runs 24/7 and alerts you when new data appears. See how Breachsense monitors the dark web for our full methodology.
Dark Web Scan
A dark web scan is a point-in-time check of your exposure. You enter a domain or email, and it checks existing breach data for matches. It shows what’s already leaked but won’t catch new exposures after the scan.
Attack Surface Management
Attack surface management (ASM) discovers and monitors your internet-facing assets. It finds forgotten subdomains, exposed services, and infrastructure targeting your brand. You can’t protect assets you don’t know about.
OSINT
OSINT stands for open source intelligence. It’s intelligence gathered from publicly available sources like forums and social media. In security, OSINT monitoring tracks criminal marketplaces and forums for mentions of your organization.
Indicators of Compromise (IOCs)
IOCs are evidence that a security breach has occurred. They include suspicious IP addresses and malicious file hashes. Security teams use IOCs to detect and investigate incidents.
Threat Intelligence
Threat intelligence is analyzed information about current and emerging threats. Raw data becomes intelligence when it’s processed and made actionable. A threat intelligence platform turns dark web data into alerts you can act on.
What Are Common Attack Terms?
These terms describe attack methods related to dark web monitoring.
Phishing Domain
A phishing domain is a lookalike website designed to steal credentials. Attackers register domains that look similar to yours and create fake login pages. When employees or customers enter their credentials, the attacker captures them.
Typosquatting
Typosquatting is registering domain names that are common misspellings of legitimate sites. If your domain is “example.com,” an attacker might register “exmaple.com.” Users who mistype your URL land on the attacker’s page instead.
Homoglyph Attack
A homoglyph attack uses characters that look identical to legitimate ones but are technically different. For example, replacing a Latin “a” with a Cyrillic “а” in a domain name. The URL looks correct to the human eye but resolves to a completely different server.
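The typosquatting and homoglyph definitions above both come down to one defender-side question: does a newly observed domain look like ours? This added example (not Breachsense code, and not the platform's detection logic) classifies candidate domains against a brand domain: punycode labels are decoded so the Unicode characters are visible, confusable characters are folded onto their Latin lookalikes, and a Damerau-Levenshtein distance catches the transposition and single-character misspellings typosquatters rely on. The confusables table is an illustrative subset built for the demo, not the Unicode confusables list, and the brand domain is assumed to be lowercase.

```python
import unicodedata
from typing import Dict, List

# Constructed, deliberately small table of lookalikes. A production check would use the
# full Unicode confusables data; these entries are enough to show the technique.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
    "0": "o",       # digits that read as letters in many fonts
    "1": "l",
}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs become visible; ASCII passes through."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Fold each character onto its Latin lookalike and strip diacritics (NFKD)."""
    out = []
    for ch in to_unicode(domain):
        ch = CONFUSABLES.get(ch, ch)
        decomposed = unicodedata.normalize("NFKD", ch)
        out.append("".join(c for c in decomposed if not unicodedata.combining(c)))
    return "".join(out)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, brand: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'homoglyph', 'typosquat' or 'unrelated' for one candidate."""
    if to_unicode(candidate) == brand:
        return "legitimate"
    folded = skeleton(candidate)
    if folded == brand:
        return "homoglyph"   # identical once lookalike characters are folded
    if damerau_levenshtein(folded, brand) <= max_distance:
        return "typosquat"   # a misspelling within a couple of edits
    return "unrelated"


def scan(candidates: List[str], brand: str) -> Dict[str, str]:
    """Classify a batch of observed domains (e.g. from certificate transparency or DNS feeds)."""
    return {c: classify(c, brand) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates: the brand itself, a transposition, a Cyrillic 'а', and its punycode form.
    sample = ["example.com", "exmaple.com", "ex\u0430mple.com",
              "ex\u0430mple.com".encode("idna").decode("ascii"), "breachsense.io"]
    for domain, verdict in scan(sample, "example.com").items():
        print(f"{domain:32} {verdict}")
```

Folding before measuring distance matters: a Cyrillic "а" is a completely different code point, so raw string comparison or edit distance alone would report the homoglyph as a single substitution and rank it no differently from a random typo. Running the skeleton comparison first makes the zero-visual-difference case stand out as its own category, which is the one that deserves the fastest takedown request.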
Initial Access Broker
An initial access broker (IAB) is a criminal who specializes in breaking into networks and selling that access. They don’t deploy ransomware or steal data themselves. They sell the entry point to whoever pays. When an IAB lists your organization’s access for sale, ransomware is often weeks away.
Ransomware Gang
A ransomware gang is a criminal group that encrypts victim data and demands payment for the decryption key. Many also steal data before encrypting it and threaten to publish it on leak sites. You can browse active groups on our ransomware gangs page.
Conclusion
This page covers the core terminology used across the Breachsense platform and site. Knowing these definitions helps you evaluate monitoring tools accurately and understand exactly what’s being detected.
Key takeaways:
- Dark web infrastructure terms describe where compromised data gets bought and sold
- Credential threats describe how stolen logins get weaponized against you
- Stealer logs are the fastest-growing source of compromised credentials
- Monitoring means continuous. A scan is a one-time snapshot.
For details on what Breachsense specifically monitors, see our methodology page. To check your current exposure, run a dark web scan.
Terminology FAQ
What is the difference between a data breach and a data leak?
A data breach involves unauthorized access. Someone broke in and stole data. A data leak is accidental exposure from a misconfigured database or careless employee. Both put your data at risk, but they come from different causes and need different responses.
How are stealer logs different from data breaches?
Data breaches expose credentials from compromised servers. Stealer logs come from individual infected devices. Third-party breach data is often months or years old. Stealer logs contain fresh credentials harvested in real-time, and they often include session tokens that bypass MFA.
Can stolen session tokens bypass MFA?
Yes. Session tokens represent sessions that already passed MFA. If an attacker steals a valid session token from a stealer log, they can hijack that session without needing the password or MFA code. That’s why monitoring for stolen tokens matters as much as monitoring for passwords.
What is the difference between a dark web scan and dark web monitoring?
A dark web scan is a one-time check. It shows you what’s exposed right now. Dark web monitoring runs continuously and alerts you when new data appears. Think of it as a snapshot versus a security camera.
What is an initial access broker?
An initial access broker is a criminal who breaks into networks and sells that access to other attackers. They don’t deploy ransomware themselves. They sell the entry point to ransomware gangs who do the rest. Monitoring for IAB activity gives you early warning before ransomware hits.
How do combo lists relate to credential stuffing?
Combo lists are the ammunition. Credential stuffing is the attack. Criminals compile username-password pairs from multiple breaches into combo lists. Then they use automated tools to test those credentials across other sites, betting that people reuse passwords.
Why do vendors define these terms differently?
Vendors use these terms differently. Some call everything a ‘breach.’ Others conflate stealer logs with combo lists. Understanding the distinctions helps you evaluate what a platform actually monitors versus what it claims to cover.
