Stolen credential databases have grown to staggering scale — some collections contain billions of username-password pairs harvested from years of infostealer malware operations, phishing campaigns, and data breaches. For an attacker targeting a specific company, sifting through this volume of data was historically a significant operational barrier.
That barrier is collapsing. Threat intelligence firm Flare has documented an emerging underground market segment that offers targeted credential search as a paid service — allowing attackers to query stolen credential databases for specific companies, domains, or individual accounts without having to acquire or process the raw data themselves.
How the Market Works
The "Search Your Target" model operates similarly to legitimate data enrichment services — except the underlying datasets are entirely stolen. Underground services in this space typically offer:
- Domain-based queries: "Show me all credentials where the email domain is @targetcompany.com"
- Company-specific searches: Targeting employees of a named organization across multiple breach datasets
- Account lookups: Verifying whether specific email addresses appear in breach data, often with associated passwords or session tokens
- Bulk packages: Purchasing all available credentials for a given target domain
Pricing varies by service and scope. Some services offer individual queries for a few dollars; targeted bulk packages for specific organizations can run into hundreds of dollars. The economic model mirrors legitimate SaaS — the service handles infrastructure, aggregation, and search; the customer just pays per query.
The Data Underneath
These services draw from multiple sources that have been pooled and indexed by criminal aggregators:
- Infostealer logs: Data harvested by malware like RedLine, Raccoon, Vidar, and LummaStealer from compromised machines, including saved browser credentials, session cookies, and authentication tokens
- Historical breach data: Records from major breaches dating back years, often including plaintext or weakly-hashed passwords
- Phishing kit captures: Credentials harvested by phishing-as-a-service platforms like Tycoon 2FA and Kali365
The quality and recency of the data vary significantly by service, but even older credential sets retain value when employees reuse passwords or when session tokens haven't been invalidated.
Why This Matters for Enterprise Security
Targeted Attacks Become Cheaper
Previously, a threat actor targeting a specific mid-size organization might need to acquire large breach dumps, set up infrastructure to process them, and dedicate time to filtering relevant records. The "Search Your Target" model collapses this to a simple query. The operational cost of a targeted credential attack is now close to zero for anyone willing to pay a few dollars.
Work Email Addresses Are Particularly Dangerous
Employees who have registered work email addresses on external services — social media, gaming platforms, shopping sites, or any of the thousands of smaller services that have been breached — may have those credentials indexed in these databases. Even if the password used on the external site isn't the same as their work password, it may reveal patterns that enable password guessing, or the email address itself may be enough to trigger spear-phishing.
Session Tokens Are More Dangerous Than Passwords
A significant portion of modern infostealer captures includes session tokens rather than just passwords. A valid session token for a SaaS platform, cloud console, or internal tool doesn't require knowledge of the password and can bypass MFA entirely. These tokens have shelf lives — they expire when the session ends or the user logs out — but in many environments they remain valid for days or weeks.
Identity Is the New Perimeter
The existence of this market is further evidence that the concept of a network perimeter has become secondary to identity. An attacker who can purchase valid credentials for your environment doesn't need to exploit a vulnerability or deliver malware — they can simply log in.
Defensive Recommendations
For Security Teams
- Subscribe to breach intelligence services — Tools like Have I Been Pwned's API, Flare, Recorded Future, or SpyCloud can alert you when employee credentials appear in breach data, enabling proactive password resets
- Deploy phishing-resistant MFA — FIDO2/passkeys are resistant to session token theft via standard phishing; SMS and TOTP are not
- Implement session token management policies — Set shorter expiry windows for sensitive applications; require re-authentication for high-privilege actions
- Monitor for impossible travel and anomalous logins — Identity providers like Entra ID and Okta can flag sign-ins from unusual locations or devices that don't match a user's historical patterns
- Audit external SaaS registrations — Policies limiting use of work email addresses for non-work services reduce the credential exposure surface
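The impossible-travel and anomalous-login monitoring recommended above can be prototyped against exported sign-in logs. The following is an added example, not code from Flare or any identity provider. The event fields, the 900 km/h speed threshold, and the 100 km jitter floor are assumptions, and the sign-in events are constructed.

```python
import math
from datetime import datetime

# Constructed sign-in events: (user, ISO time, lat, lon, device id, session id).
EVENTS = [
    ("alice", "2026-01-10T08:00:00", 40.71, -74.01, "dev-a1", "sess-1"),  # New York
    ("alice", "2026-01-10T09:30:00", 40.73, -73.99, "dev-a1", "sess-1"),  # New York
    ("alice", "2026-01-10T10:00:00", 52.52, 13.40, "dev-zz", "sess-1"),   # Berlin, same session
    ("bob",   "2026-01-10T08:00:00", 51.51, -0.13, "dev-b1", "sess-2"),   # London
    ("bob",   "2026-01-10T20:00:00", 48.86, 2.35, "dev-b1", "sess-3"),    # Paris, 12 h later
]

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events, max_kmh=MAX_KMH):
    """Return (user, time, reason) alerts for impossible travel and session reuse."""
    alerts, last_seen, session_device = [], {}, {}
    for user, ts, lat, lon, device, session in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev:
            hours = (when - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], prev[2], lat, lon)
            # Ignore short hops (GeoIP jitter); flag speeds no traveller could reach.
            if km > 100 and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, ts, "impossible_travel"))
        # A session first seen on one device that appears on another suggests token replay.
        first_device = session_device.setdefault((user, session), device)
        if first_device != device:
            alerts.append((user, ts, "session_on_new_device"))
        last_seen[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second rule matters because a replayed session token never produces a fresh password or MFA event, so the session identifier itself has to be tracked across devices.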
For Individuals
- Use a password manager and never reuse passwords across services
- Enable passkeys wherever supported — they cannot be phished or captured by infostealer malware in the traditional sense
- Periodically check your email addresses against breach notification services
- Log out of sessions on devices you don't regularly use — this invalidates any stolen session tokens
The Broader Picture
The "Search Your Target" market is a symptom of a larger structural problem: the sheer volume of stolen credentials has made traditional authentication fundamentally insecure for any organization that hasn't moved beyond username-password login. The attack surface isn't a vulnerability in any one system — it's the aggregate of every service an organization's employees have ever used with a work email address.
This is the threat model that makes credential hygiene, MFA enforcement, and breach monitoring not optional security nice-to-haves, but baseline operational requirements in 2026.