A monitoring tool from Kraft Kennedy

CredentialWatcher by Kraft Kennedy is a monitoring tool that parses publicly available records to identify whether someone in your firm has been implicated in a breach. If a user’s credentials or personal information have been compromised in a breach, we will notify you.

LinkedIn, Adobe, Dropbox—these are a few of the popular websites that have recently suffered major data breaches, and it’s likely that somebody in your firm signed up for one of them using a work email account. Hackers trade and exploit such data to gain privileged access to organizations’ assets.

CredentialWatcher alerts both the individual and the administrator responsible for cybersecurity at your firm in the event of a breach. While the primary focus of CredentialWatcher is your firm’s security, we can also, if requested, include personal accounts in our monitoring.

Contact us to sign up. 


What is a breach?

A breach occurs when a database of personal account information is hacked and made public.

What is a level 1, 2, and 3 breach?

To help you decide how to respond to a breach, we have categorized them into three levels:

Level 1 (Critical) – We designate Level 1 breaches as “critical” because these include usernames and passwords. Exposure of these credentials presents the most risk for firms. Implicated users should review their accounts at the breached site and change their passwords. If the same username/password combination is in use at other sites—whether it be your firm’s corporate network, or Gmail, Amazon, etc.—those should be changed as well.

Level 2 – These breaches do not implicate passwords but do expose potentially sensitive information that users may want to keep private. Kraft Kennedy advises that users review the details of the breach and consider the potential implications of having this information available in the public domain.

Level 3 – These breaches do not involve passwords. Users should be aware, however, that the released data may include personally identifiable information.

How Often Should We Change Our Passwords?

We recommend to our clients that they change their passwords every one to three months. Periodic password changes limit the window of time during which hackers can exploit credentials that have been illegally obtained and publicized.

We also advise that firms mandate a minimum password length and require users to cycle through a minimum number of unique passwords before reusing them. Advise your employees not to use the same passwords across various platforms, especially the ones they use for their professional accounts. Password manager products can be helpful for keeping track. As with other security precautions, it is up to you to determine the balance of security and convenience your firm is comfortable with.

Contact us if you have further questions about cybersecurity best practices. Kraft Kennedy’s security analysts are leaders in their fields and can help you with policies, prevention, remediation, and awareness training.

Can CredentialWatcher be used for non-business accounts?

Yes. CredentialWatcher will only monitor the email accounts and usernames that you supply. You can choose to provide all or some of your firm’s emails as well as personal accounts and usernames (e.g., Gmail, Yahoo!, Instagram).

What does it mean that a breach is “sensitive”? Will you report sensitive breaches?

About 10% of breaches are categorized as “sensitive.” We will only monitor these if you request that we do so for firm emails (no personal emails). This will require Kraft Kennedy to have administrator access to your domain.

Why does CredentialWatcher point out if a breach happened more than two years ago?

While it’s important to be aware of older breaches, especially because the information gleaned from them may have been released into the public domain recently, it is likely that you have changed your password since the breach occurred, or in some cases have been required to do so by the website itself. We point this out so that users can be aware of the breach and review their accounts accordingly without causing undue alarm.

I would like more information.

Feel free to contact us for more information or to try out CredentialWatcher.