Introduction
HackNotice’s End User Credential Monitoring service helps organizations protect their executives, customers, employees, contractors, and other high-value users from identity-driven threats. By continuously monitoring the dark web for compromised credentials and exposed personal information, the service enables proactive defense against:
Account takeover (ATO)
Spear-phishing and social engineering attacks
Identity theft and fraud
Unauthorized access to business systems
Abuse of leaked API keys, authentication tokens, and account numbers
This service is designed to safeguard the people and assets most important to your organization—before threat actors can weaponize their information.
Helpful Links:
For common operational examples, see the End User Monitoring Playbook (link).
To visualize aggregated exposure trends for your monitored users, refer to the End User Dashboard article (link).
To customize and filter your alerts, utilize the Tiers functionality at Business → Account → Tiers (reference article).
Managing Your End User Watchlist (Business → End User → Watchlist)
The Watchlist is where you add the identifiers you want HackNotice to monitor for dark web exposure. An identifier can be:
Email address
Username
Phone number
API key
Authentication token
Account number
Or any sensitive string tied to an individual or system
Adding an Identifier
On the Watchlist page, enter the identifier into the “Enter value” field under Add End User.
Click Add.
Optionally, assign tags to the identifier (you can add as many as needed).
Tags are especially useful for:
Linking multiple identifiers to a single person (e.g., one user with 5 emails/usernames)
Routing alerts to different teams
Organizing identifiers by department, business unit, or customer account ID
Once added, identifiers appear immediately in the Watchlist.
Note: Please allow up to 4 hours for newly added identifiers to populate historical results on the Timeline. All future exposures will appear in real time.
End User Timeline (Business → End User → Timeline)
Once your Watchlist is configured, the Timeline displays all historical and newly discovered exposures tied to your monitored identifiers.
What to Expect
All historical dark web records associated with your identifiers will populate automatically.
New exposures appear instantly and trigger notification workflows (email, push, or API depending on your settings).
You may experience a short delay (up to 4 hours) for initial backfill after adding a new identifier.
The Timeline layout and functionality work exactly like the First Party timeline experience. For reference, see the First Party Timeline article (link).
Exploring an Alert
Click any alert to open the detailed alert view. Each alert includes:
The identifier that triggered the alert
The detection and file dates
The original dark web file name (Leak Name)
All exposed information related to your term
Metadata such as IP addresses, phone numbers, reset answers, locations, device details, etc., when present
HackNotice does not filter or remove metadata—if it was in the original collected file, you see it. This ensures teams can assess exposure severity and evaluate phishing, impersonation, or ATO risks with full context.
To customize and filter your alerts, utilize the Tiers functionality at Business → Account → Tiers (reference article).
Sharing Alerts
Use the Share Alert (article link) option to securely share an alert with colleagues or external partners—even if they do not have a HackNotice account. This is particularly helpful for:
Helping an exposed customer reset credentials
Alerting an executive assistant or security team
Coordinating with a vendor or managed service provider
Summary
The End User Monitoring Service provides continuous, actionable visibility into compromised identities across your customer base, workforce, executives, and partners. With real-time alerts, easy Watchlist management, detailed Timeline insights, and strategic reporting via the End User Dashboard, your organization can detect and respond to credential exposures before they escalate into security incidents.