On 4 July 2024, a user operating under the handle "ObamaCare" posted a compilation to BreachForums containing roughly ten billion unique plaintext passwords, assembled from more than 4,000 breaches stretching back two decades. The file was named RockYou2024. Most coverage focused on the password count. The more consequential detail sat one layer beneath: the same actor had been posting and reselling non-credential datasets — employee records, conference attendee lists, student applications — for weeks prior. The passwords were the headline. The surrounding personal data was the product.
This article is about that product. It is about what happens when a breach notification tells you "no passwords were exposed" and why, for anyone with an executive title, the absence of credentials is not the reassurance it sounds like. We call the resulting artefact an identity pack: a cross-referenced profile assembled from several low-value leaks, accurate enough to drive wire fraud, travel-based approaches, and convincing impersonation of people the target already trusts. For a broader view of how identity exposure plays out at the executive layer, our Executive Digital Privacy hub collects the full series.
The "no credentials leaked" fallacy
Breach notifications are written by lawyers. The first paragraph almost always mitigates: no Social Security numbers, no financial data, no passwords. Sometimes that is true. More often, it is true only in the narrow sense that the specific high-severity field was not in this particular leak.
The reassurance obscures a different question. Not "what was in this breach," but "what does this breach add to everything already out there." An email address on its own is low-signal. An email address tied to a specific hotel chain, a specific travel window, a specific dietary requirement, and a specific corporate title becomes something else. Each breach is a tile. Targeting is built from the mosaic.
The Campbell Conroy & O'Neil ransomware incident disclosed in July 2021 is a useful reference point. The firm advised Ford, Boeing, Honda, General Motors, British Airways, and other Fortune 500 defendants in product liability matters. The data accessible in the intrusion included names, dates of birth, driver's licence numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, and biometric data. The press coverage framed it as a law firm breach. Operationally, it was a pre-built identity pack on a population of executives, witnesses, claimants, and counsel.
What a low-value breach actually contains
When a public breach disclosure says "limited personal information," the fields most often in scope are:
- Partial or full name, and variants (given name, preferred name, historical surname)
- Email address — usually the most durable pivot attribute an attacker has
- Mobile and office phone numbers
- Date of birth, or year and month
- Employer and job title at time of capture
- Physical city or region, sometimes full address
- Travel dates, booking references, loyalty programme numbers
- Purchase records and transaction metadata
- Device fingerprints, IP at time of interaction, browser user-agent
- Dietary requirements, accessibility needs, seating preferences
- Family member names (from genealogy, shared-plan, or beneficiary fields)
- Assistant or executive-assistant contact details (from conference registrations and travel bookings)
None of these fields is a credential. Each is "non-sensitive" in the language of the notification letter. In aggregate they are the raw material of a targeted approach.
The enrichment pipeline
The technique of combining breaches to build a profile is not new. Compilations such as Collection #1, COMB, and RockYou2024 exist precisely to make this work faster. The process is straightforward enough that it is used by both offensive and defensive analysts, and the steps are the same in either direction.
It starts with a seed identifier — typically an email address or phone number. The seed is checked against every accessible breach corpus. Each match adds fields. The resulting set is validated against public records: companies registry data, professional directories, property records, court filings, social media. Where the public record confirms something the breach data also contains, confidence rises. Contradictions get pruned.
Email is the primary key because it survives. People change employers; personal email addresses persist across a decade of breaches. Phone number is the secondary key — useful for collapsing duplicate records and for validating that two "John Smiths" are in fact the same person. A physical address, particularly a long-held home address, is the validator that ties the digital identity to a real person.
For a picture of how this pivoting looks when investigators do it legitimately, see our write-up on what a paid investigator sees in a standard OSINT pass. The attacker toolkit is not meaningfully different.
A worked example: family-office director
The following is a synthetic composite. No real individual or firm is being described. The point is to make the mechanics concrete.
Imagine a director at a mid-sized European family office. Four breach sources, each "low-value" in isolation:
Source A — boutique legal CRM. A small law firm that handles trust restructuring suffers a ransomware incident. The stolen CRM export includes client contact cards: partial name, work email, firm name, matter category. Nothing that would trigger a mandatory notification under most thresholds. The director appears as "D. [Surname], Director, [Family Office]."
Source B — luxury hotel chain. A loyalty-programme breach. Full name, mobile number, passport country, frequent destinations, dates of past stays, next confirmed reservation in six weeks' time. Published sample leaked to Telegram.
Source C — industry conference registration. An event organiser's WordPress CMS is compromised. Attendee records include title, employer, badge name, assistant's email (because the assistant registered the principal), dietary requirement (kosher), and a private dinner RSVP.
Source D — genealogy service. A DNA-testing company is breached. Surname, home region, family tree with named siblings and an adult child, approximate age bracket.
Individually, each leak would produce a notification letter emphasising the absence of passwords and financial data. Combined, an analyst has:
- A verified executive identity with firm affiliation and matter exposure
- A known forward travel window to a specific city, with hotel
- A named assistant and a convincing pretext (the conference, the dinner)
- A dietary signal that narrows impersonation risk in a restaurant approach
- Family-tree context that makes a "your son has been in an accident" vishing call survivable for longer than it otherwise would be
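The enrichment pipeline described above and the four-source composite in this example, as an added Python illustration that is not from the original article: it links constructed breach records on normalised email and phone, merges them into a composite that records which source fed each field, and scores which pivot attribute holds the pack together, the question exposure-mapping work needs answered before any record is suppressed. Every name, address and number below is constructed.

```python
from collections import defaultdict

# Constructed sample: four synthetic leaks about one fictitious director plus an unrelated guest.
BREACH_RECORDS = [
    {"source": "legal_crm", "email": "D.Surname@FamilyOffice.example",
     "title": "Director", "employer": "Family Office", "matter": "trust restructuring"},
    {"source": "hotel_loyalty", "email": "d.surname@familyoffice.example",
     "phone": "+41 79 123 45 67", "next_stay": "Zurich 2024-08-19"},
    {"source": "conference", "phone": "0041791234567", "title": "Director",
     "assistant_email": "pa@familyoffice.example", "dietary": "kosher"},
    {"source": "genealogy", "phone": "+41791234567", "region": "Geneva",
     "family": "sibling E. Surname; adult child F. Surname"},
    {"source": "hotel_loyalty", "email": "someone.else@example.net",
     "phone": "+44 20 7946 0000", "next_stay": "London 2024-09-02"},
]
PIVOT_KEYS = ("email", "phone")  # email survives employer changes; phone collapses duplicates

def normalise(key, value):
    """Canonicalise a pivot value so spelling variants collide (case, spacing, 00 vs +)."""
    if key == "email":
        return value.strip().lower()
    return "+" + "".join(ch for ch in value if ch.isdigit()).lstrip("0")

def link_records(records, keys=PIVOT_KEYS):
    """Cluster records transitively: any shared normalised pivot value joins them."""
    clusters = []  # each entry: (set of (key, value) tokens, list of member records)
    for rec in records:
        tokens = {(k, normalise(k, rec[k])) for k in keys if k in rec}
        hits = [c for c in clusters if c[0] & tokens]
        for toks, _ in hits:
            tokens |= toks
        members = [r for _, recs in hits for r in recs] + [rec]
        clusters = [c for c in clusters if c not in hits] + [(tokens, members)]
    return [recs for _, recs in clusters]

def build_pack(cluster):
    """Merge a cluster into one composite, recording which source supplied each value."""
    pack = defaultdict(set)
    for rec in cluster:
        for field, value in rec.items():
            if field != "source":
                pack[field].add((rec["source"], value))
    return {field: sorted(vals) for field, vals in pack.items()}

def pivot_strength(cluster, keys=PIVOT_KEYS):
    """Records cut loose per suppressed key: the top scorer is what holds the pack together."""
    def without(key):
        return [{k: v for k, v in r.items() if k != key} for r in cluster]
    return {key: len(cluster) - max(len(c) for c in link_records(without(key), keys))
            for key in keys}
```

On these records four of the five rows collapse into one composite and the phone number scores as the stronger pivot, so it is the attribute to suppress first.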
This is the identity pack. It is not theoretical. It is what FireEye documented in 2014 when they named the group FIN4: actors targeting more than a hundred firms, roughly 20% of them legal and M&A advisors, building dossiers on C-suites and counsel specifically to trade ahead of market-moving events. It is the same methodology Kaspersky has tracked under DeathStalker since 2018 — a hack-for-hire operation whose explicit client brief is cyberespionage against law firms, fintech companies, and financial advisors.
What the identity pack enables
The pack is not an end in itself. It is the precondition for a short list of specific operations.
Whaling and direct executive phishing. With title, employer, calendar context, and a known vendor relationship, a phishing email stops looking like phishing. Our earlier piece on whaling reconnaissance and data removal walks through the reconnaissance ladder in detail.
Assistant-targeted spear phishing. The assistant is often easier to reach and operates under time pressure. An email purporting to come from the principal, routed through a look-alike domain, referencing a real meeting that is really on the calendar, is materially harder to refuse.
CEO fraud and wire fraud. The FBI's Internet Crime Complaint Center attributed $2.9 billion in 2023 losses to business email compromise alone. The cumulative figure through mid-2024 stood at more than $55 billion. Identity-pack quality is the difference between a generic CEO-fraud email that gets ignored and one that names the counterparty, the deal, and the closing date.
Vishing with context. A voice call referencing genuine details — the school the daughter attends, the investment manager's first name, the trip last month — bypasses the reflex to hang up. The caller does not need to know everything. They need to know enough to create the impression they could.
Travel-based approaches. Physical proximity is a capability an attacker rarely has by accident. Known travel dates convert it into a capability they can plan.
Family pressure vectors. Kidnap-for-ransom and virtual kidnapping scams depend on contextual accuracy about family members. Genealogy breaches have made this accuracy a commodity.
If your name appears in a boutique legal or advisory CRM, the exposure you care about is not in that one breach — it is in the composite. A Mirror engagement maps what the composite currently contains.
Why small-office breaches are gold
The Grubman Shire Meiselas & Sacks incident in May 2020 is the clearest public example of the boutique-law-firm pattern. The REvil affiliate exfiltrated 756 GB of internal files and demanded $21 million, later doubling the demand. The firm's client roster spanned entertainment figures and major media and technology clients. The firm occupied a few floors of a Manhattan office building, with a roster that would have been at home at a top-five firm. Its internal security posture was sized for the office, not the roster.
This is the structural problem. High-net-worth individuals cluster in boutique firms by preference — smaller teams, higher discretion, partner-level attention. Those same attributes correlate with:
- Under-reporting. Many small-office breaches fall below mandatory disclosure thresholds, or are handled through confidential insurance channels. They do not reach the attacker-intelligence dataset the way large breaches do, but the data still exfiltrates.
- Minimal in-house security capability. The Mossack Fonseca intrusion in April 2016, which produced the 11.5 million-document Panama Papers release, was made possible by an unpatched WordPress Revolution Slider plugin and Drupal weaknesses on the firm's public-facing site. The firm ultimately closed. Most boutique firms operate the same way Mossack Fonseca did in 2016.
- High trust-to-control ratio. A partner handling a restructuring has sensitive inbox contents and limited willingness to tolerate security friction.
- Concentrated verticals. Wealth management, family office administration, and trusts-and-estates practice are the three verticals with the highest signal-to-noise for HNWI identity data per compromised system.
Deloitte's 2024 Family Office Cybersecurity Report put the numbers on the pattern. Forty-three per cent of family offices globally reported a cyberattack in the preceding 12 to 24 months. The figure rose to 57% in North America and 62% for offices managing more than a billion dollars in assets. Ninety-three per cent of victims were hit via phishing.
The Clop group's exploitation of the MOVEit file-transfer vulnerability, which began on 27 May 2023, eventually reached more than 2,700 organisations and the personal data of roughly 93 million people. Law firms appeared among the defendants in the consolidated Massachusetts proceeding, not because law firms were specifically targeted, but because they used the same managed file-transfer tool as everyone else. The point is not that law firms are the primary victim. The point is that they are consistently somewhere in the victim list, and that each incident adds tiles to the mosaic.
The defensive gap
Most executive privacy programmes we audit are built around credentials. Password managers, multi-factor authentication, dark-web monitoring services that alert when a password appears in a paste. This is necessary and it is not sufficient. It addresses the smallest slice of what the attacker is actually assembling.
Credential monitoring — including stealer-log services — is oriented toward finding username/password pairs. Our piece on stealer logs and infostealer malware covers the economics and the coverage gaps in detail. Stealer logs do catch some PII — autofill data, form inputs — but the enrichment pipeline pulls from a much broader set of sources: corporate directories, conference registrations, loyalty programmes, genealogy and health services, data-broker resale. None of those sit in the services an executive would typically subscribe to. The mosaic is built in blind spots.
The practical consequence is that an executive can receive a clean HIBP report and still be walking around with a complete identity pack on them. Our earlier analysis of the mosaic effect in OSINT expands on the distinction between credential exposure and composite exposure.
This is also why we operate on a 48-hour cryptographic deletion policy for case findings and a 30-day retention ceiling for contact data. A professional services firm that retains client records indefinitely is building the exact asset the attacker community is looking for. The industry norm is to retain; our data purge policy is designed so that we are not that asset.
What to do
The defensive response to identity-pack risk has four components, none of which is purely technical.
Exposure mapping. Before any control is useful, an executive needs to know what the current composite actually contains. This is the scope of our Mirror service: assemble what a capable adversary would, with the same sources and the same sequence, and deliver it as a written briefing. The finding is usually less about which breach appeared and more about which pivot attribute holds the profile together. Breaking the pivot is cheaper than suppressing every record.
Vendor breach disclosure auditing. Small-office breaches often surface in litigation filings, state-AG notifications, or client-only letters rather than mainstream press. A structured review of law firms, wealth managers, conference organisers, and travel vendors the executive has used over the previous five years will typically surface at least two disclosed incidents that the executive does not remember receiving notification for.
Family and assistant exposure assessment. The attack path is frequently the staff, not the principal. Any executive privacy assessment that excludes the executive assistant, the spouse's email account, and the adult children's social media footprint is measuring the wrong surface. Our work on executive doxxing prevention in Europe discusses the family-surface question in more detail.
Longitudinal reduction and monitoring. Once the composite is mapped, reducing it is not a one-time exercise. Data brokers relist. New breaches add tiles. Structured removal and continuous monitoring are the scope of the Eraser engagement and of ongoing retainer work. For organisations, a corporate credential and leak assessment captures the staff layer.
Frequently Asked Questions
Can non-credential data really enable a targeted attack?
Yes. The Mandiant-documented FIN4 campaigns in 2014 used data accessible on corporate advisory relationships to build phishing pretexts credible enough to extract insider M&A information from more than a hundred firms. No password was the starting point. Identity context was. The same pattern has been documented by Kaspersky under the DeathStalker name, targeting law firms and financial advisors, since 2018.
What is the difference between a data breach and an identity pack?
A breach is a single incident against a single organisation, producing one dataset. An identity pack is the aggregated, cross-referenced profile of a specific person, assembled from multiple breaches plus public records. A breach is a raw input. An identity pack is the analytical output. Notification letters describe breaches; attackers operate on packs.
How do I know if my executive identity data has been aggregated?
The short answer is that you do not — credential-focused monitoring services such as HIBP are not designed to detect aggregation. A Mirror engagement reconstructs what an adversary would assemble using the same techniques: breach-corpus pivots, public-records validation, and structured OSINT. The output is the composite itself, and the specific pivot attributes holding it together, so that reduction work can be targeted.