The Lockdown answers one question: based on what is circulating right now, which of your accounts are at realistic risk of takeover — and exactly what to do about each one.
What the Lockdown addresses
Most credential compromise is invisible at the moment it matters. A breach at a retailer, an employer, a platform you use — the data leaves that organisation's systems, enters a market, and begins circulating. You may be notified weeks or months later, or never. By the time you know, the credential has often already been tested against your other accounts.
This is not an automated scan. It is a human-led investigation into what is actively circulating — and what it puts at risk.
The Lockdown investigates publicly known and client-provided exposure indicators. Active malware analysis, incident response, and criminal investigations fall outside its scope and are referred to specialist partners.
How takeover actually happens
Account takeover does not require sophisticated hacking — it requires a credential that works. Three routes in.
Credential replay. A breach database or stealer log contains your email and the password you used at the time. If you reused that password elsewhere — SpyCloud's 2026 analysis puts reuse at 51% of accounts — the attacker does not guess. They enter the credential and the login succeeds.
Session cookie theft. Infostealers copy the session cookies that keep you logged in. A stolen cookie needs neither your current password nor your MFA — it presents as an already-authenticated session. Changing your password afterwards does not invalidate cookies copied before you knew.
The password-reset chain. Access to an inbox — current or abandoned — opens every account that accepts a reset to that address. Old inboxes are the specific risk: an address you stopped using may still be the registered contact for banking, SaaS, or a former employer.
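The session-cookie route above, seen from the server side, as an added example that is not part of this page or the Lockdown service: a constructed toy session store in which a password change alone leaves earlier-copied cookies valid, beside the hardened variant that binds every session to a password generation so rotation revokes them. All names (`SessionStore`, `bind_to_generation`) and the generation mechanism are illustrative assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    generation: int = 0  # incremented on every password rotation

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Constructed toy session store. bind_to_generation=False keeps a cookie
    valid after a password change (the gap described above); True ties each
    cookie to the account generation it was issued under, so rotation revokes
    every cookie copied earlier."""

    def __init__(self, bind_to_generation: bool):
        self.bind_to_generation = bind_to_generation
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, tuple[str, int]] = {}  # cookie -> (user, generation)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str | None:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, _hash(password, acct.salt)):
            return None  # wrong credential: no session issued
        cookie = secrets.token_urlsafe(32)  # opaque identifier; this is what a stealer copies
        self.sessions[cookie] = (user, acct.generation)
        return cookie

    def rotate_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new_password, acct.salt)
        if self.bind_to_generation:
            acct.generation += 1  # every cookie issued before this point is now stale

    def is_authenticated(self, cookie: str) -> bool:
        entry = self.sessions.get(cookie)
        if entry is None:
            return False
        user, issued_gen = entry
        return not self.bind_to_generation or issued_gen == self.accounts[user].generation
```

Real deployments achieve the same effect by deleting all of a user's server-side sessions on rotation or by checking a per-user version claim in signed tokens; the generation counter here is the smallest illustration of that check.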
Why your history extends your exposure surface
Your exposure does not begin and end with your current passwords. Every employer is a potential breach source — corporate dumps circulate long after an incident and often contain credentials never named in a public notification. Every platform you ever registered with a personal email has contributed to a profile that may have changed hands many times since.
The exposure surface is the sum of everything registered to your email addresses — including those you no longer use or have forgotten you own. A Lockdown investigation maps what is identifiable across it.
Discreet by default. Data purged after delivery.
Anonymous enquiries and aliases are accepted, and all communications are encrypted. Case findings are cryptographically deleted within 48 hours of final delivery.
Four data surfaces most self-directed searches cannot reach — and for each finding, a classification that tells you whether it is an active risk or just noise.
What we examine
For each surface the finding type matters as much as the presence: an isolated email mention carries different risk from a live credential pair, and a session token carries different risk again.
Beyond Have I Been Pwned — multiple breach corpora and raw dump indexes that draw from a far broader source set, including corporate-tier dumps.
Recent infostealer output — browser-saved passwords, session cookies and tokens traded on channels HIBP does not index.
Older credential circulation in closed forum threads and paste repositories — mapping the identifiable history of your exposure.
Employer breaches cross-referenced against your history — where a previous employer's dump becomes your personal account risk.
What a finding means
Not every match is an active risk. The Lockdown does not assume every leaked credential is still live — its purpose is to determine what is exposed, what still matters, and what to do next. The investigation classifies each finding into one of four states.
A live credential pair or session token creating a direct login path to a current account. Immediate action.
A reused-password pair, or an address still an active reset route. Action required within days.
An old credential for a password you no longer use, or a closed address. Logged, no immediate action.
A mention without a usable credential, or a dataset too low-confidence to act on. Noted for context.
What we produce
| Deliverable | What it contains |
| --- | --- |
| Credential Exposure Report | Every circulating reference: source, data type (email / credential pair / session token), estimated capture date, and the accounts it puts at risk — classified by the four states. |
| Account Risk Assessment | For each active or at-risk finding, the specific accounts exposed, why that credential creates access, and what an attacker's entry path looks like. |
| Personalised Action Plan | An Immediate / Short-Term / Long-Term list — specific steps per account based on what was found and which authentication methods fit your situation. |
The Lockdown does not end with a list of problems. It ends with a step-by-step action plan — specific to what was found, ordered by urgency, written for the accounts you actually hold.
What changes
For every active or at-risk finding: what to do, on which account, in which order, and why the sequence matters. Not "change your passwords" — the specific credential to rotate.
Per-account instructions
If a reused pair was found, the instruction walks each likely-affected account. If a session token was found, it covers invalidating active sessions — not just a password change.
Recovery where needed
Some findings require account recovery first — old addresses, orphaned accounts, inherited reset chains. The instruction covers the recovery path as well as the hardening step.
Tool recommendations
Matched to what we found — the authenticator that fits the at-risk platforms, the password manager that suits how you work, the alias pattern that closes a reset-chain exposure.
After delivery
Direct analyst access for 24–48 hours after the report lands — for questions on findings, clarification on any instruction, or a second pass where something needs more context.
What comes next
Where significant people-search or data-broker exposure surfaces alongside the credentials, The Eraser removes the underlying records. The two engagements are designed to work in sequence.
How the Lockdown compares
The Mirror vs The Lockdown
The Mirror tells you what is publicly visible and what has been exposed in breaches. The Lockdown goes a layer deeper — into what is actively circulating in corporate dumps, credential markets and closed forums — and assesses which accounts are at realistic takeover risk, with recommendations tied to those findings.
Why free tools aren't enough
Have I Been Pwned checks known public breach databases, but it does not cover closed credential markets, corporate data dumps, or dark-forum references. A Lockdown investigation checks all of these and tells you which accounts are at realistic risk based on what is actually circulating — not just what has been publicly disclosed.
What to do immediately after a breach
Rotate the passwords you know were included and enable two-factor authentication on any account sharing those credentials. Beyond that, an investigation tells you what is specifically circulating and which of your accounts are at realistic risk — so you act on evidence, not the company's notification.
How serious is my breach?
It depends on what was taken and where it ended up. An email address alone is low risk; a full credential pair circulating in a market is immediately actionable. Most breaches feed long-tail attacks that emerge months later. The question is not how serious the breach was — it is what has been done with your data since.
Lockdown FAQs
The Mirror tells you what's publicly visible and what's been exposed in breaches. The Lockdown goes one layer deeper — into what's actively circulating in corporate data dumps, credential markets and closed forums. It also assesses which accounts are at realistic takeover risk, and provides personalised recommendations tied to those findings.
Specific to what we found — not a generic checklist. If we found a plaintext password in a corporate dump, we tell you which accounts to rotate and what password manager to use. If we found your email in a credential market, we tell you which services are at risk and how to lock them down.
Delivery is typically within 5 business days. The investigation includes all Mirror-scope work plus the deeper credential and forum search layers. Priority support (24–48hr response) is included throughout.
It depends on what was taken and where it's ended up. An email address alone is low risk. A cracked password hash is higher. A full credential pair circulating in a market is immediately actionable. The question isn't how serious the breach was — it's what's been done with your specific data since.
Takeovers often begin quietly — credential testing, session hijacking, or a slow build-up of profile data. Free tools check public breach databases only; they don't cover closed markets, corporate dumps or dark-forum references. A Lockdown investigation checks all of these and tells you which accounts are at realistic risk.