Popular Keywords

Categories

No Record Found

View All Results
Free Exposure Check
Request a Demo

Identity Protection SaaS Eliminates a Recycled-Credential Coverage Gap and Cuts Net Churn by 26%

Executive Summary

A consumer identity protection SaaS with 1.6 million subscribers was losing customers to a problem its own data could not explain. Subscribers were receiving exposure notifications from competitors days before the provider sent its own, and the gap clustered around one category: recycled credential dumps, the repackaged combo lists and reposted leaks that keep valid credentials in circulation long after the original breach. The provider’s data source indexed named breaches well but did not see credentials resurfacing across the wider ecosystem. After layering Constella’s monitoring API as an additive intelligence source, the provider closed the coverage gap, cut net churn by 26%, and launched an infostealer alert category that drove a new premium tier.

The Challenge: A Detection Gap Hidden Inside Credential Reuse

The provider’s churn surveys carried a consistent and specific complaint. Departing subscribers named an exposure event and the competitor that had alerted them to it first. When the team traced those events, a pattern emerged. The missed exposures were rarely brand-new breaches. They were old credentials reappearing inside new compilations, paste-site reposts, and combo lists, the recycled credential dumps that drive a large share of account-takeover attempts.

The provider’s existing feed was organized around a catalog of named breaches. It performed well when a subscriber’s data appeared in one of those known events. It did not surface the same email address and password resurfacing months or years later in a recirculated dump, because that resurfacing was never tied to a new named breach. The provider was, in effect, blind to reuse, which is exactly where ongoing risk lives.

A second gap compounded the first. The product had no infostealer monitoring. Infostealers harvest credentials and session data from infected devices and distribute them through criminal markets, and subscribers were beginning to ask whether the product covered that category. The honest answer was no.

The Solution: Layered, Pre-Indexed Coverage as an Additive Source

Rather than rip out the existing feed, the provider layered Constella’s monitoring API on top of it as an additional intelligence source. Constella’s coverage is built by continuously hunting breaches across the surface, deep, and dark web, including the recirculated dumps and combo lists that named-breach catalogs do not track. That breadth of breaches hunted, rather than a fixed catalog of named events, is what let the provider catch credential reuse it had been missing. The integration ran in three phases over eight weeks:

  • Coverage augmentation. Constella’s breach and credential monitoring was added to the alert pipeline against subscriber email address(es) and phone numbers. Constella alerts were deduplication-checked against the existing feed before delivery, so subscribers received one notification per exposure regardless of source.
  • Recycled-credential detection. Because Constella pre-indexes the broader ecosystem, credentials resurfacing in new compilations were flagged as fresh exposure events, closing the reuse gap that had been driving churn.
  • Infostealer alert category. Infostealer-sourced compromise was activated as a new alert type, with payload context such as malware strain and the application where a session was captured, and a dedicated notification template explaining what the alert means.

The Result: 26% Lower Net Churn and a New Premium Tier

  • Net subscriber churn fell by 26% in the two quarters after full deployment, attributed primarily to closing the recycled-credential detection lag that competitors had been exploiting.
  • The infostealer alert category launched as a premium tier and reached a 19% upsell attachment rate in its first six months, well above the internal projection.
  • Inbound support queries asking whether the product covered a specific exposure fell by 34%, because the broader coverage now answered most of those questions automatically.
  • Time-to-notify on reuse-driven exposures moved from trailing competitors to leading them on the majority of tracked events.
What is a recycled credential dump?

A recycled credential dump is a compilation of previously leaked usernames and passwords that is repackaged and recirculated across forums, paste sites, and combo lists long after the original breach. The credentials are often still valid because people reuse passwords, which is why this so-called zombie data continues to expose subscribers years later.

Why do named-breach catalogs miss credential reuse?

Catalogs built around a fixed set of named breaches only flag a subscriber when their data appears in one of those known events. They do not see the same credentials resurfacing inside new combo lists, infostealer logs, or recirculated dumps, so reuse-driven exposure slips through. Pre-indexed coverage of the broader breach ecosystem catches that resurfacing.

How does pre-indexed breach coverage reduce subscriber churn?

Subscribers churn when a competitor notifies them of an exposure first. Pre-indexed coverage of the wider breach and infostealer ecosystem closes the detection lag that competitors exploit, so the provider notifies first more often, which is the single largest driver of retention in identity protection products.

Conclusion

Consumer identity protection products are retained on coverage and lost on gaps. For this provider, the gap was not a missing breach, it was missing the reuse of credentials it had technically already seen. Pre-indexed coverage of the wider ecosystem, added without disrupting the existing pipeline, closed that gap and turned a churn problem into a retention and upsell story.

Ready to close the coverage gaps that drive subscriber churn?

Explore Partnership Options