Popular Keywords

Categories

No Record Found

View All Results
Free Exposure Check
Request a Demo

Identity Theft Protection Provider Scales to 8 Million Monitored Identities and Reduces Churn by 29%

Executive Summary

Consumer identity protection products live and die on detection coverage. Subscribers pay for the assurance that if their identity is exposed somewhere on the internet, they will be the first to know, before the attacker acts on it. When a competitor’s notification arrives before the provider’s, the subscriber relationship is at risk. When the provider misses an entire category of compromise, the risk is existential. 

This case study examines how a consumer identity theft protection provider with 2.3 million subscribers used Constella’s OEM monitoring API to address two simultaneous threats to its business: detection gaps causing subscriber churn, and the complete absence of infostealer monitoring in a product that a growing segment of the market was beginning to ask about. The integration scaled monitored identity coverage from 2.3 million to 8 million, reduced net churn by 29%, and launched an infostealer monitoring premium tier that achieved a 22% upsell attachment rate in its first six months. 

The Challenge: Detection Gaps and a Missing Capability Category 

The provider’s monitoring product was built on a single breach data vendor with whom it had maintained a multi-year relationship. The vendor’s coverage had been adequate when the contract was signed. By the time of this integration, the competitive landscape had shifted materially. 

The provider’s customer success team had been tracking a specific complaint pattern in subscriber churn surveys: a meaningful percentage of churning subscribers reported receiving a breach notification from a competitor’s product that the provider had not sent. The complaints were specific: subscribers named the breach event and the competitor. Investigation confirmed that the competing product was using a different data source with earlier ingestion of certain breach events, and that the provider’s single-vendor data dependency was creating a coverage lag of 48 to 96 hours on some breach categories. 

The infostealer gap was a separate but equally significant problem. The provider’s product had no infostealer monitoring capability. Infostealers, which harvest session cookies and credentials from infected devices and distribute them through criminal markets, represent a growing proportion of credential compromise events. Subscribers asking whether the product monitored infostealer sources were receiving honest but commercially damaging answers: no. 

The provider also faced a scale constraint. Its existing data vendor’s pricing model made it economically unviable to expand monitored identity coverage beyond the subscriber base. Family members, additional email addresses, and the other identity attributes that premium subscribers routinely ask to add were being declined at the product level because the per-monitored-identity cost structure could not support the expansion. 

The OEM Integration Decision 

The provider evaluated three approaches: replacing the existing vendor with a single new vendor, layering a second vendor on top of the existing one, and pursuing an OEM integration that would allow flexible expansion of monitored identity volume without proportionate cost scaling. 

Full vendor replacement carried transition risk: the existing vendor had deep integrations with the notification and alert pipeline that would require significant re-engineering. The layered vendor approach was operationally simpler but did not address the scale constraint, since it added a second per-identity cost rather than restructuring the cost model. 

The OEM integration approach, using Constella’s monitoring API as an additive intelligence layer alongside the existing vendor, addressed all three problems simultaneously: it filled the breach detection gaps through Constella’s broader and faster coverage, it added infostealer monitoring as a new alert category through Constella’s 51.7 million package library, and it provided a cost structure that made expanded monitored identity volume economically viable. The existing vendor integration remained in place, and Constella’s data merged into the unified alert pipeline as an additional source. 

The Solution: Layered OEM Intelligence with White-Label Alert Delivery 

The integration was configured in three phases over eight weeks: 

  • Phase 1: Breach coverage augmentation. Constella’s breach and credential monitoring API was integrated into the alert pipeline, covering the subscriber base’s email addresses and phone numbers against Constella’s full breach repository. Alerts from Constella were deduplication-checked against the existing vendor’s alert history before delivery, ensuring subscribers received one notification per exposure event regardless of source. 
  • Phase 2: Infostealer monitoring activation. Constella’s infostealer monitoring was activated for the subscriber base, adding a new alert category: infostealer-sourced compromise events with payload including malware strain attribution, infected device metadata, and specific application URLs where sessions were captured. The product team designed a new alert notification template for this category, distinct from breach alerts, explaining what an infostealer infection means and what remediation steps are required. 
  • Phase 3: Monitored identity scale expansion. The OEM cost structure enabled the provider to extend monitored identity coverage from the subscriber’s primary email address to up to five email addresses, two phone numbers, and physical address monitoring without requiring the subscriber to pay a premium. Total monitored identity volume expanded from 2.3 million to 8 million across the subscriber base. 

The Result: 29% Churn Reduction, 22% Premium Upsell Attachment 

The subscriber impact was measurable across multiple dimensions in the two quarters following full deployment:  

  • Net subscriber churn rate fell by 29%. The provider attributed the reduction to two factors: the elimination of the detection coverage gap that had been cited in churn surveys (Constella’s ingestion speed and coverage breadth closed the lag that competitors had been exploiting), and the addition of infostealer monitoring, which addressed the capability gap that had been generating commercially damaging non-answers in subscriber support interactions. 
  • Infostealer monitoring was launched as a premium tier feature, the first new paid tier the provider had introduced in three years. The tier was positioned as ‘next-generation identity monitoring’ covering the malware-sourced compromise category that traditional breach monitoring cannot detect. Upsell attachment from base to premium reached 22% in the first six months, significantly above the internal projection of 12%. 
  • Monitored identity volume scaled from 2.3 million to 8 million. The expanded coverage drove a material increase in per-subscriber alert engagement: subscribers with multiple monitored addresses received more frequent, higher-relevance alerts, increasing the product’s perceived value and reducing the ‘nothing is happening’ complaint pattern that had been a secondary driver of churn. 
  • The provider’s customer support team reported a 40% reduction in inbound queries about whether the product monitored specific breach events. The Constella integration’s broader coverage addressed most of the specific breach events that subscribers had been calling about, reducing support volume while simultaneously improving product satisfaction scores.  

Key Outcomes:  

  • Net subscriber churn reduced by 29% in the two quarters following integration 
  • Infostealer monitoring premium tier achieved 22% upsell attachment rate in first six months 
  • Monitored identity volume scaled from 2.3 million to 8 million without additional infrastructure investment 
  • 40% reduction in inbound support queries about breach coverage gaps 
  • Detection coverage lag versus competitors is eliminated through Constella’s ingestion speed and breadth 
Why did the layered OEM approach outperform full vendor replacement?

Full vendor replacement would have required re-engineering the existing alert pipeline, re-seeding historical breach data for existing subscribers, and managing a transition period during which monitoring coverage might be reduced. The layered OEM approach added Constella’s coverage alongside the existing vendor without disrupting existing integrations, achieving full coverage expansion within eight weeks rather than the estimated six to nine months a full replacement would have required. For a subscription business where each week of churn is a measurable revenue event, speed of integration matters as much as quality of data. 

How does OEM pricing make monitored identity scale viable when per-identity pricing does not?

Standard per-identity pricing models charge a fixed rate for each monitored identity, making expansion to multiple email addresses per subscriber a direct cost multiplier. OEM arrangements, by contrast, are structured around volume tiers and total monitored population rather than per-identity transaction costs, enabling providers to expand monitored identity coverage across their subscriber base without a corresponding linear cost increase. The specific structure of Constella’s OEM terms for any given partner depends on the partner’s monitored population size, alert volume, and delivery requirements, and is scoped through the partner engagement process. 

What made the infostealer premium tier successful at a 22% attachment rate?

Three factors contributed. First, the product team invested in subscriber education: the infostealer alert notification was designed to explain what a malware-sourced compromise means and why it differs from a data breach, giving subscribers the context to understand the capability they were being offered. Second, the premium tier was launched at a price point calibrated to existing subscriber willingness to pay data from churn surveys, rather than a margin-driven price. Third, the timing coincided with growing consumer media coverage of infostealer malware and MFA bypass attacks, creating ambient awareness of the threat category that made the new capability feel relevant rather than theoretical. 

Conclusion

Consumer identity protection products are retained on coverage and lost on gaps. The subscribers who churn are not leaving because the product failed to catch a threat: they are leaving because a competitor caught it first, or because the product could not answer a question about a threat category the subscriber had heard about elsewhere. 

For this provider, both problems were data problems. The coverage lag was a data breadth and ingestion speed problem. The infostealer gap was a data category problem. Both were addressed through a single OEM integration that added Constella’s intelligence without disrupting the existing infrastructure and delivered the scale economics to expand monitored coverage across the subscriber base simultaneously. 

The 29% churn reduction and 22% upsell attachment were the business outcomes. The 8 million monitored identities and 40% support volume reduction were the operational outcomes. All of them followed from having the right data. 

Ready to expand your identity monitoring coverage and reduce subscriber churn?

Explore Partnership Options