The definitive glossary of identity risk intelligence terminology. Clear, concise definitions for account takeover, infostealers, session hijacking, credential stuffing, data pedigree, and more terms used across Constella’s products and the broader identity security landscape.
A
Account Takeover (ATO)
A cyberattack in which a threat actor uses stolen or compromised credentials to gain unauthorized access to a legitimate user’s account. ATO is one of the most common outcomes of infostealer infections and credential stuffing campaigns.
More: Account Takeover Prevention
Alert Fatigue
The condition in which a security operations team becomes desensitized to alerts due to excessive volume, often caused by low-fidelity or unverified threat feeds that generate high rates of false positives. Constella’s Verified Identity Pedigree significantly reduces alert fatigue by delivering only confirmed, actionable signals.
More: Data Pedigree and Methodology
Attribute
A single data field associated with an identity record, such as email address, phone number, password hash, IP address, or date of birth. Constella’s data lake contains over 429 billion curated identity attributes across 125+ countries.
More: Intelligence API
Attribution
The process of linking an anonymous online identity, alias, or digital artifact to a verified real-world person or threat actor. Constella’s Hunter platform enables identity attribution by pivoting across breach records, infostealer logs, and dark web sources.
More: Threat Investigation
B
Brand Impersonation
An attack in which a threat actor creates fraudulent websites, social media profiles, mobile applications, or email domains that mimic a legitimate organization in order to deceive customers, partners, or employees. Constella’s Hunter+ DRP detects and automates takedowns of brand impersonation assets.
More: Brand Protection
Brand Protection
A category of Digital Risk Protection focused on detecting and removing unauthorized use of an organization’s name, logo, or identity across the surface, deep, and dark web. This includes phishing domains, rogue social media profiles, counterfeit mobile apps, and lookalike websites.
More: Brand Protection
Breach
An incident in which confidential data, including credentials, personal information, or financial records, is exfiltrated from a system without authorization. Constella tracks over 567,000 hunted breach events and ingests newly discovered breach data continuously.
More: Data Pedigree and Methodology
Breach Record
A single entry in Constella’s data lake derived from a confirmed data breach event, containing one or more identity attributes such as an email address, password, or PII field. Constella’s data lake contains over 1 trillion verified breach records.
More: Intelligence API
Business Email Compromise (BEC)
A social engineering attack in which a threat actor impersonates a company executive or trusted partner via email to fraudulently redirect payments or exfiltrate sensitive information. Executive credential exposure and digital footprint data are key enabling factors that Constella’s Executive Protection monitors continuously.
More: Executive Protection
C
Combolist
A compiled file containing large numbers of username and password pairs, typically aggregated from multiple breach sources, used as input for credential stuffing automation tools. Constella ingests and processes combolists as part of its multi-vector data collection pipeline.
More: Data Pedigree and Methodology
Credential Exposure
The condition in which a user’s login credentials, including username and password, have appeared in a breach dataset, infostealer log, or dark web listing and may be known to unauthorized parties. Constella detects credential exposures in real time across monitored corporate and consumer identity populations.
More: Account Takeover Prevention
Credential Stuffing
An automated attack that uses large volumes of stolen username and password pairs, typically sourced from breach datasets or combolists, to attempt mass unauthorized logins across target applications. Because many users reuse passwords, even a single breach dataset can enable credential stuffing across hundreds of unrelated services.
More: Account Takeover Prevention
Criminal Forum
An online community operating on the dark web or encrypted channels where threat actors buy, sell, and exchange stolen data, malware, access credentials, and attack tools. Constella monitors criminal forums continuously as part of its multi-vector dark web collection pipeline.
More: Threat Investigation
D
Dark Web
The portion of the internet that requires specific software, such as the Tor browser, to access and that is not indexed by standard search engines. The dark web hosts criminal markets, forums, and exchanges where stolen credentials, infostealer logs, and compromised access are bought and sold. Constella monitors dark web sources as part of its continuous intelligence collection.
More: Data Pedigree and Methodology
Dark Web Monitoring
The continuous surveillance of dark web marketplaces, forums, paste sites, and criminal channels for stolen credentials, personal data, and organizational intelligence associated with monitored domains or identity populations. Constella’s monitoring covers both consumer identity theft monitoring and enterprise credential exposure detection.
More: Identity Theft Monitoring
Data Lake
A large-scale repository of structured and unstructured data stored in its raw or processed form for analysis and querying. Constella’s identity data lake contains over 1 trillion verified records spanning 125+ countries, 50+ languages, and 15+ years of breach history, curated through a proprietary multi-stage verification pipeline.
More: Intelligence API
Data Pedigree
Constella’s proprietary standard for tracing every identity record to a confirmed, verified breach or exposure event. Data pedigree is the practice of documenting and validating the source, authenticity, accuracy, and integrity of each record before it enters the data lake, distinguishing verified intelligence from unvetted bulk data.
More: Data Pedigree and Methodology
Deep Web
The portion of the internet that is not indexed by public search engines but does not require special software to access. This includes password-protected forums, private databases, and closed communities where stolen data is frequently exchanged. Constella’s collection pipeline spans the surface, deep, and dark web.
More: Data Pedigree and Methodology
Deepfake
AI-generated synthetic media, typically audio or video, that convincingly impersonates a real person and is used in fraud, social engineering, and disinformation campaigns. Executive deepfakes are a growing threat vector monitored as part of Constella’s Executive Protection capability.
More: Executive Protection
Deduplication
The process of identifying and removing duplicate records from a dataset so that each identity is represented exactly once. Constella’s curation pipeline applies automated deduplication to eliminate redundant records from bulk breach data before they enter the intelligence layer, reducing false positives and noise.
More: Data Pedigree and Methodology
Digital Risk Protection (DRP)
A category of cybersecurity focused on monitoring and remediating threats to an organization’s digital presence, including credential exposure, brand impersonation, executive exposure, and account takeover risk. Hunter+ is Constella’s Digital Risk Protection platform.
More: Hunter+ DRP Overview
Doxxing
The malicious publication of an individual’s private or personally identifiable information, including home address, phone number, family details, or financial data, typically used to harass, intimidate, or endanger. Constella’s Executive Protection monitors for doxxing exposure across public and dark web sources.
More: Executive Protection
E
Entity Resolution
The process of determining that multiple records across different data sources refer to the same real-world entity, such as the same person appearing under different email addresses or aliases. Constella applies entity resolution as the final stage of its data curation pipeline to build unified identity profiles.
More: Data Pedigree and Methodology
Exposure Check
A free service offered by Constella at threatmap.constella.ai that allows individuals or organizations to check whether their email address appears in Constella’s breach and infostealer database. It is a direct entry point to understanding an organization’s identity risk surface.
More: Free Exposure Check
Executive Protection
A Digital Risk Protection capability focused on continuously monitoring the digital footprints of senior organizational leaders, board members, and high-value individuals. Constella’s Executive Protection detects credential exposures, PII leaks, infostealer infections on personal devices, and impersonation threats targeting named executives.
More: Executive Protection
F
False Positive
A security alert that incorrectly identifies a benign event as malicious, wasting analyst time and contributing to alert fatigue. Constella’s Verified Identity Pedigree process significantly reduces false positive rates by ensuring every alert is tied to a confirmed, verified exposure event.
More: Data Pedigree and Methodology
FinTech Identity Intelligence
The application of verified breach and infostealer data to FinTech-specific fraud use cases, including synthetic identity detection at onboarding, payment session fraud prevention, account takeover, and AML/BSA investigation support. Constella’s API delivers identity intelligence purpose-built for FinTech fraud and risk teams.
More: FinTech
Fraud Model
A machine learning or rules-based system used by financial institutions, e-commerce platforms, and FinTech companies to detect and prevent fraudulent transactions and account activity. Constella’s identity intelligence API provides an external data signal that enhances fraud model accuracy by surfacing known-compromised identities at decision time.
More: Use Cases (API)
H
Hash / Password Hash
A one-way cryptographic transformation of a plaintext password that produces a fixed-length string. Because many organizations store passwords as hashes rather than plaintext, attackers use cracking techniques to reverse hashes and recover original passwords. Constella processes both hashed and plaintext password exposures and supports privacy-preserving hashed query workflows.
More: Intelligence API
Hunter
Constella’s investigative platform for deep-dive OSINT, identity attribution, and dark web forensics. Hunter allows security analysts and investigators to pivot from a single email, alias, username, or IP address to a comprehensive threat actor profile by querying across Constella’s full data lake including breach records, infostealer logs, paste sites, and criminal forums.
More: Threat Investigation
Hunter Copilot
An AI-powered assistant within the Hunter platform that automates complex identity link discovery, visualizes threat actor networks, and reduces investigation time by surfacing relationship connections across Constella’s data lake. Hunter Copilot is designed to reduce investigation cycles that would otherwise require hours of manual OSINT.
More: Threat Investigation
Hunter+ DRP
Constella’s enterprise Digital Risk Protection platform that unifies workforce credential monitoring, infostealer intelligence, executive protection, brand protection, and AI-assisted threat investigation in a single managed service. Hunter+ is the Investigate path for organizations protecting their own digital perimeter.
More: Hunter+ DRP Overview
I
Identity Attribution
The process of linking an anonymous or pseudonymous online identity to a verified real-world individual using overlapping identity attributes across breach records, infostealer logs, and open source intelligence. Constella’s Hunter platform is purpose-built for identity attribution investigations.
More: OSINT
Identity Data API
Constella’s RESTful programmatic interface providing real-time access to over 1 trillion verified identity records for integration into fraud decisioning systems, security platforms, identity monitoring products, and detection stacks. The API supports querying across 70+ unique identity attributes with sub-200ms latency.
More: Intelligence API
Identity Fusion
A Constella capability that verifies data pedigree and confirms additional identity attributes from a single known input, such as an email address, with 99% confidence. Identity Fusion allows investigators and fraud analysts to rapidly expand a partial identity profile into a complete, verified picture.
More: Threat Investigation
Identity Risk
The aggregate exposure of an individual or organization to threats arising from compromised, stolen, or exposed identity data. Identity risk encompasses credential exposure, infostealer infections, PII leaks, account takeover, brand impersonation, and executive digital exposure across the surface, deep, and dark web.
More: Hunter+ DRP Overview
Identity Risk Intelligence
Constella’s core positioning and product category: actionable, verified intelligence derived from the world’s largest breach and infostealer data lake that enables organizations to detect, investigate, and respond to identity-based threats before they become incidents.
More: About Us
Identity Theft
The fraudulent acquisition and use of an individual’s personal information, typically involving stolen credentials, Social Security numbers, financial account data, or other PII, to commit fraud, access accounts, or assume the victim’s identity. Constella’s Identity Theft Monitoring solution provides real-time alerts when consumer identity data appears on dark web markets.
More: Identity Theft Monitoring
Identity Theft Monitoring
A product category that provides continuous monitoring of dark web sources, breach repositories, and criminal markets for an individual’s or organization’s personal data, alerting when stolen credentials or PII are discovered. Constella’s API powers identity theft monitoring products for consumer protection providers and enterprise security programs.
More: Identity Theft Monitoring
Infostealer
A category of malware designed to silently harvest browser-stored credentials, active session cookies, cryptocurrency wallets, SSH keys, autofill data, and system metadata from infected devices and transmit the collected data to attacker-controlled infrastructure. Infostealers are the primary source of enterprise credential compromise and session hijacking attacks. Common infostealer families include Lumma Stealer, RedLine, Vidar, Raccoon, and Stealc.
More: Session Hijacking Detection
Infostealer Log
A structured data package produced by infostealer malware containing the complete harvest from a single infected device, including credentials, session cookies, device metadata, browser history, and targeted application data. Constella processed over 51.7 million infostealer packages in 2025 and monitors criminal markets for newly listed logs matching monitored domains.
More: Session Hijacking Detection
Infostealer Sentinel
A Constella product that provides continuous monitoring specifically for infostealer package activity targeting an organization’s domains, delivering structured alerts when freshly harvested session cookies, credentials, or device metadata associated with monitored identities appear on criminal markets.
More: Hunter+ DRP Overview
Initial Access Broker (IAB)
A threat actor who specializes in obtaining initial access to target environments, typically by purchasing infostealer logs containing valid credentials or session cookies, and then reselling that access to ransomware operators or other criminal groups. The IAB economy is a key link in the infostealer-to-ransomware attack chain.
More: Ransomware Prevention
Intelligence API
See Identity Data API. Constella’s RESTful programmatic interface for accessing verified breach, infostealer, and dark web identity intelligence at sub-200ms latency, supporting 70+ queryable identity attributes.
More: Intelligence API
L
Law Enforcement Agency (LEA) Intelligence
The application of identity attribution, dark web intelligence, and breach record analysis to support criminal investigations, including the linking of online aliases and dark web handles to verified real-world identities. Constella’s Hunter platform serves law enforcement investigators with tools designed to support warrant preparation, SAR documentation, and digital forensics.
More: Law Enforcement Agencies
Lookalike Domain
A domain registered to closely resemble a legitimate organization’s domain, typically using typosquatting, homoglyph substitution, or appended words, for use in phishing, brand impersonation, and business email compromise attacks. Constella’s Brand Protection capability detects lookalike domain registrations in real time.
More: Brand Protection
M
Maltego Transforms
Native integrations that deliver Constella identity intelligence directly into Maltego link analysis sessions, allowing investigators to query Constella’s data lake without leaving the Maltego environment. Maltego Transforms are available as part of the Hunter platform.
More: Threat Investigation
MDR / Managed Detection and Response
A security service category in which a provider delivers continuous threat monitoring, detection, investigation, and response on behalf of client organizations, typically combining human expertise with technology. Constella’s identity intelligence API enables MDR providers to add infostealer detection, session hijacking signals, and pre-ransomware alerting to their service offerings.
More: MDR/XDR
MFA Bypass
A technique used by attackers to circumvent multi-factor authentication without needing the victim’s second factor. The most common enterprise MFA bypass method involves replaying stolen session cookies harvested by infostealer malware, since a valid session cookie represents a session in which MFA was already satisfied by the legitimate user.
More: Session Hijacking Detection
MSSP / Managed Security Service Provider
An organization that delivers outsourced security monitoring, management, and response services to client organizations. Constella partners with MSSPs to deliver identity intelligence as a managed service through its OEM and reseller programs, enabling MSSPs to offer credential monitoring, infostealer detection, and digital risk protection as premium service tiers.
More: Resellers and Partners
Multi-Vector Collection
The first phase of Constella’s data lifecycle, encompassing the ingestion of identity data from thousands of sources spanning closed criminal forums, dark web marketplaces, paste sites, data dump repositories, and surface web breach disclosures. Multi-vector collection ensures comprehensive coverage of the threat landscape.
More: Data Pedigree and Methodology
O
OEM Partnership
A commercial arrangement in which a technology or data provider licenses its capabilities to a partner who embeds them into their own product or service under their own brand. Constella offers OEM partnerships that allow identity protection providers, credit bureaus, and security platforms to embed Constella’s identity data lake into their own products.
More: Resellers and Partners
OSINT / Open Source Intelligence
The collection and analysis of intelligence from publicly available sources, including social media, news, public records, domain registrations, and the open web. Constella’s Hunter platform extends OSINT workflows with verified breach data, infostealer logs, and dark web intelligence to enable identity attribution at a depth not achievable through open sources alone.
More: OSINT
P
Passive DNS
A historical record of DNS query data used in threat investigations to reconstruct domain resolution history and link infrastructure to threat actors. Constella’s Hunter platform incorporates Passive DNS data as one of its pivoting dimensions for attribution investigations.
More: Threat Investigation
Password Exposure
The presence of a user’s password, in either plaintext or hashed form, in a breach dataset or infostealer log accessible to unauthorized parties. Constella’s 2026 Identity Breach Report found that 68.89% of breached credentials were exposed in plaintext, a 261% year-over-year increase.
More: Intelligence API
Paste Site
A web service, such as Pastebin or similar platforms, used to share text content publicly and often exploited by threat actors to publish stolen credentials, leaked data, and breach dumps. Constella monitors paste sites continuously as part of its surface and deep web intelligence collection.
More: Data Pedigree and Methodology
PII / Personally Identifiable Information
Any data that can be used to identify a specific individual, including name, address, date of birth, Social Security number, phone number, email address, and financial account information. PII exposure in breach records and infostealer logs is a primary driver of identity theft and fraud.
More: Identity Theft Monitoring
Plaintext Credential
A username and password stored or transmitted without any encryption or hashing, making it immediately usable by anyone who obtains it. Constella’s 2026 Identity Breach Report found that 68.89% of all breached credentials appeared in plaintext, a 261% year-over-year increase driven largely by infostealer harvesting of browser-stored data.
More: Intelligence API
R
Ransomware
Malware that encrypts an organization’s files or systems and demands payment for the decryption key. Modern ransomware attacks are almost universally identity-driven: attackers first obtain valid credentials or session cookies, typically through infostealer malware or credential stuffing, establish a foothold, conduct reconnaissance, and then deploy encryption. Constella addresses ransomware at the initial access stage, before the foothold is established.
More: Ransomware Prevention
Ransomware Precursor
A credential exposure, infostealer log, or session cookie that represents the initial access material a ransomware operator would use to enter a target network. Detecting ransomware precursors in criminal markets before they are used is the core function of Constella’s ransomware prevention capability. Research shows that 54% of ransomware victims had their credentials appear in stealer log markets before the attack.
More: Ransomware Prevention
RESTful API
An API architecture style that uses standard HTTP methods to enable programmatic access to resources. Constella’s Identity Data API is a RESTful interface delivering real-time identity intelligence queries with sub-200ms latency across 70+ supported identity attributes.
More: Intelligence API
S
SAR / Suspicious Activity Report
A regulatory filing required of financial institutions in the United States under the Bank Secrecy Act when they detect transactions or activities that may involve money laundering, fraud, or other financial crimes. Constella’s FinTech intelligence supports SAR preparation by providing verified identity data linking synthetic identity fraud campaigns to underlying breach and infostealer evidence.
More: FinTech
Session Cookie
A browser-stored token that authenticates a user’s ongoing session with a web application after the initial login, including any MFA step, has been completed. Infostealer malware targets active session cookies because replaying a stolen session cookie grants full authenticated access without requiring a username, password, or MFA response.
More: Session Hijacking Detection
Session Hijacking
An attack in which a threat actor replays a stolen session cookie to impersonate a legitimate user within an already-authenticated session, bypassing all login and MFA controls. Constella detects session hijacking threats at the infostealer package level, surfacing stolen cookies before they can be replayed against enterprise applications.
More: Session Hijacking Detection
Single Sign-On (SSO)
An authentication method that allows a user to log in once and gain access to multiple connected applications using a single identity. SSO credentials are disproportionately targeted by infostealers and Initial Access Brokers because a single valid SSO session provides access to every application integrated with the identity provider.
More: Session Hijacking Detection
Source Authentication
The second phase of Constella’s data curation pipeline, in which the provenance of each ingested dataset is verified against known breach indicators, structural analysis, and linguistic validation before the records are accepted into the data lake. Source authentication ensures that Constella’s intelligence is traceable to confirmed breach or exposure events.
More: Data Pedigree and Methodology
SSO Credential
A username and password or session token associated with a Single Sign-On identity provider such as Microsoft Entra ID, Okta, or Google Workspace. Because SSO credentials unlock access to every integrated application, their exposure in infostealer logs represents one of the highest-value targets in the enterprise threat landscape.
More: Session Hijacking Detection
Sub-200ms Latency
Constella’s API performance benchmark: query responses are returned in under 200 milliseconds, enabling real-time integration into authentication flows, fraud decisioning systems, and live detection stacks without introducing user-facing delays.
More: Intelligence API
Surface Web
The publicly accessible, search-engine-indexed portion of the internet. While the surface web is visible to everyone, it still hosts significant quantities of breach data through paste sites, public leak forums, and data dump repositories. Constella’s collection pipeline spans the surface, deep, and dark web.
More: Data Pedigree and Methodology
Synthetic Identity Fraud
A fraud technique in which a criminal creates a fictitious identity by combining real and fabricated information, such as a valid Social Security number with a false name and date of birth, to open fraudulent financial accounts or obtain credit. Constella’s FinTech identity intelligence API enables detection of synthetic identities at onboarding by cross-referencing submitted identity data against breach and infostealer records.
More: FinTech
T
Takedown
The process of removing or disabling a fraudulent digital asset, such as a phishing website, rogue social media profile, or counterfeit mobile application, typically through coordination with hosting providers, domain registrars, or platform operators. Constella’s Brand Protection capability automates takedown workflows for impersonation assets targeting monitored organizations.
More: Brand Protection
Threat Actor
An individual, group, or organization responsible for conducting cyberattacks, including credential theft, ransomware deployment, fraud, and espionage. Constella’s Hunter platform enables threat actor attribution by linking digital artifacts such as usernames, emails, and infrastructure to verified identities.
More: Threat Investigation
Threat Intelligence
Organized, analyzed, and contextualized information about current and emerging cyber threats, used to inform security decisions and prioritize defensive actions. Constella’s identity intelligence provides a specialized threat intelligence layer focused on the identity attack surface, including credential exposure, infostealer activity, and dark web market signals.
More: Hunter+ DRP Overview
Threat Investigation
A structured process of using identity intelligence, OSINT, and dark web data to investigate a threat actor or incident, typically involving pivoting from a known indicator to uncover associated infrastructure, aliases, and real-world identity attributes. Constella’s Hunter platform is the primary tool for threat investigation workflows.
More: Threat Investigation
Typosquatting
The registration of a domain name that closely resembles a legitimate brand’s domain, exploiting common typing errors, to conduct phishing, distribute malware, or intercept traffic. Constella’s Brand Protection capability monitors for typosquatted domain registrations targeting monitored organizations.
More: Brand Protection
V
Verified Identity Pedigree
Constella’s proprietary data quality standard in which every identity record in the data lake is traced to a confirmed breach or exposure event through a four-phase curation pipeline: multi-vector collection, source authentication, automated deduplication, and entity resolution. Verified Identity Pedigree is the differentiator that separates Constella’s intelligence from raw data broker feeds.
More: Data Pedigree and Methodology
VPN Credential
The username and password used to authenticate to a corporate Virtual Private Network gateway, which provides encrypted remote access to internal network resources. VPN credentials are a high-value target in infostealer logs because successful VPN authentication gives an attacker direct access to internal systems, often without triggering perimeter security controls.
More: Ransomware Prevention
W
Workforce Credential Monitoring
Continuous monitoring of a corporate domain’s employee email addresses and associated credentials across breach databases, infostealer logs, and dark web sources, with automated alerting when compromised credentials are discovered. Constella’s Hunter+ DRP includes workforce credential monitoring as a core capability for enterprise security teams.
More: Hunter+ DRP Overview
X
XDR / Extended Detection and Response
A security architecture that integrates and correlates threat data across multiple security layers, including endpoint, network, cloud, and identity, to provide broader detection and response coverage than traditional EDR solutions. Constella’s identity intelligence API enables XDR platforms to incorporate external identity risk signals that their native telemetry cannot generate.
More: MDR/XDR