
Threat Findings Explained - Hostname, Password, Occurrences

The Findings section of the Threat Details panel provides the raw evidence behind a detected exposure.

Each finding represents a unique piece of compromised data associated with the exposed identity, collected from infostealers, breaches, paste sources, or aggregated datasets.


Understanding these fields is essential for evaluating the severity of the threat and determining the correct remediation steps.


The three core elements shown in Findings are:


  • Hostname
  • Password
  • Occurrences


This article explains what each one means and how to interpret them.




1. Hostname


What is the Hostname?

The hostname identifies the device from which the exposed data was stolen — typically through an infostealer malware infection.


It reflects the name of the infected machine, usually set by the operating system or the user (e.g., workstation names, personal laptop names, device IDs).


Why Hostname matters

A hostname indicates:


  • the specific compromised device
  • whether the exposure came from malware
  • whether the infected machine may still be in use
  • whether multiple identities were stolen from the same system


Hostnames are crucial for:


  • incident response
  • forensic analysis
  • correlating multiple exposures from the same device
  • determining whether internal or customer devices were infected


If a hostname is present, the threat often carries High or Critical severity.




2. Password


Password availability

This field indicates whether a password associated with the identity was found in the leaked dataset.


Passwords may appear as:


  • plaintext (highest criticality)
  • hashed (still dangerous if reused)
  • partially redacted
  • empty / unavailable (email-only exposure)


Risk implications

If a password is present — especially in plaintext form — attackers can immediately attempt to:


  • log in to your platform
  • compromise enterprise accounts
  • reuse the password across other services
  • automate credential stuffing
  • escalate access


Passwords found in infostealer logs or recent breaches typically trigger Critical risk.


Password reuse

If the affected user reuses passwords across systems (common behavior), the exposure becomes significantly more dangerous.




3. Occurrences


What are Occurrences?

Occurrences represent how many times this identity was found across different leaked sources or datasets.


Each occurrence is shown as its own card in the Findings section.


For example:

  • 1 occurrence → single exposure
  • 5 occurrences → repeated or multi-source compromise


Interpreting Occurrences

Higher occurrence counts indicate:


  • Repeated compromise
  • Multiple infected devices
  • Multiple breach datasets
  • Password reuse across services
  • Sustained attacker access or interest
  • Cross-source correlation


Repeated appearances dramatically increase the threat severity because they suggest systemic or repeated credential exposure.




How Findings Are Used in Investigation


Security teams rely on Findings to determine:


  • whether the exposure came from malware or a breach
  • whether the device is still compromised
  • whether the password must be reset immediately
  • whether further investigation is needed
  • whether MFA should be enforced or verified
  • whether multiple employees/customers are affected by the same device or dump


Findings provide the concrete evidence behind the severity classification.




Example Use Cases


If Hostname is present

→ device compromise is confirmed

→ user should be notified immediately

→ password reset + malware cleaning recommended


If Password is present

→ immediate password reset required

→ consider forced logout or session invalidation


If Occurrences > 1

→ check for repeated exposures

→ assess for password reuse

→ investigate cross-source compromise

→ classify as High or Critical
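The decision rules above can be applied mechanically when many Findings cards arrive at once. The following Python sketch is an added example, not Selki's own scoring code: it triages the cards of one identity into a severity plus recommended actions and flags hostnames that appear on cards of more than one identity. The field names on Finding and the exact severity thresholds are assumptions; the sample cards are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One Findings card; field names and the thresholds below are assumptions."""
    identity: str       # e-mail or username that was exposed
    hostname: str       # infected device name, "" when not taken by an infostealer
    password_form: str  # "plaintext", "hashed", "redacted" or "none"
    source: str         # "infostealer", "breach", "paste" or "aggregate"

def triage(cards: list) -> dict:
    occurrences = len(cards)                      # one card per leaked source
    has_hostname = any(c.hostname for c in cards)
    forms = {c.password_form for c in cards}
    has_password = bool(forms - {"none"})
    # A plaintext password lifted by an infostealer is the most exploitable case
    stealer_plaintext = any(c.password_form == "plaintext" and c.source == "infostealer"
                            for c in cards)
    if stealer_plaintext or (has_hostname and has_password):
        severity = "Critical"
    elif has_hostname or occurrences > 1 or "plaintext" in forms:
        severity = "High"
    elif has_password:
        severity = "Medium"  # hashed/redacted password from a breach or paste only
    else:
        severity = "Low"     # e-mail-only exposure
    actions = []
    if has_password:
        actions += ["reset password", "invalidate sessions"]
    if has_hostname:
        actions += ["notify user", "clean malware on device"]
    if occurrences > 1:
        actions += ["check password reuse", "investigate cross-source compromise"]
    return {"severity": severity, "occurrences": occurrences, "actions": actions}

def shared_devices(cards: list) -> dict:
    """Hostnames seen on cards of more than one identity: one infected machine."""
    by_host = defaultdict(set)
    for c in cards:
        if c.hostname:
            by_host[c.hostname].add(c.identity)
    return {host: ids for host, ids in by_host.items() if len(ids) > 1}

# Constructed sample cards (placeholder identities and hostname, not real data)
SAMPLE = [
    Finding("alice@example.com", "DESKTOP-7F3K2", "plaintext", "infostealer"),
    Finding("alice@example.com", "", "hashed", "breach"),
    Finding("bob@example.com", "DESKTOP-7F3K2", "plaintext", "infostealer"),
]
```

Group cards by identity before calling triage, since occurrences is a per-identity count.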




Summary


The Findings section contains the most critical evidence related to each identity exposure.

Hostname confirms malware infection, password availability defines immediate exploitability, and occurrences indicate whether the user is repeatedly or broadly compromised.


Together, these fields allow Selki to provide accurate severity scoring and help analysts prioritize remediation efficiently.






Updated on: 01/12/2025
