There is a video training nugget in the Trillion portal which explains this topic. Please check it out.
When you first sign into Trillion the data it initially returns via a time stamped alert is everything it thinks it already “knows” about data for your domains (historical and new).
Subsequent alerts about new data that Trillion locates after the initial alert date (and which it has never seen before) will be delivered in new time stamped alerts as Trillion has never reported on it before, therefore it will send you a NEW alerts about NEWLY LOCATED data.
It is quite possible and even likely that new alerts generated by Trillion could contain data which might have been leaked back months or years before the initial alert as quite often data does not find its way onto the dark markets for long periods after it has initially been stolen.
Because you definitely should. Our data shows us that users use the same passwords for years and years, or just use the same theme over and over (eg June 2018, June 2019 etc). Just because data may have leaked 10 years ago doesn’t mean it’s any less useful to an attacker than data that was released 10 minutes ago.
There could be a couple of reasons for this.
The first is that the Incidents feature is only available on specific subscription levels. If you’re not sure, please contact us and we can check which subscription you have.
The second is that it needs to be enabled within your console before you can use it. The default is disabled. To enable incidents you need to log in to your account and navigate to the admin setting and switch password feedback to ON. This will now add additional data questions to your end users when they are reviewing their passwords and cause an incident to be raised, depending on how they answer.
One of the ways Trillion tries to confirm if your accounts exist is through SMTP queries against you email server, but before it does that it sends a made up request. If your mail server responds that the made account exists then we know its telling porkies and isn’t going to give a reliable answer because its just going to agree to everything.
If this is the case and you want more reliable flagging of live accounts you should switch to our Active Directory Agent.
That’s fair enough, but our agent is designed to behave very securely and has been independently security tested. We’ll even share the source code with you if you have an enterprise account. Also if you prefer you can change the mode so the agent reads from a CSV file instead of Active Directory giving total peace of mind.
