A breach corpus is a collection of passwords or credentials known to have been exposed in prior incidents. Security teams use it to identify passwords that may still be accepted by systems even though attackers already know them.
Expanded Definition
A breach corpus is a curated set of previously exposed passwords or credentials used to test whether systems still accept secrets that attackers may already know. In the NHI domain, it is less about historical evidence and more about operational exposure: whether a leaked credential still grants access to a workload, pipeline, or service account.
This practice sits close to password screening, secret intelligence, and exposure remediation, but it is not the same as a generic password blacklist. A breach corpus is typically assembled from incident data, leak collections, and credential dumps, then checked against current authentication stores and secret inventories. Definitions vary across vendors on whether the corpus includes only passwords or also API keys, tokens, and certificates, but the security objective is consistent: stop reuse of known-compromised secrets. NIST frames this in terms of protecting authenticators and verifying credential quality, which makes the concept relevant to NIST SP 800-53 Rev 5 Security and Privacy Controls as a control activity rather than a one-time scan.
The most common misapplication is treating a breach corpus as a one-off password hygiene check, which occurs when teams scan only employee passwords and ignore service accounts, automation secrets, and machine credentials.
Examples and Use Cases
Implementing breach-corpus screening rigorously often introduces friction in authentication flows and secret rotation, requiring organisations to weigh faster access onboarding against the cost of repeated resets and remediation.
- At login, a directory service compares candidate passwords against a breach corpus and blocks any credential that matches a known exposed secret.
- A security team audits service account passwords against a breach corpus after reading The 52 NHI breaches Report, then forces rotation for any account that still uses a compromised value.
- Cloud operations uses the corpus to detect reused API keys and tokens after a leak, then cross-checks results with guidance in Ultimate Guide to NHIs — Why NHI Security Matters Now.
- Incident responders validate newly discovered credentials against historical breach sets before deciding whether the exposure is a contained event or an active compromise.
- Identity engineers combine corpus checks with password policy enforcement and rotation workflows, aligning them with NIST SP 800-53 Rev 5 Security and Privacy Controls.
In practice, the term is most valuable when applied to identities that never appear in a help desk queue, such as CI/CD credentials, batch jobs, and integration accounts.
Why It Matters in NHI Security
Breach corpora matter because exposed secrets rarely remain isolated to one account. Once a password or token has been seen in the wild, it can be replayed, brute-forced, or reused across adjacent systems. That risk is especially acute for NHI environments where the same secret may be embedded in scripts, orchestration tooling, or application configuration. NHIMG research on compromised non-human identities shows that two-thirds of enterprises have endured a successful cyberattack resulting from compromised NHIs, and a quarter have faced multiple attacks, underscoring how often secret exposure turns into real operational loss. The issue is not simply poor hygiene, but the persistence of trust in credentials that are already burned.
Teams often discover the value of breach-corpus screening only after a credential-based intrusion, failed automation jobs, or unexpected access from an account that should have been dormant. That is why breach corpora are a governance control as much as a detection aid, helping organizations identify where known-bad secrets still function before an attacker does. Findings in 52 NHI Breaches Analysis and the Anthropic report on AI-orchestrated cyber espionage reinforce that exposed credentials are often operationally exploitable within minutes, not days. The 2024 ESG Report: Managing Non-Human Identities highlights the scale of the problem.
Organisations typically encounter breach-corpus relevance only after a leaked secret is reused in an intrusion, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Known-compromised secrets map to improper secret management and reuse risk. |
| NIST SP 800-63 | Digital identity guidance informs how compromised authenticators should be replaced. | |
| NIST CSF 2.0 | PR.AA-1 | Identity and access assurance depends on rejecting known-compromised credentials. |
| NIST Zero Trust (SP 800-207) | IA-5 | Zero Trust requires credential hygiene and rapid invalidation of compromised secrets. |
| OWASP Agentic AI Top 10 | A2 | Agentic systems inherit risk when exposed credentials remain usable by tools or agents. |
Screen secrets against breach corpora and rotate any credential that matches a known exposure.