LCM - Leaked Credential Management

View and manage leaked credential data including breaches, leaks, and stealers (infostealers).

Commands


lcm kpis

Display LCM dashboard KPIs with total record counts by type.

mysecutec lcm kpis

API

Makes three POST /tam/v1/threats/aggregate calls with different category filters:

Breaches (exfiltrated + exposed):

{
  "group_by": [{ "path": "severity", "alias": "severity" }],
  "select": [{ "path": "id", "alias": "count" }],
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["exfiltrated", "exposed"] }
    ]
  }
}

Leaks (combolist + phished + scraped + unknown):

{
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["combolist", "phished", "scraped", "unknown"] }
    ]
  }
}

Stealers (infostealer):

{
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["infostealer"] }
    ]
  }
}

Response Example

LCM KPIs
────────────────────
Total Records: 250
Breaches:      120
Leaks:          80
Stealers:       50

lcm breaches

List breach records (exfiltrated and exposed credentials).

mysecutec lcm breaches [flags]

Flags

Flag      Type  Default  Description
--limit   int   20       Maximum number of results
--offset  int   0        Number of results to skip

API

POST /tam/v1/threats/aggregate
{
  "group_by": [
    { "path": "data.enriched.breach.source_id", "alias": "source_id" },
    { "path": "data.enriched.breach.name", "alias": "name" },
    { "path": "data.enriched.breach.category", "alias": "category" }
  ],
  "select": [{ "path": "id", "alias": "count" }],
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["exfiltrated", "exposed"] }
    ]
  },
  "limit": 20,
  "offset": 0
}

Response

{
  "pagination": { "limit": 20, "offset": 0, "total": 15 },
  "results": [
    { "source_id": "breach-123", "name": "Example Breach 2024", "category": "exfiltrated", "count": 45 },
    { "source_id": "breach-456", "name": "Data Leak Corp", "category": "exposed", "count": 12 }
  ]
}
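
The default limit of 20 means a single call returns only the first page of sources. The sketch below is an added example, not part of mysecutec: it walks limit/offset using the pagination object shown above. The `post` callable, `iter_results` and `fake_backend` are hypothetical names, and HTTP transport and authentication are left out.

```python
import copy

# Request body from the `lcm breaches` API section of this page.
BREACHES_QUERY = {
    "group_by": [
        {"path": "data.enriched.breach.source_id", "alias": "source_id"},
        {"path": "data.enriched.breach.name", "alias": "name"},
        {"path": "data.enriched.breach.category", "alias": "category"},
    ],
    "select": [{"path": "id", "alias": "count"}],
    "filters": {
        "license_module": ["lcm"],
        "jsonb_filters": [
            {"path": "data.enriched.breach.category", "values": ["exfiltrated", "exposed"]}
        ],
    },
    "limit": 20,
    "offset": 0,
}


def iter_results(post, query, page_size=20, max_pages=1000):
    """Yield every row of an aggregate query by advancing `offset`.

    `post` takes the request body and returns the decoded JSON response.
    """
    offset = 0
    for _ in range(max_pages):
        body = copy.deepcopy(query)  # never mutate the caller's template
        body["limit"], body["offset"] = page_size, offset
        page = post(body)
        rows = page.get("results", [])
        yield from rows
        offset += len(rows)
        total = page.get("pagination", {}).get("total", 0)
        # Stop on the last page, or on an empty page so a wrong total cannot loop forever.
        if not rows or offset >= total:
            return
    raise RuntimeError("max_pages reached before the listing ended")


def fake_backend(rows):
    """Constructed stand-in for POST /tam/v1/threats/aggregate (offline)."""
    def post(body):
        lo, hi = body["offset"], body["offset"] + body["limit"]
        return {"pagination": {"limit": body["limit"], "offset": lo, "total": len(rows)},
                "results": rows[lo:hi]}
    return post


# Constructed sample: 45 breach sources, so three pages at the default limit.
SAMPLE = [{"source_id": f"breach-{i}", "name": f"Constructed {i}",
           "category": "exposed", "count": i} for i in range(1, 46)]
```
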

lcm leaks

List leak records (combolist, phished, scraped, unknown).

mysecutec lcm leaks [flags]

Flags

Flag      Type  Default  Description
--limit   int   20       Maximum number of results
--offset  int   0        Number of results to skip

API

Same request as lcm breaches, but with a different category filter:

{
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["combolist", "phished", "scraped", "unknown"] }
    ]
  }
}

lcm stealers

List infostealer records.

mysecutec lcm stealers [flags]

Flags

Flag      Type  Default  Description
--limit   int   20       Maximum number of results
--offset  int   0        Number of results to skip

API

Same request as lcm breaches, but with the infostealer category filter:

{
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["infostealer"] }
    ]
  }
}

lcm categories

View credential category breakdown, optionally filtered by year.

mysecutec lcm categories [--year <year>]

Flags

Flag    Type  Required  Description
--year  int   No        Filter by year

API

POST /tam/v1/threats/aggregate
{
  "group_by": [
    { "path": "data.enriched.breach.category", "alias": "category" }
  ],
  "select": [{ "path": "id", "alias": "count" }],
  "filters": {
    "license_module": ["lcm"]
  }
}

Response

{
  "results": [
    { "category": "exfiltrated", "count": 85 },
    { "category": "exposed", "count": 35 },
    { "category": "combolist", "count": 50 },
    { "category": "phished", "count": 20 },
    { "category": "infostealer", "count": 50 },
    { "category": "scraped", "count": 5 },
    { "category": "unknown", "count": 5 }
  ]
}
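
The per-category counts above fold into the three buckets that lcm kpis filters on. The following added example (not mysecutec's own code) does that rollup and reports any category value that none of the documented filters match. `rollup`, `KPI_BUCKETS` and the "pasted" category are hypothetical names, and the second input is constructed.

```python
# Bucket membership copied from the category filters documented for `lcm kpis`.
KPI_BUCKETS = {
    "breaches": {"exfiltrated", "exposed"},
    "leaks": {"combolist", "phished", "scraped", "unknown"},
    "stealers": {"infostealer"},
}


def rollup(categories_response):
    """Fold an `lcm categories` response into the three KPI buckets.

    Returns (kpis, unmapped). `unmapped` collects counts for category values
    that none of the documented filters match, so calls that filter only on
    the listed values would not count them.
    """
    kpis = {bucket: 0 for bucket in KPI_BUCKETS}
    unmapped = {}
    for row in categories_response.get("results", []):
        category, count = row.get("category"), int(row.get("count", 0))
        bucket = next((b for b, members in KPI_BUCKETS.items() if category in members), None)
        if bucket is None:
            unmapped[category] = unmapped.get(category, 0) + count
        else:
            kpis[bucket] += count
    kpis["total"] = sum(kpis.values())  # sum of the three buckets only
    return kpis, unmapped


# Response body shown in the `lcm categories` section of this page.
PAGE_RESPONSE = {"results": [
    {"category": "exfiltrated", "count": 85},
    {"category": "exposed", "count": 35},
    {"category": "combolist", "count": 50},
    {"category": "phished", "count": 20},
    {"category": "infostealer", "count": 50},
    {"category": "scraped", "count": 5},
    {"category": "unknown", "count": 5},
]}

# Constructed variant: "pasted" is a made-up category and one row has no category.
DRIFTED_RESPONSE = {"results": PAGE_RESPONSE["results"] + [
    {"category": "pasted", "count": 7},
    {"category": None, "count": 3},
]}

if __name__ == "__main__":
    print(rollup(PAGE_RESPONSE))
    print(rollup(DRIFTED_RESPONSE))
```

With the page's sample response the rollup reproduces the figures in the lcm kpis response example. A non-empty `unmapped` result means records exist that the bucketed views do not show.
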

lcm breaches-overview

View breaches aggregated by source.

mysecutec lcm breaches-overview [flags]

Flags

Flag      Type  Default  Description
--limit   int   20       Maximum number of results
--offset  int   0        Number of results to skip

API

POST /tam/v1/threats/aggregate

Groups by breach source ID, name, and category.


lcm years

List years that have LCM data.

mysecutec lcm years

API

POST /tam/v1/threats/aggregate
{
  "group_by": [
    { "path": "first_seen_at.year", "alias": "year" }
  ],
  "select": [{ "path": "id", "alias": "count" }],
  "filters": {
    "license_module": ["lcm"]
  }
}

Response

{
  "results": [
    { "year": 2023, "count": 40 },
    { "year": 2024, "count": 85 },
    { "year": 2025, "count": 125 }
  ]
}

LCM Source Data Model

When viewing individual LCM threats (via mysecutec threats get), the data field contains:

Model: LCMSourceData

Field     Type         Description
raw       map          Raw SpyCloud data
enriched  LCMEnriched  Enriched credential data

Model: LCMEnriched

Field                Type       Description
credential_category  string     Category of credential
password_category    string     Password type
breach               LCMBreach  Breach information
user                 LCMUser    User information
domain               string     Domain

Model: LCMBreach

Field       Type      Description
source_id   string    Breach source identifier
name        string    Breach name
categories  []string  Breach categories

Model: LCMUser

Field      Type    Description
email      string  Email address
username   string  Username
full_name  string  Full name