LCM - Leaked Credential Management

View and manage leaked credential data including breaches, leaks, and stealers (infostealers).

Commands

• lcm kpis - View LCM dashboard KPIs
• lcm breaches - List breach records
• lcm leaks - List leak records
• lcm stealers - List infostealer records
• lcm categories - View category breakdown
• lcm breaches-overview - View breaches aggregation
• lcm years - List available years

---

lcm kpis

Display LCM dashboard KPIs with total record counts by type.

mysecutec lcm kpis

API

Makes three POST /tam/v1/threats/aggregate calls — the same requests used by lcm breaches, lcm leaks, and lcm stealers (see those sections for the exact body) — each with limit=1, then reads the pagination.total from each response to get the breach / leak / stealer record counts. The only difference between the three is the data.enriched.breach.category values list:

• Breaches: ["exfiltrated", "exposed"]
• Leaks: ["combolist", "phished", "scraped", "unknown"]
• Stealers: ["infostealer"]

Response Example

LCM KPIs
────────────────────
Total Records: 250
Breaches:      120
Leaks:          80
Stealers:       50

---

lcm breaches

List breach records (exfiltrated and exposed credentials).

mysecutec lcm breaches [flags]

Flags

Flag	Type	Default	Description
--limit	int	20	Maximum number of results
--offset	int	0	Number of results to skip

API

POST /tam/v1/threats/aggregate

Records are grouped by breach source_id; the breach name, category, consumer_category, and breach_main_category come back as selected fields. limit/offset are sent as query parameters, not in the request body.

{
  "group_by": [
    { "path": "data.enriched.breach.source_id", "alias": "source_id" }
  ],
  "select": [
    { "path": "data.enriched.breach.name", "alias": "name" },
    { "path": "data.enriched.breach.consumer_category", "alias": "consumer_category" },
    { "path": "data.enriched.breach.category", "alias": "category" },
    { "path": "data.enriched.breach.breach_main_category", "alias": "breach_main_category" }
  ],
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["exfiltrated", "exposed"] }
    ]
  }
}

Response

{
  "pagination": { "limit": 20, "offset": 0, "total": 15 },
  "results": [
    { "source_id": "breach-123", "name": "Example Breach 2024", "category": "exfiltrated", "consumer_category": "...", "breach_main_category": "..." },
    { "source_id": "breach-456", "name": "Data Leak Corp", "category": "exposed", "consumer_category": "...", "breach_main_category": "..." }
  ]
}

---

lcm leaks

List leak records (combolist, phished, scraped, unknown).

mysecutec lcm leaks [flags]

Flags

Flag	Type	Default	Description
--limit	int	20	Maximum number of results
--offset	int	0	Number of results to skip

API

Same as lcm breaches but with different category filter:

{
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["combolist", "phished", "scraped", "unknown"] }
    ]
  }
}

---

lcm stealers

List infostealer records.

mysecutec lcm stealers [flags]

Flags

Flag	Type	Default	Description
--limit	int	20	Maximum number of results
--offset	int	0	Number of results to skip

API

Same as lcm breaches but with infostealer category filter:

{
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "data.enriched.breach.category", "values": ["infostealer"] }
    ]
  }
}

---

lcm categories

View credential category breakdown, optionally filtered by year.

mysecutec lcm categories [--year <year>]

Flags

Flag	Type	Required	Description
--year	int	No	Filter by year

API

POST /tam/v1/threats/aggregate

When --year is given, a first_seen_at.year JSONB filter is added.

{
  "group_by": [
    { "path": "data.enriched.breach.category", "alias": "category" }
  ],
  "select": [],
  "filters": {
    "license_module": ["lcm"],
    "jsonb_filters": [
      { "path": "first_seen_at.year", "values": ["2025"] }
    ]
  }
}

Response

{
  "results": [
    { "category": "exfiltrated", "count": 85 },
    { "category": "exposed", "count": 35 },
    { "category": "combolist", "count": 50 },
    { "category": "phished", "count": 20 },
    { "category": "infostealer", "count": 50 },
    { "category": "scraped", "count": 5 },
    { "category": "unknown", "count": 5 }
  ]
}

---

lcm breaches-overview

View breaches aggregated by source.

mysecutec lcm breaches-overview [flags]

Flags

Flag	Type	Default	Description
--limit	int	20	Maximum number of results
--offset	int	0	Number of results to skip

API

POST /tam/v1/threats/aggregate

Uses the same request as lcm breaches (grouped by breach source_id, filtered to the exfiltrated/exposed categories). In practice breaches and breaches-overview issue an identical aggregation.

---

lcm years

List years that have LCM data.

mysecutec lcm years

API

POST /tam/v1/threats/aggregate

{
  "group_by": [
    { "path": "first_seen_at.year", "alias": "year" }
  ],
  "select": [],
  "filters": {
    "license_module": ["lcm"]
  }
}

Response

{
  "results": [
    { "year": 2023, "count": 40 },
    { "year": 2024, "count": 85 },
    { "year": 2025, "count": 125 }
  ]
}

---

LCM Source Data Model

When viewing individual LCM threats (via mysecutec threats get), the data field contains:

Model: LCMSourceData

Field	Type	Description
raw	map	Raw SpyCloud data
enriched	LCMEnriched	Enriched credential data

Model: LCMEnriched

Field	Type	Description
credential_category	string	Category of credential
password_category	string	Password type
breach	LCMBreach	Breach information
user	LCMUser	User information
domain	string	Domain

Model: LCMBreach

Field	Type	Description
source_id	string | int	Breach source identifier
name	string	Breach name
category	string	Breach category (e.g. exfiltrated, exposed, infostealer)
consumer_category	string	Consumer category
breach_main_category	string	Main category

Model: LCMUser

Field	Type	Description
email	string	Email address
username	string	Username
full_name	string	Full name