Last month I submitted a P1 that started with a single leaked password. No fancy exploits. No zero-days. Just one credential from a stealer log that the target company had no idea existed.
Here's exactly how it went down.
Step 1: The Search
I had a new target on a private program. Before running any scans, I searched their domain on LeakRadar.
1,847 results.
Most were customer accounts — expected for a SaaS company. But LeakRadar segments results automatically: employees, customers, third parties. I filtered to employees only.
23 corporate emails with plain-text passwords.
Step 2: Spotting the Interesting One
I scrolled through the LeakRadar results looking at the URLs where these credentials were captured. Most pointed to the main app login. Standard.
But one caught my eye: internal-tools.target.com/admin
An admin panel. On a subdomain I hadn't seen in any recon tool. The credential was from a stealer log dated three weeks ago — fresh.
Step 3: Testing the Credential
I navigated to the subdomain. Login page. No MFA prompt.
I entered the leaked email and password from LeakRadar.
Dashboard loaded.
Full admin access to their internal tooling. User management, feature flags, billing overrides, customer data exports. Everything.
Step 4: Documenting for the Report
I took screenshots of every panel I could access without touching customer data. LeakRadar gave me the exact timestamp and source of the leak, which I included in the report to show how an attacker would find this.
Timeline in my report:
- 00:00 — Searched domain on LeakRadar
- 00:02 — Found admin credential in stealer log
- 00:05 — Confirmed access to internal admin panel
- 00:15 — Report submitted
Total time: 15 minutes.
Step 5: The Payout
Triaged within 2 hours. P1 confirmed. Four-figure bounty.
The company had no idea this subdomain was exposed, no idea the employee's password had leaked, and no idea the same password worked on their admin panel.
Why This Worked
Three factors made this possible:
- Stealer logs capture real sessions. This wasn't from an old breach. The employee's machine was infected recently, and their credentials were harvested while they logged into the admin panel.
- No MFA on internal tools. The main app had MFA. The admin panel didn't. Attackers know to look for this gap.
- Password reuse. Even if the admin panel had a different password policy, employees often reuse credentials across internal systems.
LeakRadar showed me all three problems in one search result.
The Takeaway for Bug Bounty Hunters
Before you run a single scan, search your target's domain for leaked credentials. LeakRadar indexes stealer logs daily — the same data attackers buy on Telegram channels.
Filter to employees. Look at the URLs. Find the internal tools, staging environments, and admin panels that nobody remembers exist.
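The defender-side counterpart of this workflow, as an added example that is not the post's or LeakRadar's own code: a security team triaging a leaked-credential feed for its own domain, segmenting employee, third-party and customer records, flagging captures on internal-looking or un-inventoried hosts, and ranking by freshness. The record format, the hint list and the sample feed are constructed assumptions; no secrets are included.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample feed (no passwords): mailbox, URL the credential was captured on, capture date.
SAMPLE_RECORDS = [
    {"email": "alice@target.example", "url": "https://app.target.example/login", "captured_at": "2024-05-01"},
    {"email": "bob@target.example", "url": "https://internal-tools.target.example/admin", "captured_at": "2024-05-20"},
    {"email": "carol@mail.example", "url": "https://app.target.example/login", "captured_at": "2024-05-18"},
    {"email": "dave@target.example", "url": "https://staging.target.example/", "captured_at": "2023-01-10"},
    {"email": "eve@vendor.example", "url": "https://internal-tools.target.example/admin", "captured_at": "2024-05-25"},
]

# Host/path fragments the post associates with internal tooling (assumed list; extend per environment).
INTERNAL_HINTS = ("admin", "internal", "staging")


def is_employee(email: str, org_domain: str) -> bool:
    """True if the mailbox is on the organisation's own domain."""
    return email.lower().rsplit("@", 1)[-1] == org_domain


def inspect_url(url: str, org_domain: str, known_hosts: set) -> tuple:
    """Return (internal_looking, unknown_host): is the capture URL an org host that looks
    like internal tooling, and is that host missing from the asset inventory?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_org = host == org_domain or host.endswith("." + org_domain)
    hinted = any(h in host or h in parts.path.lower() for h in INTERNAL_HINTS)
    return on_org and hinted, on_org and host not in known_hosts


def triage(records, org_domain, known_hosts, today, max_age_days=30):
    """Rank records for remediation: employee credentials captured on internal-looking hosts
    within the freshness window first, then other employee/third-party exposures, customers last."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for rec in records:
        internal, unknown = inspect_url(rec["url"], org_domain, known_hosts)
        employee = is_employee(rec["email"], org_domain)
        who = "employee" if employee else ("third_party" if internal else "customer")
        age = (today - date.fromisoformat(rec["captured_at"])).days
        fresh = age <= max_age_days
        if who == "employee":
            severity = "critical" if internal and fresh else ("high" if internal or fresh else "medium")
        elif who == "third_party":
            severity = "high" if fresh else "medium"
        else:
            severity = "low"
        findings.append({"email": rec["email"], "host": urlsplit(rec["url"]).hostname, "who": who,
                         "internal": internal, "unknown_host": unknown, "age_days": age, "severity": severity})
    return sorted(findings, key=lambda f: (order[f["severity"]], f["age_days"]))


def demo_findings():
    """Run the triage over the constructed feed with an assumed inventory and reference date."""
    return triage(SAMPLE_RECORDS, "target.example", {"app.target.example"}, date(2024, 5, 28))
```

Hosts flagged `unknown_host` are the ones the post describes as forgotten subdomains; they belong in the asset inventory and in the MFA rollout before the password reset is even finished.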
One password can be enough.
Check your next target: leakradar.io