SHAPE is now part of F5,  Learn More
See why we are better together
Virtual Summit 2020 | App Security and Fraud Summit  Learn More
Watch On-demandSee why we are better together



Blackfish, or orcas, have remained one of nature's apex predators by hunting in packs. Join the Blackfish network as we track down and eliminate stolen credentials.

Problem: Your users recycle passwords
Solution: Blackfish

The average person uses the same password across four different accounts. So even if your organization hasn’t been breached, chances are many of your users’ credentials have been spilled elsewhere.

Now, instead of waiting for attackers to try those breached credentials on your login applications, you can proactively safeguard your users at risk of account takeover. Blackfish alerts your company in real-time if and when criminals actively use your customers’ or employees’ credentials elsewhere on the web.

Credentials Spilled on The Dark Web Are Stale

Why are credentials on dark web marketplaces sold for mere pennies? Because criminals have already made plenty of money off of them. Criminals weaponize credentials first, and sell them last.

When criminals first steal brand new usernames and passwords, they use the credentials against the largest web and mobile apps in the world. It usually takes 6-12 months, or longer, for stolen credentials to end up on the dark web.

Blackfish Learns When Stolen Credentials Are First Used

When a criminal commits a credential stuffing attack on any Shape customer, Blackfish captures the usernames and passwords that are being used and marks them as compromised. Blackfish then immediately alerts any customers for which those credentials are valid.

Shape sees over 30M credential stuffing attacks per day and protects over 100M real human logins per day. In other words, Blackfish knows which credentials have been stolen even before criminals begin trading them on the dark web.

A Collective Defense Against Criminal Networks

An entire criminal ecosystem has emerged to enable information sharing and allow attackers to operate at scale. Now the security and fraud industry can fight back.

The world’s highest-value organizations, i.e., the world’s most-targeted organizations, are already part of the Shape network, so Blackfish has the power to identify criminals' very first attempts to weaponize credentials. The more organizations that use Blackfish, the sooner we can all cure the account takeover epidemic.

Blackfish Doesn’t Store Passwords

The security of the Blackfish system itself was the most important design consideration. Shape’s patented design uses a Bloom filter, enabling Blackfish to perform lookups of your user’s credentials without maintaining a database of compromised passwords.

Try Blackfish for Free

Eligible organizations are invited to try Blackfish and experience the power of a collective defense.

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Policy.

Blackfish in the News

Shape’s Blackfish could stop password thieves cold
November 8, 2017 / Seth Rosenblatt, The Parallax

“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” Sarah Squire says, “instead of buying them.”

Credential-stuffing defence tech aims to defuse password leaks
November 8, 2017 / John Leyden, The Register

“Credential stuffing only works because many users still use the same login details on multiple sites. This is a serious security risk that's only getting worse as the volume of data breaches rises.”

Shape Security introduces tool to blunt impact of stolen password caches
November 7, 2017 / Ron Miller, TechCrunch

“Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.”

This 'pre-crime' AI bot network detects a hack before it's discovered
November 7, 2017 / Yahoo Finance

“Shape Security today launched Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”

Bloomberg Markets: Ghosemajumder on Protecting Apps
November 7, 2017 / Carol Massar and Cory Johnson, Bloomberg Podcast

“GUEST: Shuman Ghosemajumder Chief Technology Officer Shape Security Discussing the launch of Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”