Breach Monitor

The Breach Monitor checks whether email addresses on your domain have been exposed in known data breaches. It uses the Have I Been Pwned (HIBP) database — the world's largest collection of breached credentials — to identify compromised accounts associated with your domain.

Why It Matters

When employee email addresses appear in data breaches, attackers can use the leaked credentials to gain unauthorized access to your systems. Even if the breach happened on a third-party service, users who reuse passwords put your organization at risk. Breach Monitor gives you visibility into which accounts are exposed so you can take action before attackers do.

Accessing Breach Monitor

Navigate to Threat Intelligence → Breach Monitor in the sidebar. Make sure you have a domain selected — the feature scans email addresses on your currently selected domain.

Quick Email Search

Use the Quick Email Search to check a specific email address instantly. Enter any email address on your selected domain (e.g. [email protected]) and click Search. Results appear immediately showing all breaches that email was found in.

Each breach result includes:

• Breach name & source — The service that was breached (e.g. LinkedIn, Adobe, Dropbox)
• Breach date — When the breach occurred
• Data exposed — What types of data were leaked (passwords, emails, phone numbers, etc.)
• Accounts affected — Total number of accounts in the breach
• Verification status — Whether the breach has been verified as legitimate

Full Domain Scan

The Full Domain Scan automatically checks 20 common email prefixes on your domain, such as info@, admin@, support@, hr@, finance@, and more. You can also add custom email addresses before running the scan.

To run a domain scan:

• Click Run Domain Scan on the Breach Monitor dashboard
• Optionally, click + Add custom email addresses to include specific addresses (one per line)
• Confirm the scan — it runs in the background and takes 2–3 minutes
• The page auto-refreshes every 15 seconds while the scan is running

Understanding Results

After a scan completes, the dashboard shows summary statistics and a detailed results table.

Severity Levels

Each breach result is assigned a severity level based on the type of data that was exposed:

• Critical — Passwords, credit cards, bank account numbers, or social security numbers were leaked. Immediate action required.
• High — Phone numbers, physical addresses, IP addresses, or dates of birth were exposed. Users should be notified.
• Medium — Email addresses or usernames were exposed without sensitive data. Still worth monitoring.

Stats Cards

At the top of the dashboard, five cards summarize the scan results:

• Exposed Emails — How many unique email addresses on your domain were found in breaches
• Breaches Found — Total number of distinct breaches affecting your domain
• Critical / High / Medium — Breakdown of results by severity

Recommended Actions

When breaches are found, consider taking these steps:

• Force password resets for any email addresses found in breaches containing passwords
• Enable two-factor authentication (2FA) across your organization
• Check for credential reuse — if the breached password was used on other services, change it everywhere
• Notify affected users and educate them about phishing risks, since breached data is often used in targeted attacks
• Run regular scans to catch new breaches as they are discovered

Scan History

The bottom of the dashboard shows a history of all scans run on your domain, including the date, status (completed, running, or failed), number of exposed emails, and who initiated the scan. This gives your team an audit trail of breach monitoring activity.