Skip to main content

Dark Web Monitoring

Dark Web Monitoring checks your managed users' email addresses against the HaveIBeenPwned (HIBP) database to detect when credentials or sensitive data appear in known data breaches or paste sites.

note

Dark Web Monitoring is included in the User Protection package at $3/managed user/month.

How It Works

  1. You add email addresses to monitor (manually, via M365 sync, or CSV import)
  2. The HIBP scanner runs automatically every 12 hours against the HIBP API v3
  3. New breach findings appear as New status in the Breach Findings table
  4. Your team acknowledges and resolves each finding

Adding Monitors

Navigate to SecOps → Dark Web Monitoring and click Add Monitor.

Monitor TypeDescription
Email (HIBP)Checks email against HIBP breach and paste databases
DomainMonitors for a domain appearing in breach data
KeywordMonitors for a specific keyword
ℹ️Only email-type monitors are automatically checked against HIBP every 12 hours. Domain and keyword monitors are tracked in the system but require manual check or additional integration.

On-Demand Scanning

Click Check HIBP on any individual email monitor to run an immediate scan outside the automated schedule.

Summary Metrics

The Dark Web Monitoring dashboard shows:

MetricDescription
Monitored EmailsActive email monitors
Total BreachesAll breach findings across all monitors
New BreachesFindings not yet acknowledged
Critical ExposuresNew findings rated Critical severity

Breach Findings

Each finding includes:

FieldDescription
EmailThe monitored email address found in the breach
Breach Name / Paste SourceThe breach or paste site where the email appeared
Data ExposedTypes of data in the breach (emails, passwords, phone numbers, etc.)
Password ExposedBoolean flag — highlighted in red if passwords are in the breach
SeverityCritical (password exposed) / High / Medium / Low / Info
Breach DateWhen the original breach occurred
StatusNew / Acknowledged / Resolved / False Positive

Breach Detail Panel

Click any finding to open the detail panel. For breach-type findings, it shows:

  • Breach title and domain
  • Account count (how many total accounts were in the breach)
  • Data class breakdown
  • Verified / Sensitive flags from HIBP

For paste-type findings, it shows:

  • Paste source (e.g., Pastebin)
  • Paste title and email count
  • Paste URL

Acknowledge / Resolve Workflow

ActionWhen to Use
AcknowledgeYou've seen the finding and are investigating — moves status from New to Acknowledged
Mark ResolvedRemediation complete (e.g., password reset, user notified) — moves to Resolved

Findings can also be marked False Positive if the match is incorrect.

Filtering Findings

Use the status filter buttons to view: New | Acknowledged | Resolved | All

The default view shows New findings — the items requiring immediate attention.

⚠️When a password-exposed breach is found, immediately notify the affected user and require a password reset. If the same password is used elsewhere, all accounts using that password are at risk.