Are you using “Have I been Pwned” to monitor for your employees ending up in a data breach? No? You should be, and here’s how.
Before we start, this isn't monitoring your employees in the traditional sense, so that security and/or HR can go and beat them up. It allows us, as an organisation, to keep our staff safe online by introducing them to the security team when a breach happens, holding their hand where needed to fix the situation, and offering some really practical help and advice on how to manage passwords in the future. This is an education piece more than anything.
A quick background on Have I Been Pwned: built by Troy Hunt, it allows you to search across multiple data breaches to see whether your email address has been compromised.
At an enterprise level we can monitor for emails at a domain level, e.g. xyzcompany.com, once we have verified that we own the domain. This can be done using a number of methods through the site's "Domain Search" facility, and we can subscribe to notifications. At the time of writing, verification is by selecting from a handful of email address options such as [email protected], [email protected], [email protected] and [email protected]. If that doesn't work for you, you can use a meta tag, upload a file named "have-i-been-pwned-verification.txt" containing a random string, or, my personal favourite, create a DNS TXT record. The file, meta tag and DNS entry can all be removed immediately after successful verification.
After we have verified our ownership of a domain, we can download a list of all email addresses in our domain that have been involved in previous breaches, together with the name of the breach each was involved in, e.g. Adobe, LinkedIn or, more recently, Collection #1.
If you selected the subscribe option, you will now get email notifications of any future breaches in which email addresses in your domain are found. It will not tell you the associated password; don't even try asking Troy for them, he stands by his decision not to share passwords. A very sensible decision, I must say.
Okay, now you know who's been breached. Now what? In short, you go and be a good neighbour! You look after your staff!
If you are emailing your users, email them all individually; don't send a mass email just because it's easier for you. Give your staff the personal touch, they deserve it. A mass email just looks like "here's a list of all the bad or dumb users in our organisation", and it's embarrassing to be shamed amongst your peers. You wouldn't want that done to you, so don't do it to others. Also, explain that you are letting them know because it would be a good idea to change the password for that service and for any other services that use the same password. Take the time to explain what happens with password reuse and the risks involved. Now seal the deal with an explanation of the use of a password manager such as 1Password and enabling 2FA. Give the user yet another olive branch by saying "if you want some help setting one up and seeing how to use it, let me know and we can set some time up and I will gladly take the time to show you."
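To make the "one personal email per person, never a mass mailing" step concrete, here is an added example (my own code, not from the original post or from Have I Been Pwned) that takes the domain-search download, groups the breaches per address, and builds one EmailMessage per affected person with the password-reuse, password-manager and 2FA advice above. The export is assumed to be a CSV with "Email,Breach" columns; that layout, the sample rows and the security@xyzcompany.com sender are constructed for the example, so adapt parse_export() to whatever your real download looks like.

```python
import csv
import io
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample export: one "Email,Breach" row per hit. This column
# layout is an assumption for the example, not the real Have I Been Pwned
# download format; adapt parse_export() to the file you actually get.
SAMPLE_EXPORT = """Email,Breach
Alice@xyzcompany.com,Adobe
alice@xyzcompany.com,LinkedIn
bob@xyzcompany.com,Collection #1
alice@xyzcompany.com,Adobe
"""

# Hypothetical sender address used in the message text.
SECURITY_FROM = "security@xyzcompany.com"


def parse_export(text):
    """Group the export by person: {email: sorted unique breach names}.

    Addresses are normalised to lower case and duplicate rows collapsed, so
    one person with several hits gets one message listing each breach once.
    """
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        email = (row.get("Email") or "").strip().lower()
        breach = (row.get("Breach") or "").strip()
        if email and breach:
            hits[email].add(breach)
    return {email: sorted(breaches) for email, breaches in sorted(hits.items())}


def notification_for(email, breaches):
    """Build one personal message for one person: no mass mailing, no BCC list."""
    name = email.split("@", 1)[0]
    breach_list = "\n".join(f"  - {b}" for b in breaches)
    msg = EmailMessage()
    msg["From"] = SECURITY_FROM
    msg["To"] = email  # exactly one recipient per message
    msg["Subject"] = "Your email address appeared in a data breach"
    msg.set_content(
        f"Hi {name},\n\n"
        "We monitor Have I Been Pwned for our domain, and your address showed up "
        "in the following breach(es):\n"
        f"{breach_list}\n\n"
        "Please change the password you used for that service, and for any "
        "other service where you reused the same password: attackers try "
        "leaked passwords against other sites, which is why reuse is the real "
        "risk here.\n\n"
        "Going forward, a password manager such as 1Password will generate and "
        "remember a unique password for each site, and enabling 2FA stops a "
        "leaked password from being enough on its own.\n\n"
        "If you want some help setting one up and seeing how to use it, let me "
        "know and we can set some time up; I will gladly show you.\n\n"
        f"Security team ({SECURITY_FROM})\n"
    )
    return msg


def build_notifications(export_text):
    """One EmailMessage per affected person, ready to hand to your mail relay."""
    return [notification_for(e, b) for e, b in parse_export(export_text).items()]


if __name__ == "__main__":
    for m in build_notifications(SAMPLE_EXPORT):
        print(m["To"], "->", m["Subject"])
```

Sending is deliberately left to whatever relay you already use (smtplib or your ticketing system); the point of the example is that the list is collapsed per person before any message is built, so nobody ever sees anyone else's address.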