ITSecure Advisory - Responding to HaveIBeenPwned Alerts


HaveIBeenPwned offers a unique service that monitors whether an email address has appeared in a data breach and notifies the email account owner. These invaluable alerts allow us to get ahead of attackers looking to exploit the newly exposed information. Using a two-phase approach, investigate and then respond, we'll cover what it takes to act on these alerts. For questions and details about the HaveIBeenPwned service itself, please refer to their FAQ.


  • Review the details of the alert to determine the extent of the data breach and information that was exposed.
    • Determine whether any sensitive or Personally Identifiable Information (PII), such as a Social Security number, date of birth or home address, was exposed.
    • Some examples of past data breaches are Adobe, LinkedIn, Dropbox, and Ancestry.
  • Log into the related account(s), reset the password and review all recent activity. Additional considerations will depend largely on the type of account.
    • Email Accounts - Review messages in your Sent and Trash/Deleted folders to determine if someone was using your account. Review messages in your Inbox to determine if someone tried to use it to reset the password for other accounts. Check your security and profile settings to determine if access was granted to another application or device.
    • Bank Accounts - Review all transactions for potential wire fraud, changes to account settings or any additional financial information that could have been exposed (e.g. linked accounts).
    • Subscription Services - Depending on the service, review messages and activity such as contacting customer support, or changes to account details such as adding/removing features. 
    • Social Media - Review your privacy settings as well as anything recently posted. Review and verify your connections or friends list to ensure they are legitimate. 
  • If a compromised password was also used for other websites, identify and write down all those accounts on a list. You will need to create a new password for these websites in the next step. 
  • If PII was exposed, you may receive an official notification from the company offering identity theft protection. Otherwise, consider reaching out for an official response, pursue identity theft protection separately and review your credit report. 
    • The company may also provide additional information on the steps they are taking to recover from the breach. This can be helpful in determining if you want to keep your account open with them, or continue to use their services. 
  • Approach remediation with an attacker's mindset of, “How could I use this information for mischief, misery or personal gain?” This will help determine additional actions you should take to secure your account and data.
  • Secure affected account(s) by
    • Creating a new strong password and avoiding password reuse by using a password manager.
    • Enabling MFA or 2FA on all your accounts to thwart unauthorized access.
    • Following specific steps provided by the company or website (e.g. Securing a compromised Google Account).
    • Correcting any changed settings, revoking unauthorized devices, and unfriending strangers or unknown contacts.
    • Contacting the company's customer support for additional technical assistance in correcting or recovering your account.
  • Consider deleting stale data or accounts that are no longer used to minimize your risk.
  • Be proactive by adopting these security tips and best practices.
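The "write down every account that shares the exposed password" step above can be automated against a password-manager export. The script below is an added example, not part of this advisory: it loads a CSV export, lists every account that reuses the password the alert exposed, and also shows the SHA-1 prefix/suffix split that the HaveIBeenPwned Pwned Passwords range API uses, so a replacement password can be checked against known breaches without the password itself ever leaving the machine. The CSV column names are an assumption modelled on common export formats, the account rows and passwords are constructed sample data, and the network request is deliberately omitted so the script runs offline.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager export (column names are an assumption
# modelled on common export formats). "BreachedShop" stands in for the account the
# HaveIBeenPwned alert named.
SAMPLE_EXPORT = """name,url,username,password
BreachedShop,https://shop.example,alice@example.edu,Summer2019!
Bank,https://bank.example,alice@example.edu,Summer2019!
Social,https://social.example,alice@example.edu,Summer2019!
Streaming,https://stream.example,alice@example.edu,k9#Lp2v!qZ7mR4
"""


def load_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(rows):
    """Return {password: [account names]} for every password used on two or more accounts."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["password"]].append(row["name"])
    return {pw: names for pw, names in groups.items() if len(names) > 1}


def accounts_to_reset(rows, breached_account):
    """Accounts other than the breached one that must get a new password because
    they share the exposed password: the list the advisory asks you to write down."""
    by_name = {row["name"]: row["password"] for row in rows}
    exposed = by_name[breached_account]
    return sorted(name for name, pw in by_name.items()
                  if pw == exposed and name != breached_account)


def pwned_passwords_split(password):
    """Split the SHA-1 of a candidate password the way the Pwned Passwords range API
    expects (k-anonymity): only the 5-character prefix is sent, and the returned list
    of suffixes is searched locally, so the password never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffix_in_range_response(suffix, response_text):
    """Search a range response ('SUFFIX:COUNT' per line) for our suffix and return
    the breach count, or 0 if the password is not in the corpus."""
    for line in response_text.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("Reused passwords:", find_reused(rows))
    print("Accounts to reset:", accounts_to_reset(rows, "BreachedShop"))
    prefix, suffix = pwned_passwords_split("k9#Lp2v!qZ7mR4")
    print(f"Would request range/{prefix} and search the reply for suffix {suffix}")
```

Only the five-character hash prefix would be sent to the range API; the real request (an HTTPS GET of `range/<prefix>`) is left out here so the example stays offline, and `suffix_in_range_response` shows the local side of that check.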


Commonly Asked Questions

It is a widely acknowledged best practice to securely store passwords and other sensitive information using protections such as encryption. Unfortunately, weak security practices (e.g. poor coding or misconfigurations) at some organizations will result in sensitive data being improperly stored and lost during a compromise. In these cases, we are all victims of other people's poor choices and security practices.
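What "securely store" means in practice, as an added example that is not from the advisory: a site that keeps only a salted, slow hash of each password leaks nothing directly usable if its user table is stolen, whereas a site that stores plaintext hands over every password as-is. The in-memory user store and the sample credentials below are constructed, and the code uses PBKDF2-HMAC-SHA256 from Python's standard library.

```python
import hashlib
import hmac
import os

# Work factor: the iteration count OWASP currently recommends for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt per user means two users with
    the same password get different digests, so one cracked hash says nothing about the
    others and precomputed hash tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Constructed in-memory user table: username -> (salt, digest)."""

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.table = {}

    def register(self, username, password):
        self.table[username] = hash_password(password, iterations=self.iterations)

    def login(self, username, password):
        record = self.table.get(username)
        if record is None:
            # Do the same work for an unknown user so timing does not reveal which
            # usernames exist.
            hash_password(password, iterations=self.iterations)
            return False
        salt, digest = record
        return verify_password(password, salt, digest, iterations=self.iterations)


def stolen_table(store):
    """Simulate a breach of the store: everything in the table, exactly as stored.
    Nothing here is a password; only salts and digests."""
    return {user: (salt.hex(), digest.hex()) for user, (salt, digest) in store.table.items()}


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "Summer2019!")
    store.register("bob", "Summer2019!")  # same password, different digest
    print("alice logs in:", store.login("alice", "Summer2019!"))
    print("wrong password:", store.login("alice", "summer2019!"))
    print("what a breach would leak:", stolen_table(store))
```

The per-user salt and the high iteration count are the two properties that separate this from the "improperly stored" case the advisory describes: an attacker holding the stolen table still has to run the slow hash for every guess, for every user, separately.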

In most cases, a person’s email address is also their username. If your password was exposed, attackers can log into other websites where you reused that same password. This cascade of compromised accounts makes it difficult to pinpoint and track the root cause. Learn more about password reuse and credential stuffing attacks.

Compromised accounts are often sold on the cybercriminal underground network, commonly referred to as the “dark web”. For example, $20,000 could buy 617 million accounts, or the personal details of Facebook users for a mere $3 each.


Was this information useful? We're always adapting and changing, just like hackers. Please feel free to send us feedback. We'd love to hear from you and make Colgate more secure.