Skip to content

HIBP — Credential Breaches

What this is

Have I Been Pwned is the largest public index of data breaches. It aggregates dumps from 800+ known breaches (LinkedIn, Adobe, Dropbox, Collection #1-5, and many others) — hundreds of billions of compromised email and password records.

Why this matters

Credential leaks through third-party breaches are the cheapest way to attack your company. The typical scenario:

  1. An attacker grabs the 2021 LinkedIn dump.
  2. Searches it for your CTO's email.
  3. Pulls out the password sitting there.
  4. Tries it against your Slack, VPN, GSuite, AWS Console.

This is called credential stuffing, and it remains the most common cause of organizational compromise in 2024-26.

BCP Portal monitors your corporate emails against the HIBP database and alerts you the moment a new breach appears containing them — long before attackers exploit it.

What we check

  • Email addresses — whether a specific address appeared in any known breach.
  • Domains — all breaches linked to your corporate domain at once.
  • Breach date and what data was leaked — passwords, phone numbers, addresses, dates of birth.

Severity

Severity Criteria
Critical Breach contains passwords, verified, occurred less than a year ago
High Breach contains passwords or phone numbers
Medium Breach has email + name / address / DOB
Low Email only, no additional attributes

What you see in the dashboard

An HIBP finding shows:

  • Which email was compromised.
  • The breach name (e.g., LinkedIn 2021).
  • Breach date and HIBP publication date.
  • Which data types were leaked.
  • Severity and recommended action (e.g., force a password reset for this user across all systems).

How to connect

  1. In the platform: Settings → Detection Sources → HIBP.
  2. Click Connect.
  3. If you already have an HIBP API key — paste it. If not — the button links to the HIBP registration form.
  4. Done — the first scan starts automatically.

About the API key

HIBP requires a paid API key (~$3.95/month) to look up emails. This is HIBP's pricing, not ours. The key is stored encrypted — even our support team can't see it in plaintext.

Scan schedule

Recommended frequency — daily. HIBP updates every few days, so more frequent scans only consume your API quota without added value.

FAQ

Is it safe to send client emails to HIBP? Yes. HIBP doesn't log requests made with an API key (part of their public policy), and emails are processed only on our server — they never leave your browser.

What to do when a breach is found? 1. Force a password reset for the compromised user across all your systems. 2. Verify the same password isn't reused in your other services. 3. Enable MFA if it isn't already on. 4. Close the finding as resolved.

Why so many findings on first scan? HIBP has 10+ years of history. The first scan surfaces every breach that ever touched any of your emails. That's normal — close historical ones as acknowledged and react going forward only to new ones.

How often does HIBP add new breaches? On average 5-15 new breaches per month. Large dumps (tens of millions of records) — a few per quarter.