
Kyle Brennan

How to Check If You've Been Compromised (Data Breach OSINT)

Data breaches happen daily. Your credentials are probably already out there — the question is whether you know about it.

This guide shows you how to investigate breach exposure for yourself, your organization, or (with proper authorization) your targets.


Why This Matters

  • 3+ billion records leaked in breaches annually
  • Most people reuse passwords across sites
  • Breached credentials fuel account takeovers, identity theft, and social engineering
  • Companies often don't disclose breaches for months

Free Tools for Personal Checks

Have I Been Pwned (HIBP)

The gold standard for breach checking.

URL: haveibeenpwned.com

What it shows:

  • Which breaches include your email
  • What data types were exposed (passwords, addresses, phone numbers)
  • When the breach occurred

Pro tip: Set up notifications to get alerts when your email appears in new breaches.

Firefox Monitor

Mozilla's breach notification service (powered by HIBP data).

URL: monitor.firefox.com

What it shows:

  • Same breach data as HIBP
  • Integrated with Firefox browser
  • Actionable recommendations

DeHashed

Search by email, username, IP, name, address, or phone.

URL: dehashed.com

What it shows:

  • Actual leaked data (passwords, hashes)
  • More comprehensive than HIBP
  • Requires paid subscription for full access

⚠️ Warning: Only search for data you own or have authorization to investigate.


For Organizations

Domain-Wide Monitoring

HIBP Domain Search:

  • Check if any company email appears in breaches
  • Requires domain verification
  • Free for small organizations

Commercial Options:

  • SpyCloud
  • Recorded Future
  • Digital Shadows

These provide real-time monitoring and credential recovery services.

What to Look For

  • Employee credentials in breaches
  • Corporate email/password combos
  • Third-party service credentials (could indicate shadow IT)
  • Patterns (same password across multiple employees = training issue)

Investigating Specific Breaches

Finding Breach Data

Legitimate Sources:

  • HIBP breach notifications
  • Security news sites (KrebsOnSecurity, BleepingComputer)
  • Vendor disclosure pages

Research Sources (use responsibly):

  • IntelX (intelligence archive)
  • Breach forums (for awareness, not exploitation)
  • Academic datasets (sanitized breach data for research)

Analyzing Breach Contents

When you have access to breach data:

  1. Scope assessment — How many records? What data types?
  2. Date analysis — When was data collected? Is it current?
  3. Password patterns — Are they plaintext, hashed, or encrypted?
  4. Correlation — Does this data appear elsewhere?

Password Hash Cracking (For Your Own Accounts)

If you find your password hash in a breach, you can check if it's been cracked:

Hash Identification

Common types:

  • MD5: 32 hex characters
  • SHA-1: 40 hex characters
  • SHA-256: 64 hex characters
  • bcrypt: Starts with $2a$ or $2b$
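
The scope, password-format and pattern checks described above can be run over a dump in one pass. The script below is an added example, not code from the original post: it assumes a simple "email:credential" line format, uses constructed sample records, and the function names identify and triage are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed "email:credential" format (not real breach data).
SAMPLE_DUMP = """\
alice@example.com:0123456789abcdef0123456789abcdef
bob@example.com:0123456789abcdef0123456789abcdef
alice@example.com:0123456789abcdef0123456789abcdef
carol@example.com:$2b$12$CONSTRUCTEDsaltANDhashVALUEnotREAL
dave@example.com:0123456789abcdef0123456789abcdef01234567
erin@other.test:Summer2024!
"""

# Hex lengths from the list above. Length only suggests a type, it does not prove it.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

def identify(value):
    """Guess how a credential was stored from its shape alone."""
    if value.startswith(("$2a$", "$2b$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_LENGTHS:
        return HEX_LENGTHS[len(value)]
    return "plaintext-or-unknown"

def triage(dump, domain):
    """Summarize exposure for one domain without echoing any credential."""
    seen, duplicates = set(), 0
    formats, users_by_cred = defaultdict(int), defaultdict(set)
    for line in dump.splitlines():
        # Split on the first colon only: plaintext passwords may contain colons.
        email, sep, cred = line.strip().partition(":")
        email = email.lower()
        if not sep or not email.endswith("@" + domain.lower()):
            continue
        if (email, cred) in seen:      # combo lists repeat entries
            duplicates += 1
            continue
        seen.add((email, cred))
        formats[identify(cred)] += 1
        users_by_cred[cred].add(email)
    # Identical plaintext or unsalted hash across users means a shared password.
    # Salted formats such as bcrypt never collide this way.
    shared = sorted(sorted(u) for u in users_by_cred.values() if len(u) > 1)
    return {"records": len(seen), "duplicates": duplicates,
            "formats": dict(formats), "shared_password_groups": shared}

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, "example.com"))
```

The report lists only addresses and counts, so it can go into an incident ticket without copying leaked credentials into another system.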

Lookup Services

  • CrackStation: crackstation.net — Free hash lookup
  • Hashes.org: Massive hash database
  • cmd5.org: MD5 specific

Note: bcrypt and properly salted hashes won't appear in lookup tables.


What to Do When You're Breached

Immediate Actions

  1. Change the password — On the breached service AND anywhere you reused it
  2. Enable 2FA — On all important accounts
  3. Check for unauthorized access — Review login history
  4. Monitor financial accounts — If payment info was exposed

Long-Term Fixes

  • Use a password manager (unique passwords everywhere)
  • Enable breach notifications
  • Consider a credit freeze if SSN/financial data leaked
  • Use email aliases to track which services leak your data

For Security Researchers

Ethical Considerations

  • Only access data you're authorized to investigate
  • Don't exploit credentials — Even if they're "already public"
  • Report vulnerabilities — If you find active exposures
  • Document your methods — Maintain clear audit trails

Building Breach Awareness

Track breach trends:

  • What industries are targeted?
  • What attack vectors are common?
  • How long between breach and disclosure?

This intelligence helps predict and prevent future incidents.


Red Flags in Breach Data

When analyzing breaches, watch for:

  • Honeypot accounts — Fake credentials that alert on use
  • Sanitized data — May indicate a processed/fake dataset
  • Duplicate entries — Common in aggregated "combo lists"
  • Outdated passwords — Breach data ages quickly

🔐 Stay Informed

Breach awareness is an ongoing process, not a one-time check.

Join CloudSINT Discord: https://discord.gg/8WP5VwSS

Get breach alerts, discuss findings, and learn from security researchers who track this stuff professionally.


Part of the OSINT education series. Protect yourself.
