365 Compromised Account

Alert Title: “Compromised Account”

Description: Alerts when one of the local user (domain is tied to the tenant) email addresses is recently added in the https://haveibeenpwned.com database. This indicates that a 365 compromised account may have taken place with another service.

Options:

• Specific users can be ignore
• Specific compromises can be ignored

The problem: This alert is triggered when an email addresses from your tenancy is listed as being in a compromised list from a breach on https://haveibeenpwned.com  This does not necessarily imply that your email account itself has been compromised, rather a service which you have an account with has been compromised.

Impact: This will depend on the breach.  In some situations passwords may be compromised, allowing malicious use of the sites/systems compromised.   If common passwords are shared, then it is also possible that related services may be compromised (including your email if you use the same password).

Suggested steps: Engage a technician to confirm that the alert is accurate.  Change passwords for all impacted services, and where any common passwords are shared (make sure you have a unique password per service). Undertake any required steps as advised by a suitable technician.