Breached Password Detection

Every day, malicious hackers penetrate websites and applications, exposing thousands of emails and passwords. Because it's common for users to use the same password to login to multiple sites, this poses a problem, not only for the hacked system, but for any application that shares those breached passwords.

Auth0 tracks large security breaches that are happening on major third-party sites to help secure your users and system. By enabling breached password detection, when a trigger occurs, your users can be notified and/or blocked from logging in if we suspect their credentials were part of a published security breach.

Breached password detection also works when logging in using the Resource Owner Password Grant (ROPG) and when using custom databases with your tenants.

When a user receives an email requesting that they change their password immediately, it is because their account could be the victim of a security breach. This may be the result of a compromise by a third-party application that experienced a security breach. The breach may not have happened to this account, but based on available data, the user's credentials may have been released. Since many people reuse passwords, the request to change passwords is a precaution to make sure the user stays protected. Users may also want to change their password at any other sites where they suspect they used a shared password.

You can customize the emails sent to blocked account users. To learn more, read Customize Blocked Account Emails.

Configure breached password detection

When enabled, you can customize breached password detection preferences, including enabling blocking compromised user accounts and enabling or disabling email notifications to administrators and affected users.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

    Dashboard Security Attack Protection Breached Password Detection

  2. Enable the switch at the top of the page.

    Enabling attack protection features without configuring response settings activates Monitoring mode, which records related events in your tenant log only. The tenant log will contain information about whether the login was determined to be risky so you can determine if you want to configure responses. To learn more read View Attack Protection Log Events.

    If you cannot see the toggle to enable this feature, you may need to upgrade your plan.

  3. Under Response, enable the Block compromised user accounts switch to automatically block accounts that try to log in using compromised credentials.

  4. Under Notifications:

    1. Enable the Send notifications to users with compromised credentials switch to send an email to users when Auth0 detects that they are using compromised credentials.

    2. Select Send notifications to account administrators to choose the notification frequency: Immediately, Daily, Weekly, and Monthly.

  5. Click Save.

To configure the URL Lifetime and Redirect To values in the Dashboard go to Dashboard > Branding > Email Templates, locate Template, and select Change Password.

Verify detection configuration

You can verify the users' login experience when the breached password is detected.

  1. Go through your login flow using the email address leak-test@example.com and password Paaf213XXYYZZ.

  2. Check your tenant log to verify that the login was blocked and that an email was sent and failed to be delivered, which is expected behavior. The email to recipient leak-test@example.com cannot be delivered because example.com is not a valid domain name.

  3. Delete the leak-test@example.com user after you verify that the user was blocked.

Restrictions and limitations

The following use cases are not supported:

  • Using the Resource Owner Password Grant from the backend of the application: Using this call does not get the IP address of the user.

  • Authenticating a large number of users from the same IP address: Users who are behind a proxy are more likely to reach set limits and trigger breached password detection. To avoid erroneously triggering detection, configure an AllowList for the proxy's IP and CIDR range.

Learn more