How to find out if any users in your domain have been compromised

How to find out if any users in your domain have been compromised

Summary: have i been pwned?, a service that tells you if your email address is in one of the big data breach databases, now accepts domain searches.

TOPICS: Security

Over the last few years, hundreds of millions of email addresses have been captured from the organizations holding them, and in many cases the databases have been made public. The largest of these was the Adobe breach, which exposed over 150 million accounts.

Recently I wrote about have i been pwned?, a service which collects hashes of all these addresses into a single database and lets you check to see if your address is in one or more of them. Since I last wrote about have i been pwned? another large database has been added, that of Snapchat, containing about 4.6 million addresses, and Friday a smaller one, from Battlefield Heroes, a game whose user data was stolen by the LulzSec gang in 2011.

In addition to adding Snapchat and Battlefield Heroes, Troy Hunt, have I been pwned?'s author and operator, has added the ability to do domain-wide searches and notifications. According to Hunt, since he announced the feature last week it has attracted 25,000 subscribers and the site has performed over 1000 domain searches.

For instance, now I can search to see if any address on is in any of the databases and to be notified if any are added in the future.

Because of the potential for abuse, Hunt has had to add a verification step for domain searches, in order to prove that the user is an authoritative contact for that domain. He offers several options, shown in the screen capture below:


The options are:

  • Verify by email: The service does a whois lookup on the domain to gather all the authoritative accounts for it and presents them to the user. The user selects one of them, and the service sends a unique code to that address. The user retrieves the code and enters it on the form on and, if it matches, the user is verified.

  • Verify by meta tag: The user puts a specified <meta> tag with a unique code in the <head> section of the home page of the domain. checks for the tag and, if it matches, the user is verified.

  • Verify by file upload: The user uploads a file with a specific name containing a unique code to the root directory of the domain. checks for the file and, if it is present and matches, the user is verified.

  • Verify by TXT record: The user creates a TXT record in the DNS for the domain (it cannot be a subdomain) containing a unique code provided by the site. checks for the record and, if it is present and matches, the user is verified.

Once the verification is complete, he gets a series of links with format options for downloading the data:


Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I got my domain verified.

    Adobe is the only one that is listed. I changed my password and made use of KeePass 2.

    I might create multiple aliases for my domain for use with different services and forums, even if some services and companies do not accept "+" as part of a valid e-mail address.
    Grayson Peddie
  • Valiant effort but perhaps incomplete?

    On my domain. it found Adobe, but it seems to have missed - Canonical's embarrassingly closed-source vBulletin forum that was even more embarrassingly hacked in 2013.

    @Grayson Peddie IMO it is probably safer to regard this service as one that indicates mail addresses that have proven to be compromised, rather than verification that one's domain is safe - if you see what I mean?

    Agree about Keepass*. Means one can generate and deploy really strong passwords, and change them frequently, with minimal effort.
    • True about domain verification and e-mail address compromised...

      And for passwords, were you using the same passwords in almost every websites you went to? Even a very strong password that is impossible to brute force into your accounts that you've been using?

      Man, I hate criminals who compromises databases! I hate them so much that it forces me to use a password manager as I canNOT keep track of passwords. I thought about LastPass, but I'm not going to host my encrypted passwords in someone else's server but MY OWN. Not Dropbox, not Google Drive, but my own VPS server.

      I was looking for a solution to host in my Ubuntu Server in which cross-platform browsers (Google Chrome and Firefox, which is what I have in my system but my primary web browser is Google Chrome) can communicate with my server via a specific port and access my encrypted database. A web interface can be disabled if need be, but sadly, I'm better off using KeePass. I also have KeePass in my Android phone, but it's too much a daunting task to copy the database file manually. I might be planning to setup my ownCloud for password synchronization. At least there's an ownCloud client for Ubuntu:

      Some companies are stupid enough to use weak encryption and not salt every hashed passwords because without any salting at all, even a very strong 10x MD5/SHA1 encrypted password can be unencrypted once a database is compromised.
      Grayson Peddie
    • Absence of evidence is not evidence of absence

      Spot on, this gives you no guarantees that you haven't had an account compromised in another breach that hasn't been loaded into the service. That said, if you're aware of any others where the data is already public then ping me on @troyhunt and I'll add it in.