How to find out if any users in your domain have been compromised

have i been pwned?, a service that tells you if your email address is in one of the big data breach databases, now accepts domain searches.

Over the last few years, hundreds of millions of email addresses have been captured from the organizations holding them, and in many cases the databases have been made public. The largest of these was the Adobe breach, which exposed over 150 million accounts.

Recently I wrote about have i been pwned? , a service which collects hashes of all these addresses into a single database and lets you check to see if your address is in one or more of them. Since I last wrote about have i been pwned? another large database has been added,  that of Snapchat, containing about 4.6 million addresses , and Friday a smaller one, from Battlefield Heroes, a game whose user data was stolen by the LulzSec gang in 2011.

In addition to adding Snapchat and Battlefield Heroes, Troy Hunt, have I been pwned?'s author and operator, has added the ability to do domain-wide searches and notifications. According to Hunt, since he announced the feature last week it has attracted 25,000 subscribers and the site has performed over 1000 domain searches.

For instance, now I can search to see if any address on is in any of the databases and to be notified if any are added in the future.

Because of the potential for abuse, Hunt has had to add a verification step for domain searches, in order to prove that the user is an authoritative contact for that domain. He offers several options, shown in the screen capture below:


The options are:

  • Verify by email: The service does a whois lookup on the domain to gather all the authoritative accounts for it and presents them to the user. The user selects one of them, and the service sends a unique code to that address. The user retrieves the code and enters it on the form on and, if it matches, the user is verified.

  • Verify by meta tag: The user puts a specified <meta> tag with a unique code in the <head> section of the home page of the domain. checks for the tag and, if it matches, the user is verified.

  • Verify by file upload: The user uploads a file with a specific name containing a unique code to the root directory of the domain. checks for the file and, if it is present and matches, the user is verified.

  • Verify by TXT record: The user creates a TXT record in the DNS for the domain (it cannot be a subdomain) containing a unique code provided by the site. checks for the record and, if it is present and matches, the user is verified.

Once the verification is complete, he gets a series of links with format options for downloading the data: