The Compromised Accounts Reports take your accounts and run them through known databases of compromised accounts that are in the public domain. Unfortunately, there have been many breaches over the years, and if you have a large enough organization there is a good chance that one or more of the emails in your organization have been compromised in one of these breaches. These breaches will be tracked by domain as there can be multiple email domains within your Office 365 instance.
Use the Domains Overview report to get a list of the domains that have been compromised in a specific breach. Each breach is a little bit different, and the passwords that may have been compromised may be for external services. For each breach review the associated Breach information sheet to understand the scope and potential for action.

Expand the results to see details on the particular accounts that have been compromised.
The Domains History displays a historical graph of how many accounts have been found to be breached within each email domain and may indicate an email domain that is more prone to breaches or give you a sense of the scope of the issue.

Currently, we are checking against the Have I Been Pwned list but we will add more lists over time. As of June 2018, this database included over 5 billion compromised accounts.
If one of your accounts does show up in the list, it doesn’t mean that the account is currently compromised or that it can be used to get into your system, but information that could have been used was available. If there were secondary protection systems on your email domains they may have offered protection. Review activities for this account using the Audit Timeline and make sure that the account has a new password and uses other security features such as multi-factor authentication.
As with all of the reports, this information can be customized, filtered and scheduled.

Print Friendly, PDF & Email