loader image
How to automate Have I Been Pwned automated monitoring for hacked email address in 10 minutes

How to automate: Have I Been Pwned automated monitoring for hacked email addresses in 10 minutes

Hugo David

In today’s How to Automate, we will learn how to automate Have I Been Pwned to check for hacked email addresses in your organization regularly and, if needed, take action.

Data breaches and email hacks are common. In fact, it is the most common way for attackers to gain access to your networks and systems. As said thousands of times, with cybercriminals actively seeking personal information, ensuring that your email address and online accounts remain secure organization-wide is critical.

However, there are no silver bullets. Otherwise, attacks would be much more exceptional. Still, as of today, the main entry point is through legitimate accesses, such as business email compromises (BEC), that have been compromised by attackers, notably through phishing attacks.

How to defend against it? Preventive measures would be enforcing strong passwords in the organization and enforcing 2FA for critical, logical accesses. Still, as long as you are not able to shoulder peek every employee to check if they have registered an effectively strong password and not the first 20 characters of the alphabet, you must adopt proactive measures.

One way to do this is by checking across your organization for hacked email addresses has been compromised using the popular online service Have I Been Pwned. A traditional way to do it is to run regular checks on Have I Been Pwned or perform scans following new breach releases. Although critical, this workflow can be repetitive and time intensive as your organization grows and more employee accounts are to be checked.

The good news is, thanks to Mindflow, you can easily automate this process to save time and ensure you’re always up to date with potential security risks. In this blog post, we’ll explain how to automate the monitoring for hacked email addresses by using Have I Been Pwned and then take action on the findings.

We will orchestrate 3 tools: Have I Been Pwned, Google through Google Admin Directory SDK API, and Slack.

Google workspace admin (1)
Google Admin
Have I Been Pwned
slack integration mindflow

Have I Been Pwned automation for hacked email addresses overall goal

The main goal is to create a scheduled Flow that would run twice a week, at the beginning of the week and at the end.

Following the results, we will predetermine remediation actions through Google Admin Directory SDK API, such as Sign-in out the users from devices and web sessions, resetting sign-in cookies, and also requesting a password change at the next login. To notify your IT or Security team, we will generate a report to be posted on Slack.

Bear in mind that you can easily replace Google with Microsoft Office 365 adequate API and Slack with Google Chat, Teams, Emails, or even Jira, Opsgenie, and most of your communication tools.

Here is a quick peek at the final Flow before we dive in.

We will divide the walkthrough into 4 sections, covering the building’s milestones.

To make it functional, you will need:

  1. Slack API credentials:
  1. Google Admin Directory SDK API: add the following scope: https://www.googleapis.com/auth/admin.directory.user.
  2. Have I Been Pwned: API key registered here.
Have I Been Pwned check hacked email addresses - 1

First steps to automate monitoring for hacked email addresses

Before diving in the concrete build we have to perform preliminary tasks: Flow creation (thorough walkthrough, duh), Emoji choice (critical step), and Schedule configuration.

Create the Flow and configure the schedule to automate the triggering on specific days

First of all, create the Flow, assign a name that may be cooler than the one we will give for the purpose of this article “Schedule: Weekly email breach monitoring with Have I Been Pwned; Sign out, Reset sign-in cookies and password at next login if needed” haha. Of course, choose your emoji! I chose a cute piggy face.

After having created the Flow, you have to set up the Scheduler. To do so, click on the calendar icon to open the Scheduler pop-over and:

Have I Been Pwned check hacked email addresses - 2

Set your variable

To be able to generate a nice report comprising all our iteration output, we have to set an empty variable that we will update for each iteration inside the For each loop. To do so, create a Transform Data. Name it Setting variable message. Inside, click on “Add an item” and name this item message. Leave it empty.

Have I Been Pwned check hacked email addresses - 3

Retrieving all accounts before checking for hacked email addresses

Ensure you have your Google Admin Directory SDK API credentials registered in the Vault, either OAuth2 or Google Service Account; Mindflow handles both (Reminder to myself to write the overall guide for Google authentication! Stay tuned!).

  1. Get Google Admin Directory SDK API directory.users.lists call.
  2. Hard-type your domain.

For each account

Create a For each loop. Name it For each account. Set source by “/” and get in “Retrieves a paginated list…” the table users to iterate on.

Have I Been Pwned check hacked email addresses - 4

Create a condition Extracting active users to extract only active users. Inside this condition, create one branch, named Active: Create a compare function, “/” to Pick the field suspended. Set the operator to Is false.

Have I Been Pwned check hacked email addresses - 5

Create an HIBP step by querying the get/api/v3/breachedaccount/{{email}}. Configure it as such:

  1. Important, if the account is not breached, HIBP will return a 404 Not Found. To avoid the Flow stopping upon failure. Change the “On failure” field to Continue execution.
  2. Under the URL field, https://haveibeenpwned.com/api/v3/breachedaccount/[TYPE “/” to Pick the field PrimaryEmail in the Iteration Data in For each account under FLOW].

After the HIBP step, create a condition, name it Do we have a breach? and create 1 wait, 1 Transform Data, and 1 Google Admin Directory SDK API step by querying the directory.users.signOut call.

Configure the branches as such:

  1. To the Wait: Name the branch Timed out. Create a compare function and Pick under the HIBP step the field Code under STATUS. Select the operator Contains and type “429”. Configure the Wait at 60 seconds and name it Wait 60 seconds. This branch is created to meet the Request per Minutes (RPM) limitation from Have I Been Pwned. According to the plan you subscribed to, you have a limited set of RPM. So, if the API request returns an error 429, we will just wait 60 seconds before iterating again.
Have I Been Pwned check hacked email addresses - 6
  1. To the Transform Data: Name the branch Not Pwned. Create a compare function and Pick under the HIBP step the field Code under STATUS. Select the operator Contains and type “404”. Rename the step Preparing message output.
  2. To the Google step: Name the branch Pwned. Create a compare function and Pick under the HIBP step the field Code under STATUS. Select the operator Contains and type “200”.
Have I Been Pwned check hacked email addresses - 7

On to the other steps.

Your first Wait step, Wait 60 seconds, is already configured. Hop on Preparing message output. Inside, create an item called message. After Preparing message output, create a new Wait step and set it to 6 seconds. Name it Wait 6 seconds. To limit the possibility of being timed out as we explained above, we create a Wait 6 seconds to ensure that we are not going to be timed out due to our current plan (yes, we have the less expensive one bcz we no rich yet! :-D).

To configure the Google Admin Directory SDK API directory.users.signOut call, open the step’s settings panel, and, in the Input tab, under User key, Pick PrimaryEmail under For each account iteration data.

Have I Been Pwned check hacked email addresses - 8

After this first Google step, create a new Google step by querying the path directory.users.update from the Google Admin Directory SDK API. Configure it by calling PrimaryEmail field under the For each account Iteration data. Ensure you enable the boolean “Change password at next login.” to True.

Have I Been Pwned check hacked email addresses - 9

Create a Transform Data after this last step, named Preparing message output (yes, the same name as the first one, don’t worry, it doesn’t have consequences). Add an item and call it message. Type “–” to format the message and then the following chunks:

Additional: You can add the date at which these actions have been performed by typing “/”, and selecting the “Retrieves calling the directory.users.signOut step and Picking date.

Have I Been Pwned check hacked email addresses - 10

Once this second Preparing message output is created, link it to the Wait 6 seconds. To ensure that we are not going to be timed out, as we explained above.

Sending final report on Slack

After your For each account, you will have to create a Slack API call by querying the chat_postMessage action. Configure it as such:

The flow is set! You can manually run it once to see all the pills pop up and witness the rare phenomenon of red pills stacking up! Now you have your automated check for hacked email addresses and remediation using Have I Been Pwned!

Have I Been Pwned check hacked email addresses - 11

Start automating today

Sign up for Mindflow to get started with enterprise hyperautomation.

By registering, you agree to receive updates regarding Mindflow’s products and services and your account in Mindflow.

The future of automation is just a login away 🚀

Fill the form below to unlock the magic of Mindflow and be the first to try our feature . 



OpenAI icon





Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.