Dark web & breach monitoring

TSNC continuously checks whether your school's email domains and your staff's emails appear in known data breaches. When something shows up, we tell you — fast.

What we monitor

  • Domain-level breaches — anytime @yourschool.edu appears in a known dataset
  • Per-user breaches — each staff member's individual email checked against HIBP's breach corpus
  • Compromised passwords — browser extension warns when a user's vault entry matches a known breached password (without sending the password anywhere — uses k-anonymity)

How alerts work

When a new breach lands that affects your domain or a user's email, we send:

  • Email to admins — the org's principal and IT admin get a heads-up with breach details
  • In-app notification — appears on the admin dashboard until acknowledged
  • Per-user notification — the affected staff member sees a banner urging them to rotate any passwords they've reused

We don't flood you. Old breaches re-classified by HIBP don't re-alert. New breaches do.

What to do when you see an alert
  • Don't panic — most breaches are old credential leaks the affected user already knows about.
  • Identify which sites used the breached email + (likely) similar passwords.
  • Have the user rotate passwords on those sites — start with email, banking, school accounts.
  • Make sure their TSNC vault master password isn't reused anywhere else (it shouldn't be, but verify).
  • Consider running a one-off phishing campaign — attackers often follow up breaches with credential-stuffing campaigns.

Domain monitoring setup

We monitor any email domain that staff members use to log in. If your school uses @stmarys.edu AND @stmaryscatholicschool.org, both are monitored. Add or remove domains under Settings → School Email Domains.

Per-user breach monitoring

Optionally, each staff member can register one personal email (e.g., their Gmail) for breach monitoring. Useful because most credential leaks come from sites they used personally, and the password they used at that site is often the same as their work password.

The personal email setting is opt-in per-user, not org-wide. Staff members opt in themselves under their user settings.

The browser extension's password breach warning

When a user logs into a site using the TSNC password manager, the extension checks the password they're submitting against the HIBP breached-password database. If it matches a known breach, a warning appears.

The check uses HIBP's k-anonymity API: only the first 5 characters of the password's SHA-1 hash leave the device. The actual password never leaves your browser. This is a widely-used pattern; see HIBP API docs.
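The range check described above, as an added example (not TSNC's extension code). It assumes the documented Pwned Passwords range format of one `SUFFIX:COUNT` pair per line, uses Node's `crypto` module so it runs offline (a browser would use `crypto.subtle.digest`), and the function names and the sample response are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Uppercase hex SHA-1 of the password, split into the 5-character prefix
// (the only part that is sent) and the 35-character suffix (kept locally).
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Everything that leaves the device: a GET for the prefix bucket.
function rangeUrl(password) {
  return 'https://api.pwnedpasswords.com/range/' + splitHash(password).prefix;
}

// Search a range response body for this password's suffix, locally.
// Returns the breach count, or 0 when the suffix is absent.
// Malformed lines are skipped; padding entries carry count 0, so they
// also come back as "not breached".
function breachCount(password, responseBody) {
  const { suffix } = splitHash(password);
  for (const line of responseBody.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (m && m[1].toUpperCase() === suffix) return Number(m[2]);
  }
  return 0;
}

// Constructed response body for prefix 5BAA6 (not real API output).
// The counts are made up; the middle suffix belongs to SHA-1("password").
const SAMPLE_BODY = [
  '0'.repeat(34) + 'A:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  'F'.repeat(35) + ':0', // padding-style entry
  'not-a-valid-line',
].join('\r\n');

// Turn the lookup into the decision the extension has to make.
function shouldWarn(password, responseBody) {
  return breachCount(password, responseBody) > 0;
}
```

The server only learns which bucket of hashes was requested; the comparison against the remaining 35 characters happens in `breachCount` on the client.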

FAQ

How current is the breach data?
HIBP updates within hours of new breaches becoming public. Our monitoring polls daily, so you'll typically see new breaches within 24 hours of HIBP indexing them.
Why is my email showing up in a breach I don't recognize?
Many breaches are leaked years after they happened, or from sites you signed up for once and forgot. The breach itself often discloses the source — check the breach name in the alert. Most aren't actively exploitable today, but the credentials may have been used in credential-stuffing attacks since.
Can I disable breach monitoring?
Domain-level monitoring stays on (it's part of the org's security posture). Per-user breach monitoring is opt-in by default — users choose to add a personal email or not.