Breached credential detected

This detection indicates that a username and password combination used to sign in to your Okta org has appeared in a third-party list of publicly available data breaches. See Breached credentials protection.

Detection risk level: High

Okta continuously monitors third-party lists of public data breaches for username-password combinations in your org and flags users who sign in with breached credentials.

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: Breached Credential Detected
  • Take this action: Universal Logout, or run a Workflow to notify an admin and lower the user risk level. Workflow is recommended only if a remediation action has already been configured in your password policy.

If your org uses the breached credentials protection feature, the actions that you configured in your password policy are also performed.

Remediation strategy

Automated action: This is a user-driven remediation. If the user doesn't sign in (and therefore doesn't reset their password), their credentials remain exposed. Configure breached credentials protection to immediately force the expiration of the password if a breached credential is detected during the sign-in flow. To enforce MFA as part of the password expiry flow, Identity Engine customers can configure the Okta account management policy.
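Because remediation depends on the user signing in, it helps to track which flagged accounts have not had a password change since the detection. The following is an added example, not Okta code: it joins a list of detections against a directory export, and the record layout and field names (`user`, `detected_at`, `password_changed`) are hypothetical, with constructed sample data.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-03-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample data. Field names are hypothetical, not Okta's schema.
DETECTIONS = [
    {"user": "alice@example.com", "detected_at": "2025-03-01T10:00:00Z"},
    {"user": "bob@example.com", "detected_at": "2025-03-02T08:30:00Z"},
    {"user": "bob@example.com", "detected_at": "2025-03-09T14:00:00Z"},
    {"user": "carol@example.com", "detected_at": "2025-03-03T09:15:00Z"},
    {"user": "dave@example.com", "detected_at": "2025-03-04T11:00:00Z"},
]
USERS = {
    "alice@example.com": {"password_changed": "2025-03-01T10:05:00Z"},
    "bob@example.com": {"password_changed": "2025-03-05T12:00:00Z"},
    "carol@example.com": {"password_changed": None},
}

def still_exposed(detections, users, now):
    """Return (user, days_exposed, reason) for users with no reset after their latest detection."""
    latest = {}
    for d in detections:
        ts = parse_ts(d["detected_at"])
        # A repeat detection after a reset means the new password is breached too,
        # so only the most recent detection per user matters.
        if d["user"] not in latest or ts > latest[d["user"]]:
            latest[d["user"]] = ts
    findings = []
    for user, detected in sorted(latest.items()):
        record = users.get(user)
        if record is None:
            reason = "not in directory export"
        elif record["password_changed"] is None:
            reason = "password never changed"
        elif parse_ts(record["password_changed"]) <= detected:
            reason = "no reset since detection"
        else:
            continue  # password was changed after the latest detection
        findings.append((user, (now - detected).days, reason))
    return findings

if __name__ == "__main__":
    for row in still_exposed(DETECTIONS, USERS, parse_ts("2025-03-12T00:00:00Z")):
        print(row)
```

Accounts that stay on this list are candidates for forced password expiration rather than waiting for the next sign-in.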