What steps to follow when a user has been involved in a password breach
Learn what steps you should take when you're alerted about a new password breach affecting users in your company.
SMBreach Pro allows you to be notified whenever a new breach involving your users has been discovered. This helps you take immediate action to reduce the chances of further infiltration using the breached information.
In the event that the alert is for a password breach, you should take at least the Critical Actions to address the breach as quickly as possible.
For added security, we recommend taking the Advanced Actions to mitigate further risks of password breaches in the future.
In this article you’ll learn:
- What Critical Actions to take when there has been a password breach.
- What Advanced Actions to take when there has been a password breach.
Critical Actions to take when there has been a password breach
1. Force password reset for the user on their company logins
A forced password reset would need to be done on the corresponding Microsoft Azure Directory, or Google Workspace for that tenant.
For Microsoft users involved in a password breach, you would need to log into the Microsoft Azure portal, select Users from the menu, locate the user involved in the breach and select the option Reset password.
For Google Workspace users involved in a password breach, you would need to log into the Google Admin console, go to Directory, click Users, locate the user involved in the breach and click on the option Reset password.
2. Mark breach as resolved in SiberMate
You should mark the breach as resolved to easily keep track of which breaches you've addressed.
- In SiberMate, navigate to SMBreach Pro, click on the Users tab and locate the user involved in the password breach. You can type in the user’s name or email address in the search field to find the user.
- Click on the user’s name to view the breaches they have been involved in.
- In the column Exposed Information, you’ll see tags of what type of breach the user was involved in.
- Use the filter in the Exposed Information column to select Passwords and click OK to display only password breaches that the user has been involved in.
- Select the breach displayed and click Mark Resolved. If there are multiple breaches involving a password for that user, you can select the top tickbox to select all breaches displayed, click Actions and then click Mark Resolved.
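When one alert covers several Microsoft users, the forced reset in step 1 can be scripted instead of repeated in the portal. The following is an added example, not SiberMate or Microsoft code; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin is allowed to reset passwords, and the addresses are constructed placeholders.

```powershell
# Added example. Requires the Microsoft.Graph.Users module.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null

$breachedUsers = @('alice@example.com', 'bob@example.com')  # constructed; take these from the breach alert
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureIndex([int]$Max) {
    # Index in [0, Max) drawn from the OS CSPRNG rather than Get-Random.
    $bytes = [byte[]]::new(4)
    $rng.GetBytes($bytes)
    [int]([BitConverter]::ToUInt32($bytes, 0) % $Max)
}

function New-TempPassword([int]$Length = 20) {
    # Look-alike characters (0/O, 1/l/I) are left out so the value can be read aloud.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%*+-=?@'
    $all = -join $sets
    # One character from every class so common complexity rules are met.
    $chars = @(foreach ($s in $sets) { $s[(Get-SecureIndex $s.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-SecureIndex $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

$results = foreach ($upn in $breachedUsers) {
    try {
        $user = Get-MgUser -UserId $upn -ErrorAction Stop
        $temp = New-TempPassword
        # Set a one-time password and require a change at the next sign-in.
        Update-MgUser -UserId $user.Id -ErrorAction Stop -PasswordProfile @{
            Password                      = $temp
            ForceChangePasswordNextSignIn = $true
        }
        [pscustomobject]@{ User = $upn; Reset = $true; TempPassword = $temp; Error = $null }
    }
    catch {
        # A mistyped or deleted account is reported, not silently skipped.
        [pscustomobject]@{ User = $upn; Reset = $false; TempPassword = $null; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Pass each temporary password to its user over a channel other than the mailbox named in the breach, and treat any row with Reset = False as still open.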
Advanced Actions to take when there has been a password breach
1. Force password reset for the user on their company logins
A forced password reset would need to be done on the corresponding Microsoft Azure Directory, or Google Workspace for that tenant.
For Microsoft users involved in a password breach, you would need to log into the Microsoft Azure portal, select Users from the menu, locate the user involved in the breach and select the option Reset password.
For Google Workspace users involved in a password breach, you would need to log into the Google Admin console, go to Directory, click Users, locate the user involved in the breach and click on the option Reset password.
2. Reach out to the end user to explain what has happened and the risks involved
Explaining the situation to the end user helps raise awareness of the risks and severity of a password breach and enables them to take action on their end. It is also an opportunity to inform the end user of any additional training they will be sent and policies they will be expected to read and sign.
3. Send the user relevant supplementary training
In instances where there has been a password breach, we recommend enrolling the user involved onto at least one of the following training courses:
- Secure Passwords & Authentication
- Secure Email Use (if the breach was non-work related)
4. Send the user the company policies relevant to the breach
We recommend sending policies on the following topics to the users involved in a password breach:
- Secure Passwords
- Email Use (if the breach was non-work related)
To send a specific policy to a specific user, in SiberMate go to SMPolicy > View Policies and search for the policies relevant to the password breach. You can use the search field to search for keywords.
Hover over the actions arrow for the policy you want to send and click on Send Policy from the dropdown menu.
5. Send the user a simulated phishing attack
As the user is now a short-term high-risk individual, it's important to monitor the user's response to phishing simulations where a password is requested, to determine whether the user continues to be high risk and assess whether they require further training.
6. Mark the breach as resolved
You should mark the breach as resolved to easily keep track of which breaches you've addressed. Navigate to SMBreach Pro, click on the Users tab and locate the user involved in the password breach. You can type in the user’s name or email address in the search field to find the user.
- Click on the user’s name to view the breaches they have been involved in.
- In the column Exposed Information, you’ll see tags of what type of breach the user was involved in.
- Use the filter in the Exposed Information column to select Passwords and click OK to display only password breaches that the user has been involved in.
- Select the breach displayed and click Mark Resolved. If there are multiple breaches involving a password for that user, you can select the top tickbox to select all breaches displayed, click Actions and then click Mark Resolved.