The eternal question looms ‘Is any of our data safe anymore?’. Our data are all over the Internet, from our names, dates of births, addresses to credit card numbers. And we often go about our days with the credence that our data is safe and secure.

But hacking or data breaching isn’t something new. It has existed for a while, and as we continue to become more interdependent on the Internet, data breach incidences are only bound to rise.

You can’t be caught off guard in the aftermath of a data breach. Even the most stringent data protection and IT procedures could succumb to the same fate as recent victims. (Hilton Hotels, Home Depot, and Anthem are among the victims.)

So, what is a data breach?

If confidential or secured information is exposed, it is called a data breach. Your Social Security number, savings account or credit card details, personal health information, passwords, or email could all be lost or stolen in a data breach.

A data breach might be deliberate or unintentional. A cybercriminal could break into a company’s database and steal your personal information. Alternatively, an employee at that company may inadvertently disclose your personal information on the Internet. In any case, criminals may gain access to your sensitive personal data and profit from that at your expense.

How to recover from a data breach?

Data breaches are a perpetual issue for all businesses and individuals. No matter how many rules, strategies, or protections they have, a skilled attacker will eventually be able to compromise them.

It’s critical to be safe and do everything you can to avoid data breaches, but there’s no need to panic if they fail. You can take actions to increase your defences against the potential harm that a data breach could cause.

  • Shred documents
  • Use secure websites whenever possible.
  • Only provide your Social Security number if it is necessary
  • Ensure that the operating systems and applications on your computers and mobile devices are up to date
  • Make regular checks of your internet transactions and your monthly financial account statements.
  • Check your credit reports regularly to ensure that cybercriminals haven’t opened credit cards or loans in your name etc.,

For more insight, here’s an overview of the various breaches that have been consolidated in Have I Been Pwned. These breaches are accessible programmatically via the HIBP API and via the RSS feed.

I want to thank Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, for this resource. Without his help, we wouldn’t have access to this in-depth resource.

HIBP API Advantages

  • Provides a service to the public
  • Analysing the breach data helps victims learn of compromises of their accounts
  • The severity of the dangers of cyber-attacks on the Internet are highlighted.

In this article, I have attached a PowerShell script that takes the details of the given Azure AD Users as input and analyses the breaches that you can share with AAD admins and users.

Prerequisites

Note – The script mentioned below has not been optimized and is for demo purposes. You might need to modify the code as per your requirements.

$requiredProfileProperties = "id,displayName,userPrincipalName,userType"
$hibpApiEndpoint = "https://haveibeenpwned.com/api/v3"
$hibpApiKey = "[your key]"
$global:auditOutput = @()

$resultDir = "Output"
$executionDir = $PSScriptRoot
$outputDir = "$executionDir/$resultDir"
$outputFilePath = "$outputDir/$(get-date -f yyyyMMdd-HHmmss)-haveibeenpwned-breaches-outcome.csv"

function AddBreach {
    param (
        [Parameter(Mandatory = $false)] [string] $Name,
        [Parameter(Mandatory = $false)] [string] $BreachDate,
        [Parameter(Mandatory = $false)] [string] $Description,
        [Parameter(Mandatory = $false)] [bool] $IsVerified
    )

    $audit = New-Object -TypeName PSObject

    $audit | Add-Member -MemberType NoteProperty -Name "Name" -Value $Name
    $audit | Add-Member -MemberType NoteProperty -Name "BreachDate" -Value $BreachDate
    $audit | Add-Member -MemberType NoteProperty -Name "Description" -Value $Description
    $audit | Add-Member -MemberType NoteProperty -Name "IsVerified" -Value $IsVerified

    $global:auditOutput += $audit
}

$users = m365 aad user list --properties $requiredProfileProperties -o json | ConvertFrom-Json -AsHashtable
$usersCount = $users.Count
Write-Host "Number of users found : $usersCount"

ForEach ($user in $users) {
    if ($user.userType -eq "Member") {
        $userPrincipalName = $user.userPrincipalName
        Write-Host "Processing : $userPrincipalName"

        $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
        $headers.Add("hibp-api-key", $hibpApiKey)
        $breaches = (Invoke-RestMethod -Uri "$hibpApiEndpoint/breachedaccount/$userPrincipalName?truncateResponse=false" -Headers $headers)

        ForEach ($breach in $breaches) {
            $breachData = $breach | ConvertFrom-Json -AsHashtable
            
            $breachName = $breachData.Name
            $breachDate = $breachData.BreachDate
            $breachDescription = $breachData.Description
            $IsBreachVerified = $breachData.IsVerified
            AddBreach $breachName $breachDate $breachDescription $IsBreachVerified
        }
    }
}

$global:auditOutput | Export-Csv -Path "$outputFilePath" -NoTypeInformation
Write-Host "Open $outputFilePath to review analysis outcomes report."

Sample breach response

[
  {
    "Name": "Adobe",
    "Title": "Adobe",
    "Domain": "adobe.com",
    "BreachDate": "2013-10-04",
    "AddedDate": "2013-12-04T00:00Z",
    "ModifiedDate": "2013-12-04T00:00Z",
    "PwnCount": 152445165,
    "Description": "In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, <em>encrypted</em> password and a password hint in plain text. The password cryptography was poorly done and <a href=\"http://stricture-group.com/files/adobe-top100.txt\" target=\"_blank\" rel=\"noopener\">many were quickly resolved back to plain text</a>. The unencrypted hints also <a href=\"http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html\" target=\"_blank\" rel=\"noopener\">disclosed much about the passwords</a> adding further to the risk that hundreds of millions of Adobe customers already faced.",
    "DataClasses": [
      "Email addresses",
      "Password hints",
      "Passwords",
      "Usernames"
    ],
    "IsVerified": true,
    "IsFabricated": false,
    "IsSensitive": false,
    "IsRetired": false,
    "IsSpamList": false,
    "LogoPath": "https://haveibeenpwned.com/Content/Images/PwnedLogos/Adobe.png"
  },
  {
    "Name": "BattlefieldHeroes",
    "Title": "Battlefield Heroes",
    "Domain": "battlefieldheroes.com",
    "BreachDate": "2011-06-26",
    "AddedDate": "2014-01-23T13:10Z",
    "ModifiedDate": "2014-01-23T13:10Z",
    "PwnCount": 530270,
    "Description": "In June 2011 as part of a final breached data dump, the hacker collective &quot;LulzSec&quot; <a href=\"http://www.rockpapershotgun.com/2011/06/26/lulzsec-over-release-battlefield-heroes-data\" target=\"_blank\" rel=\"noopener\">obtained and released over half a million usernames and passwords from the game Battlefield Heroes</a>. The passwords were stored as MD5 hashes with no salt and many were easily converted back to their plain text versions.",
    "DataClasses": ["Passwords", "Usernames"],
    "IsVerified": true,
    "IsFabricated": false,
    "IsSensitive": false,
    "IsRetired": false,
    "IsSpamList": false,
    "LogoPath": "https://haveibeenpwned.com/Content/Images/PwnedLogos/BattlefieldHeroes.png"
  }
]

Conclusion

Even though we’re becoming accustomed to headlines about data breaches and leaks, the protection of our personal and sensitive information should be a priority for all of us. Enforcing the proper processes and recovery strategies can be beneficial. While no method has been shown to defend you from all attacks, we all have to start somewhere, don’t we?

I hope this script has been helpful, and I would love to know your thoughts. Would you mind posting them in the comments section below?