Stay organized with collectionsSave and categorize content based on your preferences.
Have I Been Pwned
Integration version: 7.0
Configure Have I Been Pwned to work with Google Security Operations
Credentials
An API Key needs to be purchased in order to make necessary configurations for
the HaveIBeenPwned integration.
Network
Function
Default Port
Direction
Protocol
API
Multivalues
Outbound
apikey
Configure HaveIBeenPwned integration in Google SecOps
For detailed instructions on how to configure an integration in
Google SecOps, seeConfigure
integrations.
Actions
Check Account
Description
Check if you have an account that has been compromised in a data breach.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the User entity.
Action Results
Entity Enrichment
Enrichment Field Name
Logic - When to apply
Breaches
Returns if it exists in JSON result
Pastes
Returns if it exists in JSON result
Insights
N/A
Script Result
Script Result Name
Value Options
Example
pwned_emails
N/A
N/A
JSON Result
[{"EntityResult":{"breaches":[{"PwnCount":37217682,"IsRetired":false,"Description":"In March 2012, the music website <a href=\\\"https://techcrunch.com/2016/09/01/43-million-passwords-hacked-in-last-fm-breach/\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Last.fm was hacked</a> and 43 million user accounts were exposed. Whilst <a href=\\\"http://www.last.fm/passwordsecurity\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Last.fm knew of an incident back in 2012</a>, the scale of the hack was not known until the data was released publicly in September 2016. The breach included 37 million unique email addresses, usernames and passwords stored as unsalted MD5 hashes.","DataClasses":["Email addresses","Passwords","Usernames"],"IsSensitive":false,"Domain":"last.fm","IsSpamList":false,"BreachDate":"2012-03-22","IsFabricated":false,"ModifiedDate":"2016-09-20T20:00:49Z","Title":"Last.fm","Name":"Lastfm","AddedDate":"2016-09-20T20:00:49Z","IsVerified":true,"LogoPath":"https://haveibeenpwned.com/Content/Images/PwnedLogos/Lastfm.png"}],"pastes":[{"Date":null,"Source":"AdHocUrl","EmailCount":36959,"Id":"http://siph0n.in/exploits.php?id=1","Title":"BuzzMachines.com 40k+"}]},"Entity":"john_doe@example.com"}]
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis integration allows users to check if an account has been compromised in a data breach through the "Check Account" action, which runs on User entities.\u003c/p\u003e\n"],["\u003cp\u003eAn API key is required to configure the Have I Been Pwned integration for Google Security Operations SOAR, with detailed instructions in the Have I Been Pwned API Documentation.\u003c/p\u003e\n"],["\u003cp\u003eThe integration enriches user entities with "Breaches" and "Pastes" data, providing information from data breaches if it exists in the JSON result.\u003c/p\u003e\n"],["\u003cp\u003eA "Ping" action is available to test the connectivity of the integration, returning a true or false value on the connection.\u003c/p\u003e\n"],["\u003cp\u003eThe integration's API communicates outbound using the apikey protocol.\u003c/p\u003e\n"]]],[],null,["# Have I Been Pwned\n=================\n\nIntegration version: 7.0\n\nConfigure Have I Been Pwned to work with Google Security Operations\n-------------------------------------------------------------------\n\n### Credentials\n\nAn API Key needs to be purchased in order to make necessary configurations for\nthe HaveIBeenPwned integration.\n| **Note:** For more detailed information, see [Have I Been Pwned API\n| Documentation](https://haveibeenpwned.com/API/v3).\n\n### Network\n\nConfigure HaveIBeenPwned integration in Google SecOps\n-----------------------------------------------------\n\nFor detailed instructions on how to configure an integration in\nGoogle SecOps, see [Configure\nintegrations](/chronicle/docs/soar/respond/integrations-setup/configure-integrations).\n\nActions\n-------\n\n### Check Account\n\n#### Description\n\nCheck if you have an account that has been compromised in a data breach.\n\n#### Parameters\n\nN/A\n\n#### Use cases\n\nN/A\n\n#### Run On\n\nThis action runs on the User entity.\n\n#### Action Results\n\n##### Entity Enrichment\n\n##### Insights\n\nN/A\n\n##### Script Result\n\n##### JSON Result\n\n [\n {\n \"EntityResult\":\n {\n \"breaches\": [\n {\n \"PwnCount\": 37217682,\n \"IsRetired\": false,\n \"Description\": \"In March 2012, the music website \u003ca href=\\\\\\\"https://techcrunch.com/2016/09/01/43-million-passwords-hacked-in-last-fm-breach/\\\\\\\" target=\\\\\\\"_blank\\\\\\\" rel=\\\\\\\"noopener\\\\\\\"\u003eLast.fm was hacked\u003c/a\u003e and 43 million user accounts were exposed. Whilst \u003ca href=\\\\\\\"http://www.last.fm/passwordsecurity\\\\\\\" target=\\\\\\\"_blank\\\\\\\" rel=\\\\\\\"noopener\\\\\\\"\u003eLast.fm knew of an incident back in 2012\u003c/a\u003e, the scale of the hack was not known until the data was released publicly in September 2016. The breach included 37 million unique email addresses, usernames and passwords stored as unsalted MD5 hashes.\",\n \"DataClasses\": [\"Email addresses\",\n \"Passwords\",\n \"Usernames\"\n ],\n \"IsSensitive\": false,\n \"Domain\": \"last.fm\",\n \"IsSpamList\": false,\n \"BreachDate\": \"2012-03-22\",\n \"IsFabricated\": false,\n \"ModifiedDate\": \"2016-09-20T20:00:49Z\",\n \"Title\": \"Last.fm\",\n \"Name\": \"Lastfm\",\n \"AddedDate\": \"2016-09-20T20:00:49Z\",\n \"IsVerified\": true,\n \"LogoPath\": \"https://haveibeenpwned.com/Content/Images/PwnedLogos/Lastfm.png\"\n }],\n \"pastes\": [\n {\n \"Date\": null,\n \"Source\": \"AdHocUrl\",\n \"EmailCount\": 36959,\n \"Id\": \"http://siph0n.in/exploits.php?id=1\",\n \"Title\": \"BuzzMachines.com 40k+\"\n }]\n },\n \"Entity\": \"john_doe@example.com\"\n }\n ]\n\n### Ping\n\n#### Description\n\nCheck connectivity.\n\n#### Parameters\n\nN/A\n\n#### Use cases\n\nN/A\n\n#### Run On\n\nThis action runs on all entities.\n\n#### Action Results\n\n##### Entity Enrichment\n\nN/A\n\n##### Insights\n\nN/A\n\n##### Script Result\n\n##### JSON Result\n\n N/A\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
