Auth0 user logged in with a breached password

auth0

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the auth0 integration.

Goal

Detect when a user logs in with a breached password.

Strategy

Auth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a MEDIUM severity Security Signal.

You can see more information on how Auth0 detects breached passwords on their documentation.

Triage and response

  1. Inspect the policy and user location to see if this was a login from approved location
  2. See if 2FA was authenticated
  3. If the user was compromised, rotate user credentials.