Back to Blog

Find Exposed Users with Credential Leak Monitoring

Baruch Mettler
Baruch Mettler

Businesses face a growing number of security threats, however, despite wide rollout of multi-factor authentication (MFA) and a wide compliance level focus on password policies, credential compromise remains a significant threat. Monitoring for credential breaches is essential for protecting your organization’s sensitive information and maintaining trust. This blog aims to provide an understanding of the importance of credential breach monitoring, real-world examples of its impact, and a practical guide to implementing it using the Pangea User Intel API.

Why Credential Breach Monitoring is Important

Data breaches often occur as a direct result of malicious actors gaining unauthorized access to usernames, passwords, API keys, and other login information. These breaches can lead to significant financial losses, reputational damage, and legal repercussions. With stolen credentials often being the primary method of attack, monitoring and responding to these breaches swiftly is critical. Fortunately, it is possible to obtain exposed credentials from data breaches, malware-infected devices, and other underground sources at scale..

In this blog, we’ll use Active Directory as the auth provider to demonstrate how to use Pangea User Intel APIs to check if your user emails have exposed credentials in data breaches.

Step 1: Fetch User Emails from Active Directory Using Python ⚡

Monitoring for credential breaches starts with identifying the users whose credentials need to be protected. Here’s how you can extract user emails from Active Directory using Python:

import ldap3

# LDAP server details
server_address = 'ldap://your-ldap-server-address'
user_dn = 'CN=your-user,CN=Users,DC=yourdomain,DC=com'
password = 'your-password'

# Establishing connection to the server
server = ldap3.Server(server_address, get_info=ldap3.ALL)
connection = ldap3.Connection(server, user_dn, password, auto_bind=True)

# Searching for user emails
search_base = 'DC=yourdomain,DC=com'
search_filter = '(objectClass=person)'
attributes = ['mail'], search_filter, attributes=attributes)

# Extracting emails
user_emails = [entry['attributes']['mail'] for entry in connection.entries]

# Displaying the emails
for email in user_emails:

Step 2: Check Credentials Against Pangea User Intel Service 🕵️

With this list of users, the next step is to check if any of these credentials have been compromised. The Pangea User Intel API allows you to easily check for compromised credentials based on a given email, username, phone number or an IP address. Here’s a snippet of Python that uses the Pangea SDK to perform this check:

from pangea.config import PangeaConfig
from import UserIntel
def check_user_breach(useremail):    
    user_email_analysis = inteluser.user_breached(email=useremail, 
    provider="spycloud", verbose=True, raw=False, start="30d", end="0d")
        print(f"User {useremail} was FOUND to be breached":)


By proactively identifying and addressing compromised credentials, businesses can significantly reduce the risk of data breaches. The Pangea User Intel APIs offer efficient and reliable ways to check for compromised credentials, helping your organization stay secure.

Try the Pangea User Intel API with $5 of free credit on signup, which is sufficient for over 1500 breached user lookups. If you have any questions or need help setting up Pangea services, feel free to ask them in the Pangea discourse community.


Additional user intel reporting details and options can be documented here:

Get updates in your inbox and subscribe to our newsletter

background landmass