
Your Business Email Is Probably in a Data Breach. Here's What to Do About It.

15 February 2026 | 9 min read | By Affinity MSP

The Breach Problem No One Talks About

When most people think of data breaches, they imagine hackers breaking directly into their systems. The reality for most Australian businesses is different and arguably more dangerous: their employees' credentials are already sitting in publicly circulated breach databases, and the business does not even know it.

Our free security scanning platform checks business email addresses against known breach databases as part of every assessment. The results are consistently concerning: over 40% of domains we scan have at least one email address that has appeared in a historical data breach.

This is not a theoretical risk. It is the starting point for the majority of credential-based attacks that Australian businesses face today.

---

How Business Emails End Up in Breaches

Your employees use their work email addresses to sign up for a wide range of services: SaaS platforms, industry forums, online tools, conference registrations, newsletters, and social media. When any of those services suffers a data breach, the email address and often the password hash or plaintext password becomes part of a breach dataset.

Here is the critical part: the breach is not of your systems. It is of a third-party service your employee used. But if that employee used the same password (or a variation of it) for their work accounts, an attacker now has a valid credential to try against your business systems.

The Scale of the Problem

Major breaches that have affected Australian business emails include compromises of:

  • LinkedIn (2012 breach, roughly 165 million accounts with hashed passwords; 2021 scrape, roughly 700 million profile records without passwords)
  • Adobe (2013) -- 153 million records
  • Dropbox (2012, disclosed 2016) -- 68 million records
  • MyFitnessPal (2018) -- 150 million records
  • Collection #1-5 compilations (2019) -- billions of aggregated credentials
  • Various industry-specific platforms, HR tools, and professional networks

These breach datasets are freely available on the dark web and in some cases even on the open internet. Attackers aggregate them into searchable databases and use automated tools to test credentials against corporate login pages, VPNs, email systems, and cloud services.

---

Why This Matters for Your Business

Credential Stuffing Attacks

Attackers take email/password combinations from breaches and automatically try them against common business platforms: Microsoft 365, Google Workspace, VPN portals, CRM systems, and accounting software. If even one employee reused a password, the attacker gains access. The tooling is commodity: attempts are spread across proxy IP addresses and throttled to stay under account-lockout thresholds, so defenders need to watch how many distinct accounts a single source is trying, not only how many failures a single account racks up.

The success rate of credential stuffing is disturbingly high. Industry data suggests that 0.1-2% of credential stuffing attempts succeed, which sounds low until you consider that attackers try millions of combinations per day.
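What that pattern looks like in sign-in telemetry, as an added example that is not part of the original article or of Affinity MSP's platform: a small Python detector that parses constructed sign-in log lines (the four-field line format, the IP addresses and the thresholds are assumptions) and flags a source that tries many distinct accounts in a short window with a low success rate, listing the accounts that did succeed so they can be reset first.

```python
"""Flag credential-stuffing patterns in sign-in logs.

Added example, not code from the original article or from Affinity MSP's
platform. The log lines are constructed; the four-field line format, the
addresses and the thresholds are assumptions, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "timestamp source_ip username result".
# 203.0.113.7 walks a breached list across many accounts in seconds;
# 198.51.100.20 is one user mistyping their password and retrying.
SAMPLE_LOG = """\
2026-02-15T09:00:01 203.0.113.7 alice@example.com.au FAIL
2026-02-15T09:00:02 203.0.113.7 bob@example.com.au FAIL
2026-02-15T09:00:03 203.0.113.7 carol@example.com.au FAIL
2026-02-15T09:00:04 203.0.113.7 dave@example.com.au FAIL
2026-02-15T09:00:05 203.0.113.7 erin@example.com.au FAIL
2026-02-15T09:00:06 203.0.113.7 frank@example.com.au OK
2026-02-15T09:00:07 203.0.113.7 grace@example.com.au FAIL
2026-02-15T09:05:00 198.51.100.20 alice@example.com.au FAIL
2026-02-15T09:05:30 198.51.100.20 alice@example.com.au OK
"""


def parse_log(text):
    """Parse lines into events; usernames are lower-cased so case variants collapse."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user.lower(), "ok": result == "OK"})
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, max_success_rate=0.3):
    """Return {ip: finding} for sources that hit many distinct accounts in one window.

    A stuffing run is many different usernames from one source with mostly
    failures; a locked-out legitimate user is one username with many failures,
    which this deliberately does not flag.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_win}
            if len(users) < min_accounts:
                continue
            ok_events = [e for e in in_win if e["ok"]]
            rate = len(ok_events) / len(in_win)
            if rate <= max_success_rate:
                findings[ip] = {"attempts": len(in_win), "accounts": len(users),
                                "success_rate": round(rate, 3),
                                "compromised": sorted({e["user"] for e in ok_events})}
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The second source in the sample (one user, one failure, then a success) is the ordinary typo-and-retry pattern and is left alone; the first is flagged because seven distinct accounts were tried in six seconds with one hit. Tune min_accounts and the window to your own baseline, and treat the compromised list as the first candidates for an enforced password reset and session revocation.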

Business Email Compromise (BEC)

Once an attacker has access to a legitimate business email account, they can:

  • Send fraudulent invoices to your clients with modified bank details
  • Intercept conversations about pending payments and redirect funds
  • Access sensitive documents shared via email or cloud storage
  • Impersonate executives to authorise fraudulent transfers
  • Harvest further credentials by sending internal phishing emails from a trusted address
  • Add inbox rules that forward, hide or delete replies so the fraud goes unnoticed

The Australian Competition and Consumer Commission (ACCC) reports that BEC attacks cost Australian businesses tens of millions of dollars annually, and the average loss per incident continues to rise.

Compliance and Legal Exposure

Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, entities covered by the Act (most businesses with an annual turnover above $3 million, plus some smaller ones such as health service providers) must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of data breaches that are likely to result in serious harm. If an attacker uses breached credentials to access your systems and read or exfiltrate customer data, you may have a reportable breach on your hands, even though the original breach was of someone else's service.

---

What Our Scan Tells You

When you run a free security assessment through our platform, the breach check component:

  1. Identifies common email patterns for your domain (info@, admin@, accounts@, plus any we discover through OSINT)
  2. Checks each address against aggregated breach databases
  3. Reports which breaches each email appeared in, when the breach occurred, and what data types were exposed
  4. Calculates a risk score based on the number of breaches, recency, and types of data exposed

This gives you an immediate picture of your credential exposure without needing to check each email address manually.
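One way to turn breach lookup results into the kind of risk score described in step 4, as an added example that is not code from the article or from Affinity MSP's platform: the breach catalogue, the lookup results and the addresses are constructed, and the data-class weights and the three-year half-life are assumptions chosen to show scoring on count, recency and data type. A real scan would populate BREACHES and EXPOSURE from a breach directory lookup.

```python
"""Score a domain's credential exposure from breach lookup results.

Added example, not code from the article or from Affinity MSP's scanning
platform. The breach catalogue, the lookup results and the addresses are
constructed; the data-class weights and the three-year half-life are
assumptions chosen to illustrate scoring on count, recency and data type.
"""
from datetime import date

SCAN_DATE = date(2026, 2, 15)  # constructed scan date

# Constructed breach catalogue in the shape of a typical breach directory
# entry: name -> breach date and the classes of data that were exposed.
BREACHES = {
    "ExampleForum": {"date": date(2019, 3, 1),
                     "data": ["Email addresses", "Passwords"]},
    "OldSaaS": {"date": date(2012, 6, 1),
                "data": ["Email addresses", "Password hints"]},
    "RecentHRTool": {"date": date(2025, 11, 1),
                     "data": ["Email addresses", "Passwords", "Phone numbers"]},
}

# Constructed lookup result: address -> breaches it was found in.
EXPOSURE = {
    "accounts@example.com.au": ["OldSaaS"],
    "j.smith@example.com.au": ["ExampleForum", "RecentHRTool"],
    "info@example.com.au": [],
}

# Assumed weight per exposed data class: how directly an attacker can reuse it.
DATA_CLASS_WEIGHT = {"Passwords": 5, "Password hints": 2,
                     "Phone numbers": 1, "Email addresses": 1}


def recency_factor(breach_date, today, half_life_years=3.0):
    """Exponential decay: a breach's weight halves every half_life_years."""
    age_years = (today - breach_date).days / 365.25
    return 0.5 ** (age_years / half_life_years)


def score_address(breach_names, today, breaches=BREACHES):
    """Sum of (data-class severity x recency) over the breaches an address is in."""
    total = 0.0
    for name in breach_names:
        b = breaches[name]
        severity = sum(DATA_CLASS_WEIGHT.get(dc, 1) for dc in b["data"])
        total += severity * recency_factor(b["date"], today)
    return round(total, 2)


def priority(breach_names, breaches=BREACHES):
    """Action tier: any leaked password (hash or plaintext) means reset now."""
    if any("Passwords" in breaches[n]["data"] for n in breach_names):
        return "reset_now"
    return "review" if breach_names else "none"


def domain_report(exposure, today, breaches=BREACHES):
    """Per-address findings sorted by score, plus domain-level counts."""
    rows = []
    for addr, names in exposure.items():
        rows.append({"address": addr,
                     "breaches": list(names),
                     "score": score_address(names, today, breaches),
                     "priority": priority(names, breaches)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return {"findings": rows,
            "exposed": sum(1 for r in rows if r["breaches"]),
            "reset_now": [r["address"] for r in rows if r["priority"] == "reset_now"]}


if __name__ == "__main__":
    report = domain_report(EXPOSURE, SCAN_DATE)
    for row in report["findings"]:
        print(row)
    print("exposed:", report["exposed"], "reset now:", report["reset_now"])
```

The decay is what keeps a 2012 password-hint leak from ranking alongside a three-month-old breach that exposed passwords, while the priority tier is deliberately not decayed: an exposed password is a reset-now finding however old the breach, because the reused password may still be in service.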

---

What You Should Do Right Now

1. Run the Scan

If you have not already, run a free security scan on your domain. The breach check runs automatically and the results appear in your report within minutes.

2. Enforce Password Resets

For any email addresses that appear in breach databases, force an immediate password reset on all business systems. Do not simply notify the employee and ask them to change it -- enforce the reset so it cannot be deferred. A reset alone does not end sessions that are already open: in Microsoft 365 and Google Workspace, also revoke the user's active sessions and refresh tokens, and check the mailbox for forwarding or inbox rules an attacker may have added.

3. Implement Multi-Factor Authentication (MFA)

MFA is the single most effective defence against credential-based attacks: a valid username and password alone no longer gets an attacker in. The method matters, though. SMS codes and plain push approvals can still be defeated by real-time phishing proxies or by bombarding the user with approval prompts, so prefer phishing-resistant options (FIDO2 security keys or passkeys) where the platform supports them, and turn on number matching for push prompts where it does not.

Priority MFA targets:

  • Microsoft 365 or Google Workspace (email and document access)
  • VPN and remote access systems
  • Financial systems (accounting, banking, payroll)
  • CRM and client data systems
  • IT administration consoles

MFA should be mandatory, not optional. Any system that supports it should have it enabled.

4. Deploy a Password Manager

Password reuse happens because people cannot remember unique complex passwords for dozens of services. A business password manager solves this by generating and storing unique passwords for every account.

Modern password managers also check saved passwords against known breach corpora (typically via a k-anonymity lookup, so the password itself is never sent to the service) and prompt the user to change any that match.
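How that breach check works without exposing the password, as an added example that is not code from the article or from any particular password manager: the Python below follows the Pwned Passwords range protocol used by Have I Been Pwned, in which the client sends only the first five hex characters of the SHA-1 hash and the server returns every known hash suffix in that range with a count. The in-memory server (build_fake_ranges, fake_fetch_range) and the occurrence counts are constructed so the example runs offline; a real client would GET https://api.pwnedpasswords.com/range/<prefix> over HTTPS instead.

```python
"""Breached-password check with a k-anonymity range lookup.

Added example, not code from the article or from any particular password
manager. It follows the Pwned Passwords range protocol used by Have I Been
Pwned: the client sends only the first five hex characters of the SHA-1 hash
of the password and receives every known suffix in that range with a count,
so the password never leaves the device. The in-memory server below is
constructed so the example runs offline; a real client would GET
https://api.pwnedpasswords.com/range/<prefix> over HTTPS instead of calling
fake_fetch_range.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_ranges(breached_counts):
    """Constructed stand-in for the server: {prefix: 'SUFFIX:count\\r\\n...'}.

    breached_counts maps plaintext passwords to constructed occurrence counts.
    Real responses also contain unrelated suffixes in the same range; one
    dummy entry per range stands in for that.
    """
    ranges = defaultdict(list)
    for pw, count in breached_counts.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    for prefix in ranges:
        ranges[prefix].append("0" * 35 + ":1")  # constructed filler suffix
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges({
    "password": 3861493,    # constructed count
    "Summer2025!": 120,     # constructed count
})


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS GET; unknown ranges return no lines."""
    assert len(prefix) == 5, "only a 5-character hash prefix is ever sent"
    return FAKE_RANGES.get(prefix, "")


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:count' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).

    Only the 5-character prefix is sent; the suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Summer2025!", "gX7#v2qLp9!mZ4wR"):
        n = breach_count(pw)
        print(f"{pw!r}: {('seen ' + str(n) + ' times') if n else 'not found'}")
```

The server learns a 5-character prefix shared by hundreds of hashes, never the password or its full hash. Against the real API, add the Add-Padding: true request header so the response size does not reveal which range was queried, and treat any non-zero count as a reset trigger rather than only large ones.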

5. Monitor Ongoing Breach Exposure

Breach exposure is not a one-time check. New breaches are disclosed regularly, and employee email addresses may appear in future compromises. Set up ongoing monitoring so you are alerted when new exposure is detected.

6. Educate Your Team

Your employees are not intentionally putting the business at risk. Most people simply do not understand the connection between using their work email on a third-party site and the potential for that credential to be used against the business. Brief, practical security awareness training changes behaviour.

---

The Affinity MSP Approach

We do not just identify the problem -- we help you fix it and prevent recurrence. Our managed security services include:

  • Ongoing breach monitoring for all business email addresses with immediate alerting
  • MFA deployment and management across all business systems
  • Password policy enforcement aligned with current ACSC guidance
  • Security awareness training tailored to your team and industry
  • Incident response if compromised credentials are detected in use

Book a free consultation to review your scan results and build a credential security strategy for your business.

---

The breach statistics in this article are based on anonymised, aggregated data from our scanning platform. For more details on our platform findings, read our full data insights article.
