## Why It Matters

Reused and leaked passwords are the most common way accounts get taken over. If a team member's email and password were exposed in a breach somewhere else, an attacker can try the same credentials on your Kit account. Breach monitoring gives you an early warning so you can rotate the password before that happens.

> [!NOTE]
> Breach monitoring is included on paid plans. It runs automatically — there's nothing to set up.

## How It Works

Once a day, Kit checks every team member's login email against [Have I Been Pwned](https://haveibeenpwned.com), the industry-standard database of known credential breaches.

- The check covers the **login emails of people on your account** — not candidates, prospects, or other contacts.
- The first time an email is checked, Kit records its existing breaches quietly as a baseline. You are **not** alerted about old, historical leaks.
- After that, you're alerted only when an email turns up in a breach that was **recently added to Have I Been Pwned** — a genuinely new exposure, not a re-listing of an old one.
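The baseline-then-diff behaviour described above, as an added illustration (not Kit's own code): a monitor records the breach names it has already seen for each login email, stays silent on the first check, and afterwards alerts only on breaches it has not seen before whose `added_date` falls inside a recency window. The `Breach` records, the 30-day window and the sample data are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed recency window; the page only says "recently".
RECENT_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Breach:
    """Minimal model of one breach-database record (constructed for this example)."""
    name: str          # breach name, e.g. "ExampleForum"
    added_date: date   # day the breach was loaded into the breach database


@dataclass
class BreachMonitor:
    # Per login email, the set of breach NAMES already seen. Only names are
    # kept, never passwords, matching the privacy model described on this page.
    baseline: dict[str, set[str]] = field(default_factory=dict)

    def check(self, email: str, breaches: list[Breach], today: date) -> set[str]:
        """Return the names of breaches that should raise an alert for `email`."""
        seen = self.baseline.get(email)
        current = {b.name for b in breaches}

        if seen is None:
            # First check: record historical breaches quietly, alert on nothing.
            self.baseline[email] = current
            return set()

        # Alert only on breaches that are both unseen AND recently added.
        # A breach that is unseen but old (e.g. backfilled into the database)
        # is absorbed into the baseline without an alert.
        alerts = {
            b.name for b in breaches
            if b.name not in seen and today - b.added_date <= RECENT_WINDOW
        }
        self.baseline[email] = seen | current
        return alerts
```

Each email's alerts fire once: a breach that triggered yesterday is in the baseline today and is not reported again.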

## What Triggers an Alert

A new, recent breach for a team member's email. When that happens:

| Who is notified | How |
|---|---|
| **The affected team member** | In-app notification + email |
| **Account admins** | In-app notification + email |

This lets the person act on their own account and lets admins enforce a reset across the team.

## What to Do When You're Alerted

> [!WARNING]
> Treat a breach alert as a prompt to act today, not later.

- [ ] Change the password on the affected Kit account immediately.
- [ ] Turn on two-factor authentication if it isn't already.
- [ ] Stop reusing that password anywhere else — use a unique password per site.

## Your Privacy

Have I Been Pwned only reveals **which sites** were breached — never your actual password. Kit never sees or stores your credentials, and stores only the names of the breaches an email appeared in. No passwords, ever.

## Controlling Notifications

Breach alerts are part of the **Security alerts** category in your notification settings. You can adjust email delivery from [Email & Notification Preferences](/docs/email-preferences) — though we strongly recommend leaving security alerts on.

## Quick Checklist

- [ ] Confirm your account is on a paid plan (monitoring is automatic).
- [ ] Make sure your team's login emails are current.
- [ ] Keep **Security alerts** enabled in your preferences.
- [ ] Have a password-reset plan ready for when an alert arrives.

## See Also

- [Email & Notification Preferences](/docs/email-preferences)
- [Custom Domains](/docs/custom-domains)