{
  "id": "2Sx7R4CGxcRmr5gV",
  "name": "Automated Data Breach Monitor with  HIBP API",
  "tags": [],
  "nodes": [
    {
      "id": "5d16601e-79e7-4071-a0f0-dce718bf3e25",
      "name": "Schedule Trigger",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        0,
        0
      ],
      "parameters": {
        "rule": {
          "interval": [
            {}
          ]
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "15146ef4-c973-437d-aaa0-961a9ce6f671",
      "name": "List Emails to Check",
      "type": "n8n-nodes-base.code",
      "position": [
        208,
        0
      ],
      "parameters": {
        "jsCode": "const emailsToCheck = [\n    \"user@example.com\",\n    \"user@example.com\",\n    \"user@example.com\"\n];\n\nreturn emailsToCheck.map(email => ({\n    json: { email: email }\n}));"
      },
      "typeVersion": 2
    },
    {
      "id": "d7fcb0a4-307b-4454-a515-615bb32614da",
      "name": "Query HIBP API",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        416,
        0
      ],
      "parameters": {
        "url": "=https://api.pwnedpasswords.com/range/{{ encodeURIComponent($json.email) }}",
        "options": {}
      },
      "typeVersion": 4.2
    },
    {
      "id": "e7201557-fd32-4bca-a6c8-e053df5553b3",
      "name": "Is Breached?",
      "type": "n8n-nodes-base.if",
      "position": [
        624,
        0
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "5ceba6a6-a52f-4ed8-85b8-5e68e0cda8ac",
              "operator": {
                "type": "string",
                "operation": "notEquals"
              },
              "leftValue": "={{ $json.body }} ",
              "rightValue": "[]"
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "d7bfc8f4-9067-40ce-ae3c-8f96203404fc",
      "name": "Send High-Priority Alert",
      "type": "n8n-nodes-base.slack",
      "position": [
        880,
        0
      ],
      "parameters": {
        "text": "=\ud83d\udea8 *URGENT: Data Breach Alert!* \ud83d\udea8\\nEmail address *{{ $json.email }}* was found in a data breach.\\nImmediate action is required!",
        "user": {
          "__rl": true,
          "mode": "id",
          "value": "[YOUR_SECURITY_ALERT_CHANNEL_ID]"
        },
        "select": "user",
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "0375f848-bb60-42cb-9c69-23d2d5fb0c26",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -64,
        -48
      ],
      "parameters": {
        "width": 1184,
        "height": 240,
        "content": "## Flow"
      },
      "typeVersion": 1
    },
    {
      "id": "02e3c3f0-0cf3-4bf3-9b7b-4b6bec91d354",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -64,
        240
      ],
      "parameters": {
        "color": 5,
        "width": 1184,
        "height": 1200,
        "content": "## Problem\nAs an AI Agent developer, you know that one of the biggest threats to businesses is compromised credentials. Employees often use corporate emails to sign up for third-party services. When those services are breached, their credentials can leak, and attackers can use them to try and gain access to your internal systems (known as a **credential stuffing attack**). Manually monitoring every email account for breaches is an impossible task.\n\n## Solution\nThis n8n workflow offers a proactive and efficient solution. It **periodically checks a list of company email addresses against the HaveIBeenPwned (HIBP) API**\u2014a trusted database of leaked credentials. If an email address is found in a data breach, the workflow will immediately send an **urgent alert to Slack**, allowing your security team to take swift action, such as forcing a password reset or temporarily suspending the account, before attackers can exploit the leaked data.\n\n## For Whom\nThis simple yet vital automation is ideal for:\n* **Security & IT Teams:** To proactively monitor at-risk credentials.\n* **System Admins & HR:** To detect security risks on employee accounts.\n* **Small and Medium-Sized Businesses (SMEs):** To implement a strong, yet easy-to-deploy, layer of foundational security.\n* **Any Organization:** That wants to reduce the risk of credential stuffing attacks and protect internal data.\n\n---\n\n## Scope\n* **What it does:**\n    * Runs on a customizable schedule (e.g., every week).\n    * Checks a list of specified email addresses against the HaveIBeenPwned database.\n    * Sends a detailed, urgent alert to a designated Slack channel if a breach is detected for an email.\n* **What it doesn't do:**\n    * This workflow **does not automatically fix the issue** or reset passwords. It is a detection and alerting tool only.\n    * It does not monitor other security vectors, such as network activity or file changes.\n\n---\n\n### How to Set Up\nHere is a step-by-step guide to implement this workflow in your n8n instance.\n\n1.  **Prepare Your Credentials**\n    * **HIBP API Key:** You need to get an **API key** from haveibeenpwned.com. This key is required to access the API.\n    * **Slack Credential:** Create a **Slack credential** in n8n. Note the **Channel ID** of your security alert channel (e.g., `#security-alerts`).\n\n2.  **Import the Workflow JSON**\n    * Create a new workflow in n8n and import the JSON code (which was provided in a previous response).\n\n3.  **Configure the Nodes**\n    * **Scheduled Check (Cron):** Set the schedule according to your preference (e.g., every Monday at 8:00 AM).\n    * **List Emails to Check (Code):** Open this node and **edit the `emailsToCheck` array**. Enter the list of company email addresses you want to monitor.\n    * **Query HIBP API (HTTP Request):** Open this node and in the \"Headers\" section, add the header `hibp-api-key` with the value of your HIBP API key.\n    * **Send High-Priority Alert (Slack):** Select your **Slack credential** and replace `YOUR_SECURITY_ALERT_CHANNEL_ID` with your actual **Channel ID**.\n\n4.  **Test and Activate**\n    * **Manual Test:** Run the workflow manually. You can test with a known breached email address (you can find examples online) to ensure the alert is triggered.\n    * **Verify Output:** Check your specified Slack channel to confirm that the alert is sent with the correct information.\n    * **Activate:** Once you're confident in its function, activate the workflow. n8n will now automatically monitor your important accounts for data breaches on the schedule you set."
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "c349e3f7-69f0-4039-9b6f-5dd5a0787987",
  "connections": {
    "Is Breached?": {
      "main": [
        [
          {
            "node": "Send High-Priority Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Query HIBP API": {
      "main": [
        [
          {
            "node": "Is Breached?",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Schedule Trigger": {
      "main": [
        [
          {
            "node": "List Emails to Check",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "List Emails to Check": {
      "main": [
        [
          {
            "node": "Query HIBP API",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}