Breached Password Detected with No Email Received or `pwd_leak` Event Logged

Problem statement

When a breached password is detected, no email notification is sent to the user or the tenant admin, and no `pwd_leak` event is logged in the tenant logs.

Solution

When a compromised credential (breached password) is detected, Auth0 takes the following actions:

  1. Block compromised user accounts
  2. Send notifications to users with the URL to change their password
  3. Send notifications to tenant admins with compromised credentials
  4. Log a `pwd_leak` event in the tenant logs with the compromised credentials

Throttling is applied to actions 2, 3, and 4:

  • For action 2, notifications to users are sent once per hour per user
  • For action 3, notifications to the tenant admin are sent once per hour per IP
  • For action 4, tenant log events are generated once per hour per IP

If the emails are not received or the tenant log event is not observed, check whether the detection falls within the throttling period; if it does, the missing email or log event is expected behavior.
There is no throttling for action 1, so the user account is always blocked if a compromised credential (breached password) is detected.
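The throttling rules above, modelled as an added example (this is not Auth0's implementation): each detection reports which of the four actions would fire, with action 1 never throttled, action 2 keyed per user, and actions 3 and 4 keyed per IP. The user IDs, the IP `203.0.113.5` and the timestamps are constructed for the illustration.

```python
from datetime import datetime, timedelta

THROTTLE = timedelta(hours=1)  # once per hour, per the rules above


class BreachedPasswordPolicy:
    # Constructed model of the four actions and their throttling windows.
    def __init__(self):
        self.blocked_users = set()
        self.last_user_email = {}   # user_id -> time of last user notification
        self.last_admin_email = {}  # ip -> time of last tenant-admin notification
        self.last_log_event = {}    # ip -> time of last pwd_leak log event

    @staticmethod
    def _throttled(table, key, now):
        last = table.get(key)
        return last is not None and now - last < THROTTLE

    def detect(self, user_id, ip, now):
        actions = {"block": True}  # action 1: always, no throttling
        self.blocked_users.add(user_id)

        # action 2: once per hour per user
        actions["user_email"] = not self._throttled(self.last_user_email, user_id, now)
        if actions["user_email"]:
            self.last_user_email[user_id] = now

        # action 3: once per hour per IP
        actions["admin_email"] = not self._throttled(self.last_admin_email, ip, now)
        if actions["admin_email"]:
            self.last_admin_email[ip] = now

        # action 4: once per hour per IP
        actions["pwd_leak_log"] = not self._throttled(self.last_log_event, ip, now)
        if actions["pwd_leak_log"]:
            self.last_log_event[ip] = now
        return actions


def simulate():
    # Two different users hit from the same IP within the hour: the second user
    # still gets an email, but no admin email and no pwd_leak log event appear.
    policy = BreachedPasswordPolicy()
    t0 = datetime(2024, 1, 1, 10, 0)
    first = policy.detect("alice", "203.0.113.5", t0)
    second = policy.detect("bob", "203.0.113.5", t0 + timedelta(minutes=20))
    third = policy.detect("alice", "203.0.113.5", t0 + timedelta(minutes=30))
    later = policy.detect("bob", "203.0.113.5", t0 + timedelta(hours=1, minutes=1))
    return first, second, third, later
```

Because actions 3 and 4 are keyed by IP rather than by user, several distinct accounts compromised from one source address within an hour produce a single admin email and a single `pwd_leak` log entry, even though every account is blocked.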