User Account is Not Blocked When 'Block compromised user accounts' Feature is Enabled

Problem statement

Enabling "Block compromised user accounts" under Response > Block Settings in Attack Protection > Breached Password Detection does not appear to block the user account. When reviewing the user's details in the Auth0 dashboard, there is no indication that the account is blocked, unlike in a Brute-Force Protection scenario.

Solution

This behavior is functioning as designed. Breached Password Detection checks the user's password on every login attempt. It does not set a flag on the user's account that can later be cleared, as Brute-Force Protection does, so the account appears as not blocked when reviewed. However, logins with the breached password will continue to be rejected until the user changes their password.
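The distinction above (a clearable per-account block versus a check that is re-evaluated at every login) is easy to confirm from the Management API responses rather than the dashboard. The following is an added example, not Auth0's code or part of the original article: it takes the JSON you would get from the user record, the user-blocks endpoint and the breached-password-detection settings, and reports which kind of block, if any, applies. The field names (`blocked`, `blocked_for`, `enabled`, `shields` with the `"block"` value) follow the Management API as the author understands it and are assumptions here; the sample payloads are constructed.

```python
"""Explain why a user appears 'not blocked' while breached-password logins are rejected.

Added example (not part of the Auth0 article). Field names are assumptions based on
the Auth0 Management API:
  GET /api/v2/users/{id}                                   -> user record ("blocked")
  GET /api/v2/user-blocks/{id}                             -> brute-force blocks ("blocked_for")
  GET /api/v2/attack-protection/breached-password-detection -> settings ("enabled", "shields")
"""
from dataclasses import dataclass


@dataclass
class AccountStatus:
    admin_blocked: bool          # administrative block: a flag on the user record
    brute_force_blocked: bool    # brute-force block: clearable entries in user-blocks
    breached_block_active: bool  # breached-password 'block' shield: enforced per login, no flag


def summarize_account(user: dict, user_blocks: dict, bpd_settings: dict) -> AccountStatus:
    """Combine the three API responses into one status (constructed field names)."""
    admin_blocked = bool(user.get("blocked", False))
    brute_force_blocked = len(user_blocks.get("blocked_for", [])) > 0
    breached_block_active = (
        bool(bpd_settings.get("enabled", False))
        and "block" in bpd_settings.get("shields", [])
    )
    return AccountStatus(admin_blocked, brute_force_blocked, breached_block_active)


def login_would_be_rejected(status: AccountStatus, password_is_breached: bool) -> bool:
    """Model the login outcome described in the article.

    Admin and brute-force blocks reject regardless of the password. The breached-password
    shield only rejects while the supplied password is a known-breached one, which is why
    a password change lifts it without any flag to clear.
    """
    if status.admin_blocked or status.brute_force_blocked:
        return True
    return status.breached_block_active and password_is_breached


def explain(status: AccountStatus) -> str:
    """Human-readable note for an operator who sees 'not blocked' in the dashboard."""
    if status.admin_blocked:
        return "Account is administratively blocked (user.blocked = true)."
    if status.brute_force_blocked:
        return "Account has brute-force blocks; clear them via the user-blocks endpoint."
    if status.breached_block_active:
        return ("No block flag on the account. Breached Password Detection's 'block' shield "
                "is enabled, so logins with a breached password are rejected at each attempt "
                "until the user changes the password.")
    return "No block in effect."


# Constructed sample payloads (not real tenant data).
SAMPLE_USER = {"user_id": "auth0|example-user", "email": "user@example.com", "blocked": False}
SAMPLE_USER_BLOCKS = {"blocked_for": []}
SAMPLE_BPD_SETTINGS = {"enabled": True, "shields": ["block", "admin_notification"]}

if __name__ == "__main__":
    status = summarize_account(SAMPLE_USER, SAMPLE_USER_BLOCKS, SAMPLE_BPD_SETTINGS)
    print(explain(status))
    print("breached password login rejected:", login_would_be_rejected(status, True))
    print("new (non-breached) password login rejected:", login_would_be_rejected(status, False))
```

Running it against the constructed payloads shows the situation from the problem statement: `blocked` is false and there are no user-blocks entries, yet the login is rejected as long as the password is breached, and succeeds once it is not.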