BreachWatch provides organizations oversight of the vulnerability of user's passwords through active monitoring of dark web breach data. Users and administrators are notified if any of their passwords in a record have been used in publicly known breach that could leave your organization vulnerable to a credential stuffing attack, or an account takeover.

End User View

BreachWatch will prompt the user on their client device to resolve the breached password by either resetting to a new password or ignoring it. If a password is ignored, then that record will be skipped on future scans until the password is reset. The user may also do nothing (deferring a response) and leaving the risky password unchanged and thus still "at risk".

Admin Console

BreachWatch provides a dashboard overview and a summary table in the Admin Console showing how users have dealt with these notifications.

If users have "At Risk" or "Ignored' passwords the admin can take action by clicking on the user's name to pull up a user details information in order to send an email to the user, or take some other actions.

The total shown in this table does not include SHARED records, only those records the users owns are shown. In addition, if a record does not have a password in it, it will not be shown in the count.

Reporting & Alerts

If the optional Advanced Reporting & Alerts module is installed, then BreachWatch specific events are sent from the devices/clients and can be used to report activity with a variety of filters, and/or generate an alert.

IMPORTANT: To activate event-level reporting of BreachWatch data to the Advanced Reporting & Alerts Module you must enable the event role enforcement policy under the specific role > Enforcement Settings > Vault Features screen.

Sample BreachWatch Report

Deployment & Reporting Enablement

1) All end user devices with the Keeper Password Manager application should be updated as they now support the sending of password status and events data to the console.

2) The BreachWatch capability can be deployed selectively to your organization via Role Enforcements. The "Pause BreachWatch on Devices" toggle controls whether devices send events for reporting purposes, and whether to pause the service so it will not appear on the user's devices at all. Note that enabling events to the reporting module will send record event metadata (User Email, Record UID, IP Address and Device Type) from Keeper’s backend to any connected SIEM product.

3) If you do not want to deploy BreachWatch to your entire organization at once you can control with the Pause BreachWatch toggle. Users in this node will not have BreachWatch enabled on their client devices.


BreachWatch is a Zero Knowledge architecture that uses a number of layered techniques to protect our customer’s information. For detailed technical information regarding the security and encryption model of BreachWatch, please visit the BreachWatch section on the Security Disclosure page of our website: