4iT IT Support Sydney | Your Reliable Sydney IT Support Partner

Insights & News

Has My Business Been Breached? How to Check (Australian SME)

To check whether your business has been caught in a data breach, start with a dark web or breach-exposure scan of your domain and staff email addresses, review Microsoft 365 sign-in logs for anything unusual, and watch for the practical warning signs like unexpected password resets or invoice queries from clients. Most SMEs never get a tidy notification that they have been breached. They find out from the symptoms, or they find out too late.

Office monitor showing an email inbox and security alert on a desk

Key facts

  • A breach-exposure or dark web scan checks whether your domain and staff credentials appear in known breach data, and is the most direct way to check proactively.
  • Many breaches are third-party: your staff credentials leak because another website they used was breached, not because your own systems were attacked.
  • Practical warning signs include unexpected sign-ins, mailbox rules nobody created, clients querying invoices with changed bank details, and password resets no one requested.
  • The OAIC received 595 data breach notifications in the second half of 2024, the highest half-year total since the Notifiable Data Breaches scheme began in 2018.
  • Finding an exposure early turns it into a password reset. Finding it late turns it into invoice fraud, a data breach notification, or a ransomware incident.

How can you check if your business has been breached?

The most direct check is a dark web or breach-exposure scan against your business domain and staff email addresses, which searches known breach databases and credential dumps for anything tied to you. This is what dark web monitoring does on an ongoing basis, but a one-off scan is a reasonable starting point to see your current exposure. Alongside that, review the sign-in and audit logs on your core systems, Microsoft 365 in particular, for logins from unfamiliar locations or devices. The scan tells you whether credentials have leaked. The logs tell you whether anything has been done with them.

What are the warning signs of a breach?

The clearest signs are the practical ones your staff or clients notice before any technical alert fires. Watch for account lockouts and password resets nobody requested, mailbox rules that auto-forward or delete messages that no one set up, sent emails that staff did not send, and clients calling to query an invoice or a change of bank details they were emailed. That last one is the signature of business email compromise, where an attacker inside a mailbox quietly redirects a payment. In the SMEs we support, the breach is often first spotted not by IT but by an accounts person noticing a client paid the wrong bank account. By then it has already cost money.

Why might you be breached without being attacked directly?

Most credential exposure comes from someone else's breach, not your own. A staff member reuses a work password on a personal account or a third-party service, that service gets breached, and the work credential ends up in a dump that gets traded and tested against business logins. Your own systems were never touched, but your exposure is real. This is why "we haven't been hacked" is not the same as "our credentials aren't exposed". The two are different questions, and only one of them is answered by looking at your own systems. The other needs you to look at where leaked data circulates.

What should you do if a check finds something?

If a scan or a warning sign turns up an exposure, treat it as a compromised credential and work the response: reset the affected password immediately, confirm multi-factor authentication is enabled, and check the account for signs of misuse like unfamiliar sign-ins or mailbox rules. If you find evidence the credential was used, escalate it to a proper investigation rather than a quiet reset, because an attacker who has been inside a mailbox may have set up more than one way back in. And if customer personal information was exposed, consider your obligations under the Notifiable Data Breaches scheme early, because the clock on notification starts when you become aware.

Frequently asked questions

Is there a free way to check if my business has been breached?

There are free breach-check tools that let you look up an email address against known breaches, and they are a reasonable first look. Their limitation is that they are point-in-time and cover only breaches that have been made public and indexed. Ongoing dark web monitoring covers more sources and alerts you when something new appears, rather than relying on you to remember to check.

How often should we check for breaches?

A one-off check tells you your exposure today, but exposure changes every time a new breach happens somewhere your staff have accounts. That is the case for continuous monitoring rather than occasional manual checks: the useful version of this is always-on, so a newly leaked credential surfaces within days rather than whenever someone next thinks to look.

Does a breach always mean our systems were hacked?

No. Very often the exposure comes from a third-party breach involving a reused password, with your own systems untouched. That still matters, because the leaked credential can be used against your business logins. It also means checking only your own systems gives false comfort. You need to check both your systems and whether your credentials are circulating.

What is the first sign most businesses notice?

For many SMEs it is a money-related one: a client querying an invoice with bank details that were changed without authorisation, which is the hallmark of business email compromise. Others notice password resets or logins they did not initiate. The technical signals are usually there earlier in the logs, but the human-noticed signs are what tend to trigger the phone call to IT.

If you want a clear answer to whether your business credentials are already exposed, that is a straightforward thing for us to check. Call 4iT on 1800 367 448 or book a chat, and we will run the exposure check and tell you what, if anything, needs actioning.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including breach detection, credential monitoring, Microsoft 365 hardening, and incident response, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.

Recent Posts

Scroll to Top