Proton Pass has launched Dark Web Monitoring

Today we’re excited to launch another feature for everyone with a paid Proton plan: Dark Web Monitoring for credential leaks. You’ll find it in our new Security Center in Proton Mail, and in your Security and Privacy settings.

Dark Web Monitoring scans hidden parts of the internet for Proton Mail email addresses that have ended up in illegal data markets. If our system detects a breach that affected one of your accounts used to sign up to a third party website, you’ll receive a Security Center alert along with actions you can take to mitigate the risk.

Proton’s dark web detection continuously scans dark web hubs associated with illicit activities, such as hacking forums and markets, searching databases for emails contained in data breaches that use any of Proton’s 19 email domains (for example,,, etc.) as well as any other information associated with those email addresses (like stolen credit card details, for example). We use our own threat intelligence datasets that are also enriched with data from Constella Intelligence, a leader in digital threat management. No user data is ever shared with third parties, but we do analyze reports from third parties any time they find leaked information or data stolen in a hack from a third-party online service that’s tied to a Proton Mail email address or a Proton Pass alias.

Dark Web Monitoring will show all known breaches that have affected your accounts over the last two years. While all breaches carry risks, we highlight the breaches you should prioritize with a red indicator. These breaches require immediate attention, typically to change passwords that were exposed as plaintext or weakly hashed (for example, using MD5).

Orange notifications show breaches that affected your accounts but where either no password was leaked, or where your password was encrypted or strongly hashed (for example, with SHA256 or bcrypt). Note that these breaches can still expose sensitive personal information.


I like that they use Constella Intelligence and their own intelligence instead of becoming yet another service that uses HIBP. It’s unfortunate that they only monitor Proton domains and not custom domains or SimpleLogin.


Yeah, lack of support for SimpleLogin aliases is a huge bummer for me :sob:

They did say that they will bring this feature to custom domains, Proton Pass and SimpleLogin aliases.

It works with Proton Pass currently. What they said was that they’d bring “similar but separate” functionality to SimpleLogin :thinking:

It seems that even now, SimpleLogin already notifies if one of your aliases has been in a data breach.


Oh yeah, there is HIBP integration. Kind of forgot about that actually. My understanding is that it doesn’t work with custom SimpleLogin domains though, and I’d really prefer everything integrated in one place.

People with a custom domain can still use Have I Been Pwned: Domain search of course, but this new service from Proton uses a different dataset than HIBP, so there could be some data SimpleLogin users are missing out on.

Or, there could be some data Proton users are missing out on? I’m not sure why they don’t use HIBP data as well.

What I’m confused about is this:

Proton only has 4 domains, plus 4 alias domains in Proton Pass. SimpleLogin has 9 domains.

  • Does that mean they’re including SimpleLogin domains in these 19, and non-custom SimpleLogin domains are monitored, or is this part of the documentation wrong as well?
  • What are the other 3 domains being monitored?
  • Why didn’t they just list all 19 domains to make it clear?

@Son please help us out with this confusing product launch lol :pray:


From reading through the comments on this Reddit post, it seems that this only affects Proton Mail domains (proton(.)me, protonmail(.)com, protonmail(.)ch and pm(.)me). They will expand this feature to Proton Pass as well, which will be a separate implementation / feature.

Custom domains are planned and should be out soon from what they have said.


I saw the announcement regarding this new service on Reddit. Can anyone clarify how this service differs from HIBP?

Also, I saw another member quote that Mike Rogers, a former member of the intelligence community, is on the board of directors of Constella Intelligence? Is this a red flag?

From the comments above, I think they are using a different database / service than HIBP?

Hey, SL will launch aliases breach monitoring with HIBP soon. This feature has actually been beta tested for a while now, but we made it more stable and scalable enough recently. This will cover all aliases, including those created with custom domains. This is independent of the Dark Web Monitoring feature in Proton Mail.

I’ll ask about the 19 domains and will let you know.