Where does the "Breaches" and "infostealers" data come from?
Data breaches come from haveibeenpwned.com.
Infostealers come from hudsonrock.com.
Riot is connected to their APIs. A new breach can take up to 24 hours to appear in the platform.
Why can a breach appear in Riot several days after its "publication date"?
The "publication date" corresponds to the date the breach was made public.
But the identification of impacted email addresses can happen later (sometimes weeks/months).
→ This is why the notification (on the admin or employee side) is not always immediate after publication.
Which email addresses appear in the admin interface: professional or personal?
The admin interface displays only professional email addresses.
Data related to personal addresses is only visible to the employee in their portal.
Can my employees add personal email addresses? How many maximum?
Yes, if the feature is enabled, an employee can add up to 10 personal email addresses from the settings on app.tryriot.com.
If we enable personal address monitoring, do admins see alerts related to personal addresses?
No. Breaches related to personal addresses are anonymous on the admin side.
Notifications and tracking remain exclusively on the employee side (Albert and/or portal).
How do admin notifications for breaches work (frequency / volume)?
When a breach is detected for the first time, an email is sent to the admin.
Each time an employee is detected as affected by this breach, an email is sent to the admin per employee.
If the volume becomes too high (e.g.: large population), it may be relevant to reduce these notifications via hub.tryriot.com.
Why don't I see certain "breaches" in Riot even though they exist elsewhere?
Riot only surfaces breaches linked to an identified service (e.g.: clearly named compromised service).
Certain lists/aggregations (e.g.: combolists, aggregated data sets, stealer logs without an identified service) may be considered not actionable.
What do the chart statuses mean (e.g.: "Active" vs "Resolved")?
Active or Warned: the employee has received a notification that a breach was detected.
Resolved or Acknowledged: the employee has indicated in their portal (Breaches tab) that they have taken action (e.g.: password change).
How to prevent employees from seeing / having the "Breaches" task in their portal?
Disabling notifications in the Breaches settings prevents Albert from notifying, but the task may remain visible in the portal.
To completely remove all visibility on the employee side, you need to disable the Breaches module (back-office - contact support).
⚠️ In this case, admins will no longer have access to breaches either.
If I disable notifications, do employees still see their breaches in their portal?
Yes. If Breaches notifications are disabled, the employee may no longer be notified by Albert, but their breaches remain accessible in their portal (Breaches tab).