Schedule a Call
Schedule a Call

← Back to All Workflows

Automate Alerts for New Breaches Using n8n and Have I Been Pwned API

Stay informed about the latest data breaches with this detailed n8n workflow that uses the Have I Been Pwned API to send notifications when new breaches occur. This automation saves time by continuously monitoring breaches and notifying you only when new incidents arise.
scheduleTrigger
httpRequest
readWriteFile
+7
Download Workflow Free
Learn how to Build this Workflow with AI:
Workflow Identifier: 2318
NODES in Use: manualTrigger, scheduleTrigger, httpRequest, readWriteFile, extractFromFile, splitOut, if, set, convertToFile, noOp

Press CTRL+F5 if the workflow didn't load.

Visit through Desktop for Best experience

1. Opening Problem Statement

Imagine Audun, a cybersecurity analyst, who constantly needs to monitor data breaches reported on haveibeenpwned.com to protect his clients’ sensitive information. Every 15 minutes, he manually checks the latest breaches, wasting at least 30 minutes daily just gathering data, cross-referencing, and filtering out duplicates. This manual process delays breach response times and increases the risk of missing urgent alerts, potentially costing his clients sensitive information exposure or financial damage.

Audun’s challenge is specific: he needs an automation that not only fetches the latest breaches but also tracks which breaches have already been reported so he only receives notifications when there’s a genuinely new threat. This is the core problem solved by the n8n workflow we’ll discuss.

2. What This Automation Does

This n8n workflow automates the monitoring of new data breaches from haveibeenpwned.com’s API and only triggers alerts for new breaches, avoiding repetitive notifications. Here’s what happens when it runs:

  • Every 15 minutes, it triggers an HTTP request to the Have I Been Pwned latest breach API to fetch the newest breach data.
  • It reads a cached file (cache.json) locally to identify the last breach it alerted about.
  • It compares the latest breach from the API to the cached breach name to detect if there’s a new breach.
  • If a new breach is found, it updates the cache file and triggers an alert node (placeholder for notifications like Slack or Discord).
  • If no new breach is detected, it skips alerting to avoid redundant notifications.
  • The workflow includes manual trigger and cache reset options for testing and control.

This automation saves Audun hours every week by eliminating repetitive manual checks and ensures he never misses a new breach alert, improving response time and security.

3. Prerequisites ⚙️

  • n8n account to build and run the workflow.
  • Have I Been Pwned API access (public endpoint used here requires no auth, but your setup might need API keys).
  • File system access for local caching (cache.json file).
  • Optional: messaging platform account like Slack or Discord if integrating alerts.

4. Step-by-Step Guide to Build the Workflow

Step 1: Set Up a Schedule Trigger every 15 Minutes

In n8n, click Add Node → Core Nodes → Schedule Trigger. Set the interval to trigger every 15 minutes by selecting minutes and entering 15.

What you should see: The workflow automatically starts every 15 minutes.

Common mistake: Forgetting to set the minutes interval correctly, which may cause the workflow to not run as expected.

Step 2: Add HTTP Request Node to Fetch Latest Breaches

Add HTTP Request node by navigating to Add Node → Core Nodes → HTTP Request. Set the URL to https://haveibeenpwned.com/api/v3/latestbreach and choose GET method (default).

Expected response: JSON array of breach objects with properties like Name, Domain, etc.

Common mistake: Not ensuring the node runs after the schedule trigger, or misconfiguring the URL.

Step 3: Read the Cached File to Get the Last Breach Alerted

Add Read Binary File node (named “Read last breach”) by selecting Add Node → Core Nodes → Read & Write File. Set filename to ./cache.json.

This node reads the file containing the name of the last breach alerted.

Visual confirmation: You see JSON content with a field like lastItem.

Common mistake: The file cache.json might not exist initially; handle this with fallback logic.

Step 4: Extract JSON From the Cached File

Add Extract From File node, choose operation “fromJson” to parse the file content into usable JSON data.

Expected Outcome: Access to lastItem in the data stream.

Common mistake: Skipping this parsing step leads to errors in JSON data handling.

Step 5: Split Out the Latest Breach Array

Add Split Out node to separate the breaches received from the HTTP Request one by one.

This allows checking each breach individually against the cached name.

Visual: The workflow will process each breach item separately.

Common mistake: Not splitting causes the entire array to be checked as a single object.

Step 6: Check If Cache File Has Content

Add If node named “Check for content” and set condition to check whether lastItem exists in the cached data.

If no content exists, use a Set node to assign none to lastItem to handle empty cache file gracefully.

Common mistake: Not handling empty cache causes failed comparisons.

Step 7: Compare Latest Breach to Cached Breach

Add If node named “If – check for new”. Configure it to compare the name of the latest breach from the API ($json.Name) with lastItem from cache.

If they differ, this means a new breach was found.

Common mistake: Incorrect comparison logic could produce false positives or misses.

Step 8: Save New Breach Name and Convert to File

If a new breach is detected, use a Set node to assign the breach name to lastItem, then a Convert To File node to convert this data to JSON file format.

Expected result: Cache update with the latest breach name.

Step 9: Write New Cache File

Add Read & Write File node, set operation to write, filename ./cache.json to replace old cache data with the new breach name.

This ensures the workflow remembers the last alerted breach on next runs.

Step 10: Trigger Alert for New Breach

Use a No Operation (NoOp) node configured as a placeholder for your alert system—Slack, Discord, or email. When this node runs, it signals that an alert should be sent.

Tip: Later you can replace this node with actual alert nodes.

5. Customizations ✏️

  • Change the alert channel: Replace the NoOp node with a Slack or Discord node to send real-time notifications.
  • Adjust polling frequency: Change the minutes interval in the Schedule Trigger to check breaches more or less frequently.
  • Expand cache persistence: Use a database node instead of file storage to track multiple breach names instead of just the last one.
  • Add detailed alert content: Extend the alerts to include breach details like domain, date, and description by extracting and setting those fields.
  • Enable manual reset: Use the manual trigger node labeled “When clicking ‘Test workflow’” to reset the cache, allowing alerts to be triggered again for testing or re-alerting.

6. Troubleshooting 🔧

Problem: “File ./cache.json not found or empty causing error on JSON parse.”
Cause: The cache file does not exist on the first run or got deleted.
Solution: Use the Set to none node to handle empty file cases gracefully and create the cache on first run.

Problem: “HTTP Request returned no data or invalid response.”
Cause: Incorrect API URL or network issues.
Solution: Verify the URL https://haveibeenpwned.com/api/v3/latestbreach, check internet connection and retry.

Problem: “Alert triggers repeatedly for the same breach.”
Cause: Cache file not updating properly.
Solution: Confirm the write node updates the cache file and that the comparison logic correctly identifies new breaches.

7. Pre-Production Checklist ✅

  • Confirm n8n workflow nodes are fully connected in the correct order.
  • Test the workflow manually using the Manual Trigger node before scheduling.
  • Check the cache.json existence permissions and that it can be read/written.
  • Simulate a new breach by clearing the cache and observe alert trigger.
  • Validate HTTP response from the API contains expected breach data.

8. Deployment Guide

Once tested, activate the Schedule Trigger node to start automated execution every 15 minutes. Keep the manual trigger available for troubleshooting and reset operations.

Regularly monitor execution logs in n8n to catch failures or abnormal data. Update the workflow or alert nodes if the Have I Been Pwned API changes.

If self-hosting n8n, you can use reliable hosting services like Hostinger for optimal uptime.

9. FAQs

  • Can I use a different breach API? Yes, but you will need to adjust the HTTP Request URL and data extraction nodes accordingly.
  • Does this workflow consume API credits? The haveibeenpwned API is publicly accessible for certain endpoints, but check their documentation for limits.
  • Is my cached data secure? This workflow stores cache locally, so make sure your n8n environment permissions are secure.
  • Can I add multiple alert channels? Absolutely, you can duplicate alert nodes or integrate with several platforms.

10. Conclusion

By following this guide, you have built a precise breach monitoring automation using n8n and the Have I Been Pwned API. This workflow uniquely tracks the last alerted breach to avoid duplicate alerts, saving you hours and improving your alert accuracy.

Next, consider integrating detailed breach reports, adding richer alert content, or expanding monitoring to user accounts. You’ve taken a big step toward proactive cybersecurity management with automation. Keep exploring and enhancing!

Learn by Category

Sales →
Productivity →
Social →
Finance →
Marketing →
Content→
Recruitment →
Security →
SEO →
CRM →
Development →
Ecommerce →

Related Workflows

Automate Viral UGC Video Creation Using n8n + Degaus (Beginner-Friendly Guide)

Learn how to automate viral UGC video creation using n8n, AI prompts, and Degaus. This beginner-friendly guide shows how to import, configure, and run the workflow without technical complexity.
Form Trigger
Google Sheets
Gmail
+37
Free

AI SEO Blog Writer Automation in n8n (Beginner Guide)

A complete beginner guide to building an AI-powered SEO blog writer automation using n8n.
AI Agent
Google Sheets
httpRequest
+5
Free

Automate CrowdStrike Alerts with VirusTotal, Jira & Slack

This workflow automates processing of CrowdStrike detections by enriching threat data via VirusTotal, creating Jira tickets for incident tracking, and notifying teams on Slack for quick response. Save hours daily by transforming complex threat data into actionable alerts effortlessly.
scheduleTrigger
httpRequest
jira
+5
Free

Automate Telegram Invoices to Notion with AI Summaries & Reports

Save hours on financial tracking by automating invoice extraction from Telegram photos to Notion using Google Gemini AI. This workflow extracts data, records transactions, and generates detailed spending reports with charts sent on schedule via Telegram.
lmChatGoogleGemini
telegramTrigger
notion
+9
Free

Automate Email Replies with n8n and AI-Powered Summarization

Save hours managing your inbox with this n8n workflow that uses IMAP email triggers, AI summarization, and vector search to draft concise replies requiring minimal review. Automate business email processing efficiently with AI guidance and Gmail integration.
emailReadImap
vectorStoreQdrant
emailSend
+12
Free

Automate Email Campaigns Using n8n with Gmail & Google Sheets

This n8n workflow automates personalized email outreach campaigns by integrating Gmail and Google Sheets, saving hours of manual follow-up work and reducing errors in email sequences. It ensures timely follow-ups based on previous email interactions, optimizing communication efficiency.
googleSheets
gmail
code
+5
Free
Load More