Costa Rica's national CSIRT (Computer Security Incident Response Team — the government body responsible for coordinating the national response to cyber incidents) has joined Have I Been Pwned's free government domain monitoring service, making the Central American nation the 42nd government to gain access to the breach notification platform. The integration gives Costa Rica's incident responders real-time visibility into compromised government email addresses across HIBP's database of billions of breached credentials — a capability the country's cybersecurity posture has needed since at least 2022.
Have I Been Pwned Government Program: What It Offers
Have I Been Pwned (HIBP) is a free breach notification service created by Australian security researcher Troy Hunt. It aggregates credential data from thousands of publicly disclosed data breaches, allowing individuals and organizations to check whether their accounts appear in known breach datasets. As of 2026 the index contains over 14 billion breached records from more than 800 separate breach events.
The free government service extends HIBP's domain search monitoring capability to national cyber agencies and CSIRTs at no cost. Instead of checking individual email addresses, participating governments can monitor entire domain namespaces — for example, @gobierno.go.cr — and receive automatic alerts when those addresses appear in newly indexed breaches.
This matters because credential stuffing and account takeover attacks frequently begin with breached passwords reused across services. A government employee's work email appearing in a third-party breach (a compromised e-commerce site, a hacked social media platform) signals that the employee may be reusing a password — creating a lateral entry path into government systems. HIBP monitoring shrinks the window between that exposure and detection.
Each participating government receives:
- Real-time notifications when monitored domain addresses appear in newly added breach datasets
- Bulk domain search across the full HIBP index
- API access for integration with SIEM (Security Information and Event Management — the centralized logging and alerting platform used in enterprise and government security operations centers) and incident ticketing workflows
Costa Rica's CSIRT and the 2022 Conti Attack
The CSIRT of the Government of Costa Rica was established in 2015 and operates under the Ministry of Science, Innovation, Technology and Telecommunications (MICITT). Its mandate covers both government network defense and support for critical infrastructure operators across the country.
Costa Rica's entry into the HIBP program arrives in the context of a significantly elevated national cyber threat level. In April and May 2022, Costa Rica became the first country in history to declare a national state of emergency caused by a cyberattack, after the Conti ransomware group hit multiple government ministries simultaneously. The Ministry of Finance, Ministry of Labour, Social Security Fund, and several other agencies were compromised. The attack disrupted tax collection, payroll processing, and healthcare system operations for weeks, exposing deep vulnerabilities in Costa Rica's public sector digital infrastructure.
Conti demanded a $10 million ransom. The government refused to pay. The fallout prompted a broad national conversation about the country's cyber readiness and led directly to increased international support, including a commitment from the United States to provide approximately $25 million in cybersecurity assistance to strengthen Costa Rica's defenses, improve incident response capacity, and reduce exposure to nation-state and criminal threat actors.
How HIBP's Government Program Has Scaled
The program began with a handful of early adopters and has grown steadily. The UK's National Cyber Security Centre (NCSC) and Australia's Australian Cyber Security Centre (ACSC) were among the first to join, with all UK and Australian government domains enrolled for centralised monitoring. From that origin the program has expanded to 42 participating nations with Costa Rica's onboarding.
Troy Hunt has been transparent about the rationale: government agencies lack agile procurement mechanisms to quickly acquire commercial breach monitoring services. Cost barriers would leave many public sector incident responders blind to employee credential exposure. The free program eliminates that friction while delivering genuine national security value.
What CSIRT-CR Can Do With This Access
With HIBP domain monitoring active, CSIRT-CR can now identify:
- Credential exposure before exploitation — government employees whose work email addresses and associated passwords have appeared in third-party breaches, enabling proactive password resets and MFA (Multi-Factor Authentication — a login control requiring a second verification factor beyond a password) enforcement before attackers can exploit the exposure.
- High-risk accounts for targeted phishing — email addresses confirmed present in breach datasets are statistically more likely to be targeted in subsequent spear-phishing campaigns, allowing CSIRT-CR to prioritize awareness outreach to those users.
- Supply chain exposure — if a vendor handling government data suffers a breach that surfaces in HIBP, the monitoring triggers immediate notification regardless of whether the vendor has disclosed the incident.
This visibility is especially relevant given Costa Rica's post-2022 threat landscape. Credential-based initial access remains the dominant entry vector in ransomware campaigns. The Conti group itself — which fractured into multiple successor operations including Black Basta, Royal, and Akira — routinely used purchased or phished credentials as its first foothold into target environments. Early detection of a compromised credential can interrupt that entire kill chain before it reaches ransomware deployment.
What You Should Do Right Now
Whether you represent a government agency or a private organization, these steps directly apply:
- Enroll your domains in HIBP monitoring — the API and domain search are available at haveibeenpwned.com. Government agencies in qualifying nations should contact Troy Hunt through the site to access the free government program.
- Cross-reference any breach hits with MFA enrollment status — an account appearing in a breach dataset is a direct signal to confirm MFA is active and that the password has been rotated.
- Integrate HIBP alerts into your SIEM or ticketing system — the API supports automated ingestion, ensuring breach notifications trigger response workflows without requiring manual review queues.
- Run a baseline bulk domain search now — even without ongoing monitoring, a one-time search surfaces historical credential exposures that may have accumulated undetected.
- Train employees on password reuse risk — breach monitoring is a backstop, not a substitute. A password manager and strong, unique credentials per service eliminate the root cause that HIBP monitoring detects after the fact.
Background: Why Government Credential Monitoring Is a Baseline Capability
The global dataset of breached credentials has grown to a scale that makes it a reliable resource for criminal initial access brokers — marketplace operators who purchase credential dumps, validate them against real services, and resell working login combinations to ransomware affiliates and espionage operators. Government email addresses appear in these datasets because employees register work addresses for external services: conference platforms, professional associations, cloud tools, and personal accounts inadvertently tied to a government domain.
The 2022 Costa Rica attacks demonstrated concretely what happens when these exposures go undetected. The HIBP government program's expansion to 42 nations is a signal that public sector incident response teams increasingly treat breach notification infrastructure as a fundamental operational capability rather than a supplementary add-on.
Conclusion
Costa Rica's onboarding to Have I Been Pwned's government monitoring program is a practical, low-overhead security improvement for a country that has experienced firsthand the operational consequences of credential-based intrusion. CSIRT-CR can now detect government employee credential exposures in near real-time — a direct capability improvement that reduces the window available to attackers between breach and exploitation.
For any query contact us at contact@cipherssecurity.com
