@OakleyBoss has any thought been put into proactively running your members' emails and hashed credentials through a compromised-account check? (Like SpyCloud)
A common security practice when sites like this have had multiple compromises via Account Take Over — is to force password changes for your entire user base. That is onerous for sure, but perhaps with a little bit of filtering you can get a data-centric list of all -potentially- compromised accounts?
From that smaller data set, you can then force password changes, or force 2SV or OTP for those high-risk accounts.
Thoughts?
For musing: The most secure system is a system that nobody can use
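An added example (not from this thread or any product it names) of the filtering step described above: hashed credentials are checked against breach data with a k-anonymity prefix query, and only the accounts that match come back with an action attached. The breach corpus, the member table and the reset-versus-2SV thresholds are all constructed assumptions; it also assumes unsalted SHA-1 is available for the comparison, which in practice means running the check at login or registration rather than over a salted password store.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 in upper-case hex, the form breach corpora commonly publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a third-party breach service (hypothetical data):
# leaked password hashes with how often each was seen, plus e-mails seen in dumps.
BREACHED_PASSWORD_HASHES = {
    sha1_hex("password123"): 9000,
    sha1_hex("letmein"): 1200,
    sha1_hex("correct horse battery staple"): 3,
}
BREACHED_EMAILS = {"bob@example.org", "carol@example.org"}

def range_query(prefix: str) -> dict:
    """Simulated k-anonymity range lookup: the site sends only the first five
    hex characters of a hash and receives every suffix in that range, so the
    full hash never leaves the site."""
    return {h[5:]: n for h, n in BREACHED_PASSWORD_HASHES.items() if h.startswith(prefix)}

def exposure_count(password_hash: str) -> int:
    """How many times this credential hash was observed in breach data."""
    return range_query(password_hash[:5]).get(password_hash[5:], 0)

def triage(accounts, reset_threshold: int = 100) -> dict:
    """Map each account (email, sha1 hex) to the action it needs; untouched
    accounts are omitted, so the result is the smaller high-risk set.
    Thresholds are assumptions: widely leaked password -> forced reset,
    anything else seen in breach data -> require 2SV/OTP at next login."""
    actions = {}
    for email, password_hash in accounts:
        seen = exposure_count(password_hash.upper())
        if seen >= reset_threshold:
            actions[email] = "force_password_reset"
        elif seen > 0 or email.lower() in BREACHED_EMAILS:
            actions[email] = "require_2sv"
    return actions

# Constructed member table: most users are clean and should not be touched.
SAMPLE_ACCOUNTS = [
    ("alice@example.org", sha1_hex("password123")),
    ("bob@example.org", sha1_hex("Tr0ub4dor&3-unique")),
    ("carol@example.org", sha1_hex("correct horse battery staple")),
    ("dave@example.org", sha1_hex("9xQ!vL2#pm-unique")),
]

if __name__ == "__main__":
    for email, action in triage(SAMPLE_ACCOUNTS).items():
        print(f"{email}: {action}")
```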
Great minds think alike! We ran through an initial exercise last week of identifying high-risk accounts (on a number of criteria, and being purposefully vague for obvious reasons) and forcing a reset across all of them; a good amount went through. Will also look at running through a third-party service!