highland
Viewer

Checking if company has been hacked/breached

Hello Team

Small company, need a simple solution/notification if my company/customers/partners have been hacked/breached. Found https://havewebeenleaked.io/ Is it valid? Would you recommend something different?

Is there any value in such services?

Thanks

2 Replies
zainulabdeen
Newcomer I

Great question! While HaveIBeenLeaked is a well-known resource for checking if your email has been involved in a data breach, there are also other services like DeHashed and Have I Been Pwned that can provide similar checks. For company-wide monitoring, you might want to look into more comprehensive solutions like SpyCloud or BreachLock, which offer proactive breach detection for businesses and customers. It’s definitely valuable to stay on top of these things to protect sensitive data!
JoePete
Advocate I

There are a number of services that offer a database of known breaches (usernames/emails with or without cracked passwords). They can be part of the monitoring mosaic if you want, but their role at best is minor. No matter the circumstance, you should assume every online service you use will be breached at some point. A practice I have long applied is to use different email addresses for different services as a way of tracking who gets compromised or at least who sells or trades my contact information. It doesn't matter the size of the company, its mission, etc., nearly all get sloppy or breached.

  1. Minimize what information you give any service. The more you give them, the more you are giving some future attacker. Tweak or misspell certain information as a cue that will stand out in some future phishing scam.
  2. Good authentication practices. Passwords can still be very effective as long as they are long, random, and unique. For your critical resources, use two-factor authentication, but there is a double-edged sword in that you are now giving up more information (phone number, etc.) to a future attacker (again, assume compromise).
  3. Perhaps most important, minimize your attackable footprint. Whether for business or personal use, before you download an app or sign up for a service, really ask whether you need it. Also, do a little due diligence on its quality. You can consult the CVE (cve.org). If the product or the company behind it has a laundry list of issues, maybe you want to consider an alternative. The same thinking applies to how you configure services (an easy one is to stop defaulting to HTML email).

As a small company, you are asking a good question. As we've erased the perimeter around our data and resources, security responsibility has moved from a centralized element to something shared by every employee. If you read about most attacks today, many of them come down to some employee having their credentials compromised by a phishing scam or the like. While monitoring has value, I'd prioritize good security training. Follow the SANS Internet Storm Center daily summaries or podcast and occasionally pull out one or two to share with your company and partners.
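
The per-service email address practice described in the reply above can be automated. The following is an added example, not code from the thread or from any service named in it: it issues one keyed alias per service and flags mail that reaches an alias from a sender the service does not use. It assumes a mail domain that supports plus-addressing; the key, mailbox, domain, service names and messages are all constructed.

```python
import hashlib
import hmac
from typing import Optional

# All values below are constructed for illustration.
SECRET = b"constructed-demo-key"         # assumption: a private key you keep offline
MAILBOX, DOMAIN = "ops", "example.com"   # assumption: domain supports plus-addressing

def make_alias(service: str) -> str:
    """Address to hand to one service, e.g. ops+shop.<8 hex chars>@example.com."""
    name = service.lower()
    tag = hmac.new(SECRET, name.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{MAILBOX}+{name}.{tag}@{DOMAIN}"

def attribute(recipient: str) -> Optional[str]:
    """Service an alias was issued to, or None if the tag does not verify."""
    addr = recipient.lower()
    local, _, domain = addr.rpartition("@")
    if domain != DOMAIN or not local.startswith(MAILBOX + "+"):
        return None
    service = local[len(MAILBOX) + 1:].rpartition(".")[0]
    if service and hmac.compare_digest(make_alias(service).encode(), addr.encode()):
        return service
    return None  # guessed or mistyped alias, so it proves nothing about a leak

def triage(messages, expected_senders):
    """(service, sender domain) for mail that hit an alias from an unexpected sender."""
    findings = []
    for recipient, sender in messages:
        service = attribute(recipient)
        if service is None:
            continue
        sender_domain = sender.rpartition("@")[2].lower()
        allowed = expected_senders.get(service, set())
        if not any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
            findings.append((service, sender_domain))
    return findings

EXPECTED = {"shop": {"shop.example"}, "payroll": {"payroll.example"}}
MESSAGES = [
    (make_alias("shop"), "orders@mail.shop.example"),            # expected sender
    (make_alias("payroll"), "billing@invoice-update.example"),   # alias got out
    ("ops+shop.deadbeef@example.com", "promo@bulk.example"),     # forged tag
    ("ops@example.com", "hello@partner.example"),                # not an alias
]

if __name__ == "__main__":
    for service, sender_domain in triage(MESSAGES, EXPECTED):
        print(f"alias issued to {service!r} received mail from {sender_domain}")
```

A finding means the address given only to that service is now known to another sender, whether through a breach or through the service sharing it; the keyed tag keeps a guessed alias from being counted as evidence.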