Yashy

asked on

What do you do if some people's email addresses in your company are available on the darkweb?

Hi guys

Our consultant teams have run a report for security and a good 10 people's email addresses are available on the dark web. What is the best practice from here for better securing ourselves? Change of password? 2 Factor Authentication for OWA?

Thanks for helping
Yashy
Jeremy Weisinger

What do you mean that it's "available on the darkweb"?

Change the password only if you think their accounts might be compromised.
Adding MFA is always good.

What is it that you're looking to protect against?

ASKER

Our security company found that these email addresses were available in Darkweb databases....
I do understand that but what database? Is it for a SaaS service? Does it include password hashes?

Having an email address available isn't something to worry about in and of itself. It needs some context around it to determine the risk.

For instance, my email address is out there on the internet. No need to go to the darkweb to get that info.

Have you run the email addresses through the known compromised site dbs?
https://haveibeenpwned.com/
Don't be concerned if it is just email addresses. There are lots of ways an email address can get out, even if it is just from somebody signing up for a newsletter.

Passwords, on the other hand, are a different concern. Certainly make sure those specific people change their passwords as was recommended. Beyond that, the company should have a policy where all users are forced to change their passwords after a certain amount of time and that the passwords used must be complex.
ASKER CERTIFIED SOLUTION
Jeremy Weisinger


ASKER

Ah, guys I've just read the report further and it does say that these email addresses were 'pawned', which I assume means that they had been compromised.
Did they really put "pwned" in the report?

Change passwords as soon as possible but you do need to find out where and what was compromised. My guess is it wasn't the local directory or else every user would have been pwned.

ASKER

It was just random users, some of whom have left, which is a relief.

Jeremy - they did indeed put 'pawned' in the report.

Thanks so much for all the input guys, really appreciate it. Perhaps we need to also use 2-factor authentication for OWA?
Another thing to note: finding an email address in a database will not tell you if a user has changed their password since the compromise. Your security consultants should be telling you where these accounts were compromised and the age of the data, and explaining to you what the risks are and how to mitigate.

Glad to help. :)
When I do a security audit I provide proof such as the password or hash and provide remediation tasks. Did they not give remediation tasks and proof?

ASKER

Thanks for all of your input on this matter. I've reviewed it and will be changing the password for these particular accounts and enforcing password complexity, along with 2-FA for OWA. I'm looking at a company called 'DUO', apparently they're awesome for this.
Glad to help. :)
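
The triage the answers above describe (which database, whether it held passwords, how old the data is, whether the user has changed their password since, and whether the user has left), as an added example that is not part of the original thread. The report fields, directory fields and sample records are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:            # one row of the consultants' report (assumed fields)
    email: str
    source: str           # which breached database the address came from
    breach_date: date     # age of the data
    has_password: bool    # did the dump include a password or hash?

@dataclass
class Account:            # what your own directory knows (assumed fields)
    active: bool
    password_last_set: date
    mfa_enrolled: bool

def triage(finding: Finding, account: Optional[Account]) -> list[str]:
    """Return the follow-up actions for one reported address."""
    if account is None or not account.active:
        return ["verify-account-disabled"]   # leavers: nothing to reset
    actions = []
    # An address alone is low risk; a leaked password matters only if the
    # user has not changed it since the date of the breach data.
    if finding.has_password and account.password_last_set <= finding.breach_date:
        actions.append("reset-password")
    if not account.mfa_enrolled:
        actions.append("enroll-mfa")
    return actions

# Constructed sample data, not taken from any real report.
D = date
FINDINGS = [
    Finding("alice@example.com", "saas-dump", D(2016, 5, 1), True),
    Finding("bob@example.com", "newsletter-list", D(2018, 3, 1), False),
    Finding("carol@example.com", "saas-dump", D(2016, 5, 1), True),
    Finding("dave@example.com", "saas-dump", D(2016, 5, 1), True),
]
DIRECTORY = {
    "alice@example.com": Account(True, D(2015, 1, 10), False),
    "bob@example.com": Account(True, D(2017, 1, 1), False),
    "carol@example.com": Account(True, D(2019, 2, 2), True),
    "dave@example.com": Account(False, D(2014, 6, 1), False),
}

def run() -> dict[str, list[str]]:
    return {f.email: triage(f, DIRECTORY.get(f.email)) for f in FINDINGS}

if __name__ == "__main__":
    for email, actions in run().items():
        print(email, actions or ["no-action"])
```

The reset check compares the corporate password-change date with the breach date because the leaked credential may come from a third-party service where the user reused a password.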