Over the years there have been countless data breaches that have included the theft of user account information. Many are well publicized in the media; however, a number are purposely or irresponsibly not disclosed to the public. Worse, many of the publicized, yet not disclosed, breaches simply go undetected for weeks, months – even years!
With all of these breaches, wouldn’t you like to know whether your information was definitively leaked onto the internet? Well, now there is a way to do this.
Troy Hunt, a security researcher and award-winning “Microsoft Most Valuable Professional,” or MVP, has created a research project and website called www.HaveIBeenPwned.com (HIBP), a free service that aggregates the information from data breaches into a searchable database and helps you see if you’ve been impacted by malicious activity on the web.
You see, when data breaches occur that include names, email addresses, passwords, secret questions (and their answers), etc., the bad actors or hackers will often post their cache of stolen information on the Dark Web as “social proof” that their escapades were successful. They could also be using your personal information to cause more mayhem by providing it to other bad actors.
Hunt has developed a way to scour the internet’s nooks and crannies to find “chunks” of data from these breaches. Most of the time, he is able to find smaller batches of data from multiple locations, but there are also times he is able to access a large data set, such as the information from the Ashley Madison breach. The media is quick to announce a breach, and sometimes they post where the data exists, but Hunt digs deeper and works to validate that the data is genuine breach data.
How Do I Check Whether My Information Was Taken and Posted Publicly?
Simple – visit www.HaveIBeenPwned.com, enter your email address and click the “pwned?” button. Be sure to try all of your email addresses – the results may surprise you.
The results include whether or not your email address was part of the data captured in a known breach. Information about the breach is shared, including dates and details about the types of information besides your email address that were lost. In my case, as you can see, my professional email address and password were posted after a LinkedIn data breach:
When I entered my personal email account I discovered that my info was leaked from 3 different data breaches. Ugh!
Hunt does not claim to be able to check your email against all past data breaches, but it appears he has been able to build a very large database – over 2 billion email address entries as I write this post. This information is undoubtedly useful for anyone who wants to know if their information is widely available on the web.
Staying Informed
Another fantastic feature of HIBP is notifications. When you sign up, you will receive email alerts if you are included in a new data breach that is discovered or leaked. As an example, I recently received an alert from HIBP because my information was found in a massive data leak related to a major SPAM email organization (even the bad guys lose data sometimes). The only way I found out that my personal info was part of that leak was through the alert functionality that HIBP provides.
I highly recommend checking your email addresses on HIBP so that you can find out where your information has been leaked. You can’t remove your information from a leaked list, but at least you can change your password and other information associated with the account. Better yet, if possible, you can close the account and open a new one with different credentials.
Hopefully you found this information helpful and will consider forwarding it to colleagues, friends and family to help them protect their personal information as well.
If you want to know where your business stands relative to cyber risk, the experts at Interphase Systems would be happy to conduct a security vulnerability assessment and help you make your business systems and information more secure. Contact us today!