Be Alerted If Your Account Was Compromised - haveibeenpwned.com

Millions upon millions of accounts are compromised every year. It is very likely that the account for some web site or online service you use has been exposed by an attack.

How can you find out if your account may have been compromised? One way is to enter your email address on the site Have I Been Pwned.

[Screenshot: Have I Been Pwned main screen]

"Pwned" is a deliberate misspelling of "owned" that attackers use because it sounds cooler than saying they owned someone's servers.

If an attacker pwns a server or an organization, they have gained unauthorized access, which can include the compromise of customer databases and credentials.

To do a one-time check of an email address, type your email into the input box and click the "pwned?" button.

If you're lucky, you'll get a No Pwnage Found message:

[Screenshot: "No Pwnage Found" message]

If your email address is in their database, you'll receive a message listing the breaches that exposed your information.

Here's what the site shows for an old account of mine that is no longer in use:

[Screenshot: example output for a pwned address]

Great to know! If I were still using that account to access sites, I'd want to immediately change my credentials and enable multi-factor authentication if it's available.

Personally, I'd also likely change my email password and enable multi-factor authentication there too if available.

Some of the risks of having an account compromised are:

  • Attackers may have full access to the compromised account
    • Any details about you in the account, which could include:
      • Name
      • Username or handle you used for the service or site
      • Password (if it was stored improperly or could be cracked)
      • Physical Address
      • Email address
      • Payment Info (should be truncated and limited)
      • Security questions and answers
    • Ability to make changes to the account
  • Attackers share compromised accounts, meaning your information can be shared with other bad actors

Any or all of those pieces of information could be used against you. Attackers could:

  • Look for your username, name, or email address on other sites
  • Attempt to compromise your email or other accounts based on exposed information
  • If email is compromised, they can try to gain access to other accounts where the email was used via password reset features
  • Blackmail the mailbox owner regarding private information

One of the ways Have I Been Pwned knows which accounts have been compromised is by watching for the database dumps that attackers leak. Troy Hunt, the site owner, adds the email addresses he finds to his database so you can search for your email address to see where it may have been exposed.

In addition to doing occasional checks of your email addresses, you can sign up to be automatically alerted if your address shows up in the Have I Been Pwned database.

[Screenshot: "Notify Me of Pwnage" signup form]

Some things you can do to protect yourself and minimize the damage when your information is compromised include:

  • Using a password manager (allows use of long, random passwords)
    • I've used KeePass and LastPass for a local and online example respectively
  • Avoid password re-use
    • Even if you don't use a password manager, don't re-use passwords on multiple sites
  • Use fake answers to security questions
  • Enable multi-factor authentication wherever possible
  • Sign up for notifications from Have I Been Pwned, or check frequently to make sure you haven't been pwned

Password managers carry risks. You're putting all your eggs in one basket, so protect that basket! For LastPass, you can enable multi-factor authentication and I strongly recommend it. Use strong passwords for any password manager you use.

In my humble opinion, the advantages of having a password manager generate and store unique passwords for you for each site you visit outweigh the disadvantage of centralized storage. You can also store fake answers to security questions in them.
