Happy Tuesday, friends!
I’ve got just a little tip for ya today. This one’s about a website I’ve been using for a while, but it occurred to me that you might not!
What is it?
It’s a website, haveibeenpwned.com, that serves one purpose: to let you know if your email address and/or password has been found in a data breach… or as the kids would say, “you got pwned.”
It was created by a white hat security pro (one of the good guys that tries to break into systems to make sure they’re secure) named Troy Hunt and is now run by him, his wife Charlotte who manages the operations, and an engineer named Stefán Jökull Sigurðarson, who helps maintain the codebase and cloud infrastructure from his home in Iceland.
How does it work?
On the main page, if you enter your email address, it’ll let you know if that email appeared in any data breaches since at least 2008 (that’s when my earliest breach was at least… thanks, MySpace).
On the passwords page, you can also enter any common passwords you’ve used in the past, and it’ll let you know if those passwords were compromised as well.
How do they do it? Well, they pull in data from various data breach sources and when you enter your info, the site runs a check against the breached dataset. If it finds your info, you’ve been pwned. Pretty simple.
What should I do if I’ve been pwned?
If your email address has been pwned—which if you’ve had it for more than a few years, there’s a really good chance it has—check if your password was also leaked in the breach (it’ll tell you which specific data was compromised below the breach description). Depending on what was leaked, you should change any passwords associated with those accounts and never use those passwords again. In the future, use a password manager and generate your passwords!
You should also consider deleting any accounts that you don’t use anymore. If you see a breach from an old site or service that you no longer use, visit the site to see if it’s still active, and if it is, delete your account altogether. If it’s not active anymore, you still need to retire that password forever because that information is already out there.
Bad actors expect you to reuse your login credentials, so they try the breached creds on other sites to see if they work there, too. Never reuse passwords!
Is this site safe?
What an excellent question to ask! You’re getting the hang of this whole privacy thing, I can tell!
Yes. Troy and the team don’t personally collect any data (when you enter an email or password it’s checked immediately against a storage database and the results are returned, but what you enter isn’t logged). No one is collecting the email addresses or passwords that you enter on the site.
The only caveat is that the website itself, like most websites, has some trackers on it which could send info like which pages you visited, what type of computer you’re using, demographic information stored in your browser with cookies, and potentially other metadata to various data-hungry sites like Facebook, Google, and Microsoft (among others). Is it ideal? No, but it’s no more problematic than visiting any other website with trackers (for that, you could consider switching to Brave).
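For the password check, the Pwned Passwords service also has a public range API where the password is hashed on your own machine and only the first five characters of its SHA-1 hash are sent. The sketch below is an added example (not code from this post or from the HIBP project) showing that lookup; `LEAKED`, `fake_fetch` and the counts are constructed so it runs offline, and the function names are hypothetical.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public Pwned Passwords range endpoint
LEAKED = {"password": 1000, "hunter2": 20}  # constructed corpus, made-up counts
SENT = []  # everything the stand-in server was told

def split_hash(password):
    """Hash locally; return (5-char prefix to send, 35-char suffix kept private)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, skipping junk and count-0 padding rows."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix):
    """Real lookup (needs network); not called by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch_range=fetch_range_live):
    """Times the password appears in the breach data (0 = not found)."""
    prefix, suffix = split_hash(password)  # only the prefix is handed to fetch_range
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fake_fetch(prefix):
    """Stand-in server: sees only the prefix, returns every suffix sharing it."""
    SENT.append(prefix)
    rows = ["F" * 35 + ":0"]  # constructed padding-style row with count 0
    for pw, n in LEAKED.items():
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(f"{s}:{n}")
    return "\r\n".join(rows)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 42"):
        print(pw, "->", breach_count(pw, fake_fetch))
    print("sent to server:", SENT)
```

The match against the returned suffixes happens on your side, so the server learns only a five-character prefix shared by many different passwords.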
That’s it for today! I hope you haven’t been pwn3d too badly, but if you have, you know what to do!
K33p 0n k33p1n' 0n,
KL