Adobe. Yahoo!. The US Department of Energy (DoE). The New York Times.
What these names have in common is that they have all experienced at least one breach in 2013—the year when threat actors started targeting organizations across industries to either steal data for profit or leak them to "teach companies a lesson about cybersecurity."
The majority of the data breached are credential information, such as usernames and passwords, with the former usually being an email address. Some personally identifiable information (PII) and other sensitive organization-centric data was added into the mix as well.
With so many breaches going on that year, plus the observed ramping up of such attacks a few years before it, one may be led to think: How can people keep up with checking whether they’re affected by these breaches or not? Do they even know they have been breached?
This prevalence of data breaches coupled with his analysis on the Adobe attack have led Troy Hunt, an Australian cybersecurity expert, blogger, and speaker, to create Have I Been Pwned (HIBP), a website that allows internet users to check whether their personal data has been compromised or is part of a trove of leaked data following company breaches.
Feeling security fatigue? Listen to Troy Hunt with other cybersecurity experts Chloé Messdaghi and Tanya Janca in this episode of Lock and Code on how to beat it.
Is "Have I Been Pwned?" legit?
Yes, it is.
To date, HIBP has been around for almost a decade, and through the years, it has only proven itself to be an essential tool for everyday internet users, governments, and organizations alike.
Yes, you read that right: governments. HIBP has been assisting governments, such as the UK, Australia, and Romania (to name a few), in monitoring for breaches in government domains. Note that centralized monitoring is done by the cybersecurity arms of these governments, such as the National Cyber Security Centre (NCSC) for the UK, the Australian Cyber Security Centre (ACSC) for Australia, and CERT-RO for Romania. These organizations, of course, cannot query other websites beyond government domains.
“The only access they have is to domains that their people working in those departments could query anyway via the existing free domain search model, we're just consolidating it all into a unified service,” Hunt wrote in a 2018 blog post about this matter. If you’re interested in reading more about this, there is in-depth detail here.
HIBP is also single-handedly handled and maintained by Hunt himself, not a team. And Hunt is a well-known and very trusted name within the cybersecurity circle. On top of that, he runs the service "with maximum transparency."
Is "Have I Been Pwned?" safe?
If you’re more of a privacy-centric person who never likes websites snooping on your queries whenever you use their search feature, it is understandable to be concerned about whether HIBP can actually snoop or, worse, record every query you make.
According to HIBP’s FAQ page: "Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system."
Below are other storage-related questions covered in this page:
How is the data stored?
The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on. If you're interested in the details, it's all described in Working with 154 million records on Azure Table Storage – the story of Have I Been Pwned
Does the notification service store email addresses?
Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
In 2019, Hunt opened up to his readers about Project Svalbard, a name he associated with the future of Have I Been Pwned. In a nutshell, Hunt had planned to hand over the management of HIBP to a “better-resourced and better-funded structure” when he realized that he will burn out one day. The news could have raised alarm bells for those who have trusted the site all these years as there is always fear of either having the service monetized or misuse of data by whoever will be acquiring HIBP.
At the time, Hunt penned a long and thoughtful post on Project Svalbard, including his 7-point commitments to the future of HIBP, which you can read here. Here’s the tl;dr version of that:
- Freely available consumer searches should remain freely available.
- I (Troy Hunt) will remain a part of HIBP.
- I want to build out much, much more capabilities wise.
- I want to reach a much larger audience than I do at present.
- There's much more that can be done to change consumer behaviour.
- Organisations can benefit much more from HIBP.
- There should be more disclosure - and more data.
But in March 2020, something changed. According to last-minute, unforeseen developments, the sale of HaveIBeenPwned had been stopped. As Hunt wrote:
"Have I Been Pwned is no longer being sold and I will continue running it independently. "
Have you been pwnd? Here’s what to do
While it is important to know if your personal details or credentials have been leaked, it is significantly more important to act on it. What do you do now, knowing that your account has been compromised?
For starters, change your password. Make it longer. It doesn’t have to be a complex string of uppercase and lowercase characters, symbols, and numbers. Length is enough, according to a 2021 NIST guideline. You can formulate your own long password, or you can enlist the help of a password manager.
Lastly, use two-factor authentication (2FA) to add a layer of protection to your account. We strongly suggest using a one-time password (OTP) app, or if you have a physical hardware key, such as a Yubikey, all the better. Take note that some big-name companies like Facebook already have started giving their users the option to use a hardware key. So if you want to do that, check if your online service provider offers it, too, and take advantage of it.