Data breaches – where someone breaks into the master database holding a company's user names, passwords and other user data – happen all the time: probably every day, and certainly every week.
We don’t know how often they happen, because most are probably never discovered or reported. Many are discovered, however, usually when the raw data goes on sale or is shared freely on the dark web. Often, when we do find out, it’s months or sometimes years after the breach took place.
Has your password been stolen? Probably. There are nearly 10 BILLION stolen passwords floating around the internet, from over 450 breached sites (at the time of this writing). The odds are that you’ve been affected.
And there is an easy way to find out.
Have I Been Pwned (HIBP) – a data breach notification service
Haveibeenpwned.com is a website that tells you whether your account has been part of a data breach and, if it has, which breaches and what data was stolen. The service works pretty simply: enter your email address and you’ll get a list of the known breaches associated with that email.
After you enter your email address, HIBP will tell you how many breaches that email address has been a part of and offers context on each of those breaches as well. Here’s an example of what you may see for each email address you enter:
HIBP will tell you whether the breach was verifiable or not, whether your details were posted on a publicly available site, and/or whether it’s part of a spam list (among other things). HIBP is independently run and is constantly updating its database with new breaches and data dumps. You can check any number of email addresses on the website.
It Gets Worse
Keep in mind that HIBP can only report on known breaches. It’s very likely that many breaches have gone undetected. This is why using strong and unique passwords on your key accounts is so important.
By the time a breach is reported in HIBP, the bad guys have generally had access to the breached accounts for some time, and may have already tried those leaked passwords on other accounts with the same email or username. This is why unique passwords are critical, and why varying your email/username adds a strong layer of protection too.
What To Do Next
When HIBP shows that your accounts have been breached, there are two important next steps:
- Change your password on the breached service. The company may have already forced you to (they should have) but if they haven’t, go change it.
- Check if you use that password on any other accounts. If you do, go change those passwords too.
Unique Password Checker
HIBP also offers a service to check if a particular password has been leaked in a breach. For example, here are the results for the password ‘12345’, an embarrassingly common password.
You can use this to look for breaches on passwords you use, or use it to check if a new password you’re thinking of using is unique (and therefore strong). Of course, it seems strange to enter a password you want to be unique into a website…but this step can be helpful as you craft new passwords.
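As an added example (not code from the original post and not HIBP's own code), here is how a client can check a password against HIBP's Pwned Passwords range API without sending the password itself: the API accepts only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with its breach count, so the password and its full hash never leave your machine. The range endpoint URL and the `Add-Padding` header are the real ones; the sample response body and its counts are constructed here so the script runs offline, and `fetch_range` is the only part that needs the network.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real HIBP Pwned Passwords range endpoint; the caller appends a 5-hex-char prefix.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest of a password into the
    5-character prefix that is sent to HIBP and the 35-character suffix
    that stays on the client. Only 20 bits of the hash ever leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' line per hash, CRLF-separated)
    and return how often our suffix has been seen in breaches; 0 if absent.
    Padding entries (when Add-Padding is requested) carry a count of 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the range for a hash prefix from HIBP (network required).
    Add-Padding makes every response a similar size so an observer cannot
    infer the prefix from the response length."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Return how many times the password appears in Pwned Passwords.
    Pass range_body to check against an already-downloaded (or sample) range."""
    prefix, suffix = hash_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


def constructed_range_for(password: str, count: int) -> str:
    """Build a CONSTRUCTED range response for offline demonstration: a few
    filler suffixes, a padding entry, and the real suffix of `password`
    with an invented `count`. Real HIBP data would come from fetch_range()."""
    _, suffix = hash_prefix_suffix(password)
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:2",   # constructed filler
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # constructed padding entry
        f"{suffix}:{count}",                        # the password under test
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",   # constructed filler
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Offline demonstration using the constructed sample, the '12345' case
    # from the post with an invented count of 123456.
    sample = constructed_range_for("12345", 123456)
    print("12345 seen", pwned_count("12345", range_body=sample), "times (constructed)")
    print("random phrase seen", pwned_count("not-in-the-sample-list", range_body=sample), "times")
    # To query the live service instead, call pwned_count("12345") with no range_body.
```

A count of zero from the live service only means the password has not appeared in a breach HIBP knows about; it says nothing about length or entropy, so this check complements, rather than replaces, a password manager's generator.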
If you want to check whether your site is part of a data breach, HIBP offers a domain check service but needs to validate that you control the domain before giving you any information. You can also see all the sites that are in HIBP’s data breach database here if you want to know a specific site’s breach history.
Breach Notification Service
HIBP also offers a simple notification service called NotifyMe that will let you know if your email is part of a data breach in the future. You can add as many emails as you want and whenever that email is found in a new breach, you’ll get an email.
As mentioned above, the cat is out of the bag by then, but knowing, checking the account, and changing passwords is the best you can do at that point, and something you should be in the habit of doing. We recommend signing up for HIBP breach notification on every email address you use to create online accounts.