Have You Been Pwned?
Yahoo made headlines recently by admitting that it suffered a data breach that may have compromised more than 500 MILLION Yahoo accounts. Here's how to find out if you may have been affected by this (or one of many other) massive data breaches...
Is Your Personal Data Exposed?
The Yahoo breach, which exposed names, email addresses, telephone numbers, dates of birth, and weakly-encoded passwords, happened in late 2014. Incredibly, Yahoo says it didn’t even suspect the breach until the summer of 2016, and it didn’t advise users to change their passwords until September 22.
While Yahoo may have been “grossly negligent” in its security practices, as two class-action lawsuits already allege, it’s worth noting that data breaches go undetected for 201 days, on average. During that time, a lot of damage can be done to users’ finances, credit, privacy, and more. That’s why it behooves each of us to be constantly vigilant about our own security.
A savvy reader suggested to me, “You might want to remind your readers to occasionally go to the site Have I Been Pwned and check if they have been “pwned” * at one of the compromised websites. If they had an account (on) those sites, it doesn’t necessarily mean that their password has been compromised but it may have been. So it is good idea to change your password at those sites and also at any other sites where you may have used the same password.”
(* “Pwned” is gamer slang for “perfectly owned,” captured, conquered. In this context, it means a hacker now owns your login credentials, and maybe much more sensitive data.)
Have I Been Pwned (HIBP) collects and analyzes stolen data that it finds online. It then allows users to check their “email address or username” to see if it’s on HIBP’s “pwned” list. If it is, HIBP displays the information about the source of the data breach, when it occurred, how many accounts were compromised, and if your credentials are known to have been posted on a publicly searchable repository of "pwned" addresses.
I've mentioned HIBP before, but it's worth revisiting, in light of the ever-growing list of websites and institutions that have suffered data breaches. HIBP is the creation of a well-respected security expert, Troy Hunt. According to its own figures, HIBP was launched in December 2013, and as of September 2016, it receives about 10,000 visitors a day. About 350,000 people have subscribed to be notified if their email addresses turn up in future additions to its list of pwned accounts.
Is It Safe and Effective?
And just for fun, see Hey, Is This Your Password? to find out if any of the keys to your kingdom are on the list of the 25 Worst Passwords.
HIBP seems safe and legit. If you learn there that one of your email addresses may have been compromised, by all means change the password for that account, and for any other account where the same password was used. You can also sign up to be notified by email if any of your account information is found in future breaches.
In most cases, when a site is breached, the hackers get your email address and a hashed or encrypted copy of your password. This is why trivial passwords are such a big problem. The weaker your password is, the more likely it is that the data thieves will be able to decode it.
One reservation I have about HIBP is the timeliness of its data. HIBP harvests published files of compromised accounts. Typically, such files are not published until the accounts in them have been thoroughly exploited, sold, and re-sold multiple times. HIBP told me that a MySpace account belonging to me was breached in 2008 but the data wasn’t published until 2016. I can't blame HIBP for not knowing about this earlier, but it's little comfort to find out today that my account was pwned eight years ago.
There are cases in which “fresh” data is published. The hackers who breached the Ashley Madison “have an affair” site wasted no time in publishing all the embarrassing data they got on more than 30 million alleged adulterers. (I say “alleged” because most of the accounts turned out to be fakes.) But the overwhelming majority of stolen data will not find its way into HIBP until long after the horse is out of the barn.
"Let's Assume…"
HIBP is a free service, and at the very least provides a wakeup call for password vigilance. There's an old saying that to ASSUME "makes an ASS of U and ME." But when it comes to your online accounts, the opposite is true. Given the fact that many popular websites, online stores, health insurance companies and even banks have suffered embarrassing data breaches, it makes sense to assume that you HAVE been affected.
See my advice in the sidebar above regarding how to have strong, unique passwords for every website you use, and make it happen today. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 26 Sep 2016
Source: https://askbobrankin.com/have_you_been_pwned.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Have You Been Pwned?"
Posted by:
Unitary
26 Sep 2016
The "Have I Been Pwned" site offers to notify you if and when it detects that you were Pwned.
If you try to register for such notifications, you see the following message:
"Just to make sure you're not a robot, please solve this puzzle first:"
The real puzzle is: where is that puzzle? I could not find one. Maybe the puzzle was Pwned...
Posted by:
John Anderson
26 Sep 2016
Well, I found I had been pwned in LinkedIn. Some years ago I did everything I could find to remove myself from LinkedIn. I still get occasional notices that someone wants to connect with me, and I don't know what else to do about it. I don't want to change my password there, because that would then make me active again (if I am really inactive). Any comments on this situation?
Posted by:
Dave S
26 Sep 2016
Thanks for this! I checked all my emails from Yahoo and did find one on that list.
Strangely, I found one of my gmail accounts on that list as well (the password was different than my yahoo.com account). I don't remember reading anything about Google accounts being breached. Did I miss that?
Posted by:
Mulakush
26 Sep 2016
How do we know that the "Have I Been Pwned" site is by itself legitimate? I feel a little alarmed about putting in my email address.
EDITOR'S NOTE: I addressed that point in my article.
Posted by:
TBG
26 Sep 2016
To Unitary: Just click in the square box in front of the phrase "I am not a robot."
Posted by:
William L. White
26 Sep 2016
Thank you for the information regarding the Yahoo email breach. While changing my password I was asked to disable my security questions and answers, which I did. A follow-up email to me asked if I had done so and, if so, I was good to go. I saw no way to get new security questions and answers. Am I missing something?
Posted by:
lcathowie
26 Sep 2016
LOVE your articles! All are INFORMATIVE and interesting. Thank you for YOU, and glad I found your website. Too bad too much good stuff is already taken. Cat Howie
Posted by:
Jay R
26 Sep 2016
Good news! I'm not on the site. But that hasn't stopped my bank from giving me new card numbers every year or so. I was about to call my kids and ask if any of them were holding a pawn ticket. I had to get that off of my chess.
Posted by:
Just a Yahoo
26 Sep 2016
AT&T switched its emails to Yahoo a few years back, so some people may not realize their Bell Telephone emails are YAHOO. Worse, some AT&T/Yahoo emails are Access IDs (using the same password as the email) to see AT&T accounts & get info like WIFI password & call/text history.
I recently learned that a forgotten, neglected Ameritech email had full access to my AT&T accounts (which I had linked). Scary!
Posted by:
Robert A.
26 Sep 2016
Hmmm...I just checked HIBP, after reading Bob's article. Lo and behold, I found that I had been Pwned on three sites: IMesh, MySpace and Trillian. But the interesting part is I have never had any accounts with any of these outfits. I am not on ANY social media, for that matter. I am neither rich nor famous, and have never felt the need to post frivolous tweets or opinions on these sites, nor do I need to have my ego stroked by getting "likes" from persons that I don't know, care about, nor will ever meet. I guess I am old school. I prefer communicating with others, whenever possible, in person, over an actual phone call/Skype call, and only as a last resort, by using email or instant messenger.
IMesh, after checking its website, seems to have died, so, I guess I am okay there. But the other two, I'm confused. I'm concerned that possibly someone I may have met or known sometime in the past, as a rival or enemy, or, just as a practical joke, may have set up a bogus account in my name, and posing as me with some personal info that they knew about me, from casual conversations.
Although most, if not all persons should be smart enough not to reveal their Social Security/bank account/credit card numbers to others, in casual communications, many will unintentionally reveal some rather common info to persons that probably really don't need to know it. Info that others could use to build fake profiles in your name: home address, phone numbers; family, friends, neighbors and pets names; vehicle makes, models, colors and license numbers; social, political and religious or business affiliations, information gleaned from an on-line job resume, or personal photos posted on social media accounts.
Privacy is getting rarer and rarer, these days. There's no need to give up more of it, either voluntarily or involuntarily. Broadcasting one's life story and personal details can be very risky. One should only share that info with others on a need-to-know basis.
Posted by:
MmeMoxie
26 Sep 2016
Good wakeup call, Bob. I checked my email accounts and found 2 that had breaches. One of the websites really shocked me; I had thought it was more secure when joining its Forum.
LinkedIn was one of the breaches. I honestly hate that website! You basically can't even close down your account. LinkedIn still retains most of your information. Now, that to me is a major security breach alone.
These breaches were from my AT&T email accounts. I don't use the web emails on AT&T, but nonetheless, it is still AT&T and most probably Yahoo.
Posted by:
Delta
27 Sep 2016
To William L. White
WikiHow says "Security questions used to be used to protect your Yahoo! account, but have been phased out in favor of recovery phone numbers and email addresses." see http://www.wikihow.com/Reset-Security-Questions-in-Yahoo-Mail
Google (among others) has "conclude[d] that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both." see https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html for more.
Posted by:
froggs09
29 Sep 2016
Help on how to delete accounts on LinkedIn and others.
https://www.accountkiller.com/en/
http://backgroundchecks.org/justdeleteme/
Hope this helps