Have You Been Pwned?
Yahoo made headlines recently by admitting that it suffered a data breach that may have compromised more than 500 MILLION Yahoo accounts. Here's how to find out if you may have been affected by this (or one of many other) massive data breaches...
Is Your Personal Data Exposed?
The Yahoo breach, which exposed names, email addresses, telephone numbers, dates of birth, and weakly-encoded passwords, happened in late 2014. Incredibly, Yahoo says it didn’t even suspect the breach until the summer of 2016, and it didn’t advise users to change their passwords until September 22.
While Yahoo may have been “grossly negligent” in its security practices, as two class-action lawsuits already allege, it’s worth noting that data breaches go undetected for 201 days, on average. During that time, a lot of damage can be done to users’ finances, credit, privacy, and more. That’s why it behooves each of us to be constantly vigilant about our own security.
A savvy reader suggested to me, “You might want to remind your readers to occasionally go to the site Have I Been Pwned and check if they have been “pwned” * at one of the compromised websites. If they had an account (on) those sites, it doesn’t necessarily mean that their password has been compromised but it may have been. So it is a good idea to change your password at those sites and also at any other sites where you may have used the same password.”
(* “Pwned” is gamer slang, a deliberate misspelling of “owned”: captured, conquered. In this context, it means a hacker now owns your login credentials, and maybe much more sensitive data.)
Have I Been Pwned (HIBP) collects and analyzes stolen data that it finds online. It then allows users to check their “email address or username” to see if it’s on HIBP’s “pwned” list. If it is, HIBP displays the information about the source of the data breach, when it occurred, how many accounts were compromised, and if your credentials are known to have been posted on a publicly searchable repository of "pwned" addresses.
I've mentioned HIBP before, but it's worth revisiting, in light of the ever-growing list of websites and institutions that have suffered data breaches. HIBP is the creation of a well-respected security expert, Troy Hunt. According to the site itself, HIBP was launched in December 2013, and as of September 2016, it receives about 10,000 visitors a day. About 350,000 people have subscribed to be notified if their email addresses turn up in future additions to its list of pwned accounts.
Is It Safe and Effective?
HIBP seems safe and legit. If you learn there that one of your email addresses may have been compromised, by all means change the password for that account, and for any other account where the same password was used. You can also sign up to be notified by email if any of your account information is found in future breaches.
And just for fun, see Hey, Is This Your Password? to find out if any of the keys to your kingdom are on the list of the 25 Worst Passwords.
In most cases, when a site is breached, the hackers get your email address and a hashed or encrypted copy of your password, not the password itself. This is why trivial passwords are such a big problem: the thieves recover passwords from a dump by hashing huge lists of common guesses and looking for matches. The weaker your password is, the more likely it is on one of those lists, and the more likely the data thieves will be able to decode it.
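To make the mechanism concrete, here is an added example (not code from this article or from HIBP) that simulates a breached site on both sides: it builds a dump of email addresses plus SHA-1 password hashes for four invented accounts, then cracks that dump with a small wordlist and the cheap "mangling" rules attackers use (capitalization, appended digits, years and punctuation). The accounts, passwords and wordlist are all constructed for the example. It also shows why a dump of unsalted hashes is so cheap to attack: one guess, hashed once, is tested against every account at the same time, whereas a per-user salt forces the attacker to hash each guess separately for each account.

```python
import hashlib
import os


def sha1_hex(data: str) -> str:
    """Unsalted SHA-1 in hex, the kind of scheme found in several large 2012-era dumps."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


# Constructed "breached site" data for this example: the accounts and
# passwords are invented. Three are the trivial kind the article warns about;
# the fourth is long and random and should survive the attack below.
SITE_PASSWORDS = {
    "alice@example.com": "password",
    "bob@example.com": "letmein1",
    "carol@example.com": "Summer2016!",
    "dave@example.com": "kx7#Qm!2rT9vLz$e",
}

# Constructed wordlist. Real cracking wordlists run to hundreds of millions
# of entries harvested from earlier breaches.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer", "football", "monkey"]


def build_dump(passwords):
    """What the breached site stored: email and an unsalted SHA-1 of the password."""
    return [(email, sha1_hex(pw)) for email, pw in passwords.items()]


def build_salted_dump(passwords):
    """Same accounts, but each hash mixes in a random per-user salt stored beside it."""
    rows = []
    for email, pw in passwords.items():
        salt = os.urandom(8).hex()
        rows.append((email, salt, sha1_hex(salt + pw)))
    return rows


def candidates(wordlist):
    """Yield each word plus the common mangling rules crackers apply automatically."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!", "2016", "2016!"):
                yield base + suffix


def crack_unsalted(dump, wordlist):
    """Hash every guess once, then look up every account's hash in that table.

    Returns (cracked {email: password}, number of hashes computed)."""
    table = {}
    hashes_computed = 0
    for guess in candidates(wordlist):
        table.setdefault(sha1_hex(guess), guess)
        hashes_computed += 1
    found = {email: table[digest] for email, digest in dump if digest in table}
    return found, hashes_computed


def crack_salted(dump, wordlist):
    """With per-user salts there is no shared table: every guess is re-hashed per account.

    Returns (cracked {email: password}, number of hashes computed)."""
    guesses = list(candidates(wordlist))
    found = {}
    hashes_computed = 0
    for email, salt, digest in dump:
        for guess in guesses:
            hashes_computed += 1
            if sha1_hex(salt + guess) == digest:
                found[email] = guess
                break
    return found, hashes_computed


if __name__ == "__main__":
    cracked, work = crack_unsalted(build_dump(SITE_PASSWORDS), WORDLIST)
    print(f"unsalted: {len(cracked)} of {len(SITE_PASSWORDS)} accounts cracked "
          f"with {work} hash computations: {cracked}")
    cracked_s, work_s = crack_salted(build_salted_dump(SITE_PASSWORDS), WORDLIST)
    print(f"salted:   {len(cracked_s)} of {len(SITE_PASSWORDS)} accounts cracked "
          f"with {work_s} hash computations")
```

Running it cracks alice, bob and carol from just 84 hash computations in the unsalted case, because "Summer2016!" and "letmein1" are nothing more than dictionary words with a predictable suffix; dave's random password is never guessed. The salted run recovers the same three weak passwords, only at a cost that grows with the number of accounts, which is why salting (and slow hashes such as bcrypt) buys time for users but does not rescue a password that is on the list in the first place.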
One reservation I have about HIBP is the timeliness of its data. HIBP harvests published files of compromised accounts. Typically, such files are not published until the accounts in them have been thoroughly exploited, sold, and re-sold multiple times. HIBP told me that a MySpace account belonging to me was breached in 2008 but the data wasn’t published until 2016. I can't blame HIBP for not knowing about this earlier, but it's little comfort to find out today that my account was pwned eight years ago.
There are cases in which “fresh” data is published. The hackers who breached the Ashley Madison “have an affair” site wasted no time in publishing all the embarrassing data they got on more than 30 million alleged adulterers. (I say “alleged” because most of the accounts turned out to be fakes.) But the overwhelming majority of stolen data will not find its way into HIBP until long after the horse is out of the barn.
HIBP is a free service, and at the very least provides a wake-up call for password vigilance. There's an old saying that to ASSUME "makes an ASS of U and ME." But when it comes to your online accounts, the opposite is true. Given the fact that many popular websites, online stores, health insurance companies and even banks have suffered embarrassing data breaches, it makes sense to assume that you HAVE been affected.
See my advice in the sidebar above regarding how to have strong, unique passwords for every website you use, and make it happen today. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 26 Sep 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved