Have You Been Pwned?

Have I Been Pwned?

At some point, there is a good chance your information will be taken from a website. The more websites you sign up to, the greater that chance becomes.

The best defence is to ensure unique passwords are used for every website, one of the reasons we gave last year for using a password manager like LastPass. Unique passwords prevent stolen passwords from being used on other websites.

But how do you know if your email address (and possibly your password and other information) has been stolen?

What Is Pwned?

Have I Been Pwned is a website created late in 2013 after a massive security breach at Adobe resulted in the publication of 153 million accounts. Troy Hunt, the creator of Have I Been Pwned, wanted to ensure the average user can discover if they have been compromised as easily as hackers can use the data for malicious purposes.

The word ‘pwned’ is meant to be pronounced ‘owned’. It started as a simple typo when a gamer meant to send the message ‘you have been owned’ to someone they had defeated but hit ‘p’ instead of ‘o’. Others started typing it on purpose, and it became part of gaming culture and was eventually used by hackers.

Pwned Websites

Have I Been Pwned have a catalogue of over 300 pwned websites with more than 6.5 billion pwned accounts, which you can search to check if your email address is somewhere in the list. Some websites are well known and run by large companies.

EyeEm, a website for photographers to share photography, had 20 million accounts exposed this month. Other companies include Adobe in 2013, LinkedIn in 2016, and Ancestry in 2015. LinkedIn was breached in 2012, taking 4 years before the data was published.

Verify Email Address

Verification complete, Good news or Oh No, pwned!

Have I Been Pwned offers a ‘Notify Me’ service. This provides two advantages over simply checking if your email address has been compromised.

The first is you will be notified when a breach has occurred, saving you from checking in every now and then to see if there have been new breaches your email address has been included in.

The second is your email address will be checked against more sensitive websites that are not publicly searchable. This prevents someone from entering email addresses of people they know to see if they turn up in lists such as the infidelity website Ashley Madison.

Domain Search

Domain Pwned search results

If you have your own domain name, you can perform a search to check if any email address for the domain is listed as compromised. A domain needs to be verified by proving you have control of the domain name or the website.

Once the domain is validated, any compromised email addresses are listed in a spreadsheet, a JSON file, or an HTML page. Each entry shows which breach the email address appears in.

What if I don’t want my email address searchable?

If you don’t want your email address searched on Have I Been Pwned, there is an opt-out feature where you can submit your email address. This will prevent your email address from returning results, but it also means the address will not show up in results for any future data breaches.

Check my email address

It only takes a few moments to check if your email address is in the clear. Head to haveibeenpwned.com to find out now.

The website also has a Pwned Passwords section. You can use it to check if the password you use is commonly used, and if so, think about using a different password.