If you've been researching the dangers of data breaches, you might have come across a website named Have I Been Pwned (or HIBP). The premise of the website is simple. In exchange for your email address, phone number, username, or even password, Have I Been Pwned will tell you if any of them have ever been published online.
Obviously, if you're worried about people stealing your data, the idea of handing those details to an unfamiliar website might not seem like the best option.
So what exactly is Have I Been Pwned and more importantly, can you trust it?
What Is Have I Been Pwned (HIBP)?
Have I Been Pwned is a popular website that as of 2019 has over 2 million subscribers.
It's smart to be wary about who you give your details to, but this website is designed to help you avoid problems, not cause them.
Have I Been Pwned was originally created in 2013 by a security researcher named Troy Hunt. According to Hunt, he created the website in response to the data breach at Adobe Systems, which affected 32 million people.
He claims that at the time of the attack, it was easy for hackers to download large batches of stolen account details, but very difficult for the average person to find out whether their own details were included.
When the website launched, it only had the records of five security breaches. Have I Been Pwned now has hundreds of breaches on record and the average person can find out if they are included in seconds.
If you're still concerned about the intentions of Have I Been Pwned, it's also worth noting that plans were recently announced to make the entire system open source.
Why Is It Called Have I Been Pwned?
If the name doesn't automatically inspire confidence, that's because it's derived from a term used by hackers.
In hacking, the term "pwn" means to compromise, or take control of, another computer or application.
The logo also includes the text ';--, a reference to SQL injection, which is a popular method of starting a data breach.
Where Does Have I Been Pwned Get Its Information?
When account details are stolen in bulk, they are often published online for anyone to download.
Due to the reputation of the website, there have also been numerous occasions when anonymous sources reached out to Hunt in order to contribute.
Keeping the website updated is therefore just a matter of adding the data dumps as they happen.
Arguably the most impressive feature of the website is the Dump Monitor. This is a Twitter bot which monitors Pastebin pastes for potential data dumps. When it finds one, all of the account details are added in real time.
Most data dumps aren't immediately talked about. So if your details are ever stolen, it's likely that they'll be added to the database before you even hear that they've been stolen.
The website is likely to be even faster in the future as they recently announced that they were working with the FBI. Under the proposed agreement, it's expected that the FBI will feed compromised passwords directly into the database as they are found.
The FBI is obviously responsible for investigating all sorts of criminals, so they're likely to have access to passwords that nobody else would.
Wouldn't a Company Tell Me if My Details Were Stolen?
If a company experiences a data breach, the correct course of action is to contact everybody that may have been affected. Unfortunately, this doesn't always happen.
Sometimes it isn't practical to contact everybody. For example, people might sign up to a service and then change their email address. Other times, data breaches aren't made public because they can make a company look bad.
In 2015, Hunt was contacted by an anonymous source who gave him a data dump that apparently came from the web hosting company 000WebHost. Hunt worked with a Forbes journalist to verify the data. Upon doing so, they attempted to contact the company but were unable to get a response.
000WebHost eventually acknowledged the breach but this didn't happen until after the Forbes journalist published an article on the topic.
What Happens if Your Details Are Involved in a Data Breach?
If your account details are published online, there are a number of things that can happen, none of them good.
If your email account is breached, hackers can use it to access any service that your email is connected to. They can also contact people, pretending to be you. If any of your accounts have personal information, it can be sold or used for identity theft. If your online bank account is accessed, your money can be stolen.
How to Use Have I Been Pwned
Have I Been Pwned is very easy to use. Simply enter your details and it will tell you if there's a match. Here are a few things to keep in mind when using the service.
If your details aren't found, this doesn't automatically mean that they've never been stolen. It just means that Have I Been Pwned has never come across them.
Have I Been Pwned doesn't return results from breaches that occurred on sensitive websites, i.e. anything adult. If you'd like to access the entire database, you will have to verify your email address.
If you sign up to Have I Been Pwned, you can opt to receive an email if your details are ever published in the future. This is very much recommended.
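The password check in particular is safer than "enter your password" suggests: the Pwned Passwords lookup never receives the password. The client hashes it with SHA-1, sends only the first five hex characters of the digest, and compares the returned candidate suffixes locally. The Python below is an added example, not code from the site or from Troy Hunt; the range response text and counts are constructed so it runs offline, and offline_fetch stands in for the real HTTPS call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for SHA-1 prefix
# 5BAA6. The real service (GET https://api.pwnedpasswords.com/range/<prefix>)
# returns one "<35-hex-char suffix>:<count>" line per known hash sharing that
# prefix; the two filler suffixes and all counts here are invented so that the
# example runs offline.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210FED:5
"""

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the
    5-char prefix (the only thing sent) and the 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Turn the "suffix:count" lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in breach data (0 = never seen).
    fetch_range(prefix) returns the response body; matching happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS call that only knows the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: " + (f"seen {n} times" if n else "not in sample data"))
```

To use it against the live service, replace offline_fetch with a function that performs the HTTPS GET for the prefix and returns the response body; the password and its full hash still never leave the machine.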
What to Do if Your Details Have Leaked
If your details are found, there are a number of steps that you should take.
- If your password is found, you should visit any website that uses it and change it immediately.
- If any of the affected accounts are important to you, you should look for evidence that they've been accessed.
- If an email address is affected, you should also change the password of any service that's linked to it.
- You should avoid using this password anywhere in the future.
Protect Your Accounts Today
Data breaches are a frequent occurrence and can happen on any website, regardless of size. If you think that you might have been affected, Have I Been Pwned is the best, and perhaps only, resource for finding out.
Regardless of whether or not your details have already been stolen, the preferred way to protect against data breaches is to never use the same password on multiple accounts. This way, if your details are ever stolen, only one account will be affected.