Who is behind Have I been pwned?

I'm Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.

I created Have I been pwned? as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.

Short of the odd donation, all costs for building, running and keeping the service currently come directly out of my own pocket. Fortunately, today's modern cloud services like Microsoft Azure make it possible to do this without breaking the bank!

What is the site all about?

This site came about after what at the time was the largest ever single breach of customer accounts — Adobe. I often did post-breach analysis of user credentials and kept finding the same accounts exposed over and over again, often with the same passwords, which then put the victims at further risk of their other accounts being compromised.

The FAQs page goes into a lot more detail, but all the data on this site comes from publicly leaked "breaches" or, in other words, personal account data that has been illegally accessed then released into the public domain. Have I been pwned? aggregates it and makes it readily searchable.

Why build the site?

This site serves two primary purposes for me: firstly, it obviously provides a service to the public. Data breaches are rampant and many people don't appreciate the scale or frequency with which they occur. By aggregating the data here I hope that it not only helps victims learn of compromises of their accounts, but also highlights the severity of the risks of online attacks on today's internet.

Secondly, the site provided me with an excellent use case for putting a number of technologies through their paces and keeping my hands-on skills somewhat current. Projects like this are an excellent way of staying relevant as my day job increasingly focuses more on software management and less on actually building things (which I happen to love doing!). It's been an enormously fulfilling journey that I've invited others to join me on by way of often blogging in depth about the process, something I intend to keep up as the site inevitably evolves over time.

Site statistics:
147 pwned websites
1,458,062,898 pwned accounts
40,287 pastes
31,616,249 paste accounts

Top 10 breaches:
359,420,698 MySpace accounts
164,611,595 LinkedIn accounts
152,445,165 Adobe accounts
112,005,531 Badoo accounts
93,338,602 VK accounts
68,648,009 Dropbox accounts
65,469,298 tumblr accounts
49,467,477 iMesh accounts
40,767,652 Fling accounts
37,217,682 Last.fm accounts

FAQs

Need to know something about Have I been pwned? (HIBP)

What is a "breach" and where has the data come from?

A "breach" is an incident where a hacker illegally obtains data from a vulnerable system, usually by exploiting weaknesses in the software. All the data in the site comes from website breaches which have been made publicly available.

Are user passwords stored in this site?

No. The intention of the site is to map email addresses and usernames to data breaches, and storing the passwords here would do nothing to achieve that end.

Is a list of everyone's email address or username available?

The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature, but only after successfully verifying that the person performing the search is authorised to access assets on the domain.

What about breaches where passwords aren't leaked?

Occasionally, a breach will be added to the system which doesn't include credentials for an online service. This may occur when data about individuals is leaked and it may not include a username and password. However, this data still has a privacy impact; it is data that those impacted would not reasonably expect to be publicly released and as such they have a vested interest in having the ability to be notified of this.

How is a breach verified as legitimate?

There are often "breaches" announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:
- Has the impacted service publicly acknowledged the breach?
- Does the data in the breach turn up in a Google search (i.e. it's just copied from another source)?
- Is the structure of the data consistent with what you'd expect to see in a breach?
- Have the attackers provided sufficient evidence to demonstrate the attack vector?
- Do the attackers have a track record of either reliably releasing breaches or falsifying them?

What is a "paste" and why include it on this site?

A "paste" is information that has been "pasted" to a publicly facing website designed to share content, such as Pastebin. These services are favoured by hackers due to the ease of anonymously sharing information and they're frequently the first place a breach appears.

HIBP searches through pastes that are broadcast by the @dumpmon Twitter account and reported as having emails that are a potential indicator of a breach. Finding an email address in a paste does not immediately mean it has been disclosed as the result of a breach. Review the paste and determine if your account has been compromised, then take appropriate action such as changing passwords.
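The FAQ above describes two properties of the service worth seeing in code: breach data is indexed as a mapping from account identifiers to breach names (no passwords retained, and lookups answer for one address at a time rather than exposing the whole list), and a paste is scanned for addresses only as an indicator, not as proof of compromise. The block below is an added illustration written for this post; it is not HIBP's own code, and the breach names, addresses and paste text are constructed sample data.

```python
"""Added example: single-address breach lookup plus paste scanning (not HIBP code)."""
import re
from collections import defaultdict

# Constructed breach records: breach name -> accounts seen in that breach.
# Only the account identifier is kept; any password field is discarded on load.
SAMPLE_BREACHES = {
    "ExampleShop2013": ["alice@example.com", "Bob@Example.com", "carol@example.org"],
    "ExampleForum2015": ["alice@example.com", "dave@example.net"],
}

# Constructed paste in the common "address:secret" dump layout.
SAMPLE_PASTE = """leaked from somewhere
alice@example.com:secret-1
dave@example.net:secret-2
erin@example.com:secret-3
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalise(address: str) -> str:
    """Trim and lower-case so Bob@Example.com and bob@example.com index the same entry."""
    return address.strip().lower()


class BreachIndex:
    """Maps a normalised address to the set of breach names it appeared in.

    The underlying dict is private and no method returns it whole, mirroring the
    FAQ point that the public search answers for one address at a time.
    """

    def __init__(self, breaches: dict[str, list[str]]) -> None:
        self._by_address: dict[str, set[str]] = defaultdict(set)
        for name, accounts in breaches.items():
            for acct in accounts:
                # Only the address is stored; nothing else from the record survives.
                self._by_address[normalise(acct)].add(name)

    def lookup(self, address: str) -> list[str]:
        """Breach names for a single user-supplied address, sorted for stable output."""
        return sorted(self._by_address.get(normalise(address), ()))


def scan_paste(paste_text: str, index: BreachIndex) -> dict[str, list[str]]:
    """Extract addresses from a paste and attach any known breaches for each.

    An address appearing here is an indicator only; an empty breach list means the
    address was seen in a paste but is not tied to a verified breach in the index.
    The secret half of each "address:secret" line is never captured by the regex.
    """
    found = {normalise(m) for m in EMAIL_RE.findall(paste_text)}
    return {addr: index.lookup(addr) for addr in sorted(found)}


if __name__ == "__main__":
    idx = BreachIndex(SAMPLE_BREACHES)
    print("alice ->", idx.lookup("ALICE@example.com"))
    for addr, breaches in scan_paste(SAMPLE_PASTE, idx).items():
        print(f"{addr}: {'paste only' if not breaches else ', '.join(breaches)}")
```

Running it shows alice resolving to both constructed breaches regardless of letter case, dave to one, and erin to none even though her address is in the paste, which is exactly the "review the paste, then decide" caveat the FAQ gives.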