Data breaches seem to make the headlines weekly, if not daily. From the massive Yahoo breaches that leaked one billion users’ information to this week’s hack of Sydney startup Qnect, which has 51,000 users, it’s hard to keep up with whether your own personal data is now exposed to the public.
In December 2013, Australian security expert Troy Hunt launched a website called “Have I been pwned?”. Pwned is internet slang for “owned” or conquered. The site is a simple search engine where you input your email address or login and it will return whether that account has been involved in any data breaches.
Hunt said that as a security specialist he often trawled through data exposed by these incidents to analyse the passwords that people used, and that inspired him to create the HIBP resource.
“As I analysed various breaches I kept finding user accounts that were also disclosed in other attacks – people were having their accounts pwned over and over again,” he said in 2013 upon starting the site.
Despite travelling the world speaking and training the tech industry on security practices, Hunt’s own personal and work email addresses were found publicly exposed after the 2013 breach of Adobe customer data.
“I had absolutely no idea why!” he said.
“The most likely answer is that I did indeed create accounts on Adobe, perhaps as far back as in the days when I was using Dreamweaver to build classic ASP whilst it was still owned by Macromedia. The point is that these accounts had been floating around for so long that by the time a breach actually occurred I had no idea that my account had been compromised because the site was simply no longer on my radar.”
While resources existed to search for information on individual breaches, before HIBP there was no single place where someone could check for their personal information across all the different security leaks.
When it launched, the Have I Been Pwned site contained 154 million searchable accounts. Today it holds a staggering 3.75 billion. No doubt the huge Yahoo breaches discovered last year were a big contributor.
While even users who register only on “credible” sites still can’t avoid being hacked, Hunt said the damage from any leak can be minimised by using strong, unique passwords.
“As fallible humans, we reuse passwords. We’ve all done it at one time or another,” Hunt said on his blog last month. “Most people are just out there YOLO’ing away with the same password or three across all their things.”
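The two mechanics this article describes, a breach search engine keyed on an email address and the way password reuse multiplies the damage of any single leak, can be shown in a small script. The following is an added example and is not Have I Been Pwned’s own code; the breach dumps, addresses and passwords in it are constructed for illustration, and the choice to index accounts by a SHA-1 hash of the normalised address is an assumption made here so that the index itself is not a plaintext contact list.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample "breach dumps" (not real data): breach name -> list of (email, password).
BREACHES = {
    "siteA-2013": [("alice@example.com", "Summer2013!"), ("bob@example.com", "hunter2")],
    "siteB-2016": [("Alice@Example.com ", "Summer2013!"), ("carol@example.com", "correct-horse")],
    "siteC-2017": [("bob@example.com", "hunter2"), ("dave@example.com", "hunter2")],
}


def normalize_email(email: str) -> str:
    # Case and whitespace differences must not hide an exposure, so normalise before indexing.
    return email.strip().lower()


def email_key(email: str) -> str:
    # Index by a hash of the normalised address rather than the address itself (assumed design).
    return hashlib.sha1(normalize_email(email).encode("utf-8")).hexdigest()


def build_index(breaches: dict) -> dict:
    """Map hashed email -> set of breach names in which that address appeared."""
    index = defaultdict(set)
    for name, records in breaches.items():
        for email, _password in records:
            index[email_key(email)].add(name)
    return index


def breaches_for(index: dict, email: str) -> list:
    """The 'have I been pwned?' lookup: which breaches contain this address?"""
    return sorted(index.get(email_key(email), ()))


def reuse_report(breaches: dict) -> dict:
    """Find (account, password) pairs exposed in more than one breach.

    A reused password means one leak compromises every site where it was used,
    which is the scenario Hunt describes; a unique password limits damage to one site.
    """
    seen = defaultdict(set)
    for name, records in breaches.items():
        for email, password in records:
            seen[(email_key(email), password)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def generate_password(length: int = 20) -> str:
    """Generate a strong, unique password with a CSPRNG (what a password manager does)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    index = build_index(BREACHES)
    print("alice:", breaches_for(index, "ALICE@example.com"))   # two breaches
    print("reused credentials:", reuse_report(BREACHES))
    print("fresh password:", generate_password())
```

Running it shows that alice’s address is found in two breaches despite the differing capitalisation in the second dump, and that both alice and bob have the same password sitting in two dumps each; dave’s `hunter2` is not flagged because reuse is judged per account, not per password string.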