Have I Been Pwned?

Type of site: Internet security
Created by: Troy Hunt
URL: haveibeenpwned.com
Commercial: Yes
Registration: Optional
Users: 2 million verified email subscribers (2018) [1]
Launched: 4 December 2013 (2013-12-04)
Current status: Online

Have I Been Pwned? [note 1] (HIBP; stylized in all lowercase as "';--have i been pwned?") is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. [3] [4] Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

As of June 2019, Have I Been Pwned? averages around one hundred and sixty thousand daily visitors; the site has nearly three million active email subscribers and contains records of almost eight billion accounts. [5]

Features

The primary function of Have I Been Pwned? since it was launched is to provide the general public with a means to check if their private information has been leaked or compromised. Visitors to the website can enter an email address, and see a list of all known data breaches with records tied to that email address. The website also provides details about each data breach, such as the backstory of the breach and what specific types of data were included in it.

Have I Been Pwned? also offers a "Notify me" service that allows visitors to subscribe to notifications about future breaches. Once someone signs up with this notification mailing service, they will receive an email message any time their personal information is found in a new data breach.

In September 2014, Hunt added functionality that enabled new data breaches to be automatically added to HIBP's database. The new feature used Dump Monitor, a Twitter bot which detects and broadcasts likely password dumps found on pastebin pastes, to automatically add new potential breaches in real time. Data breaches often show up on pastebins before they are widely reported on; thus, monitoring this source allows consumers to be notified sooner if they've been compromised. [6]

Along with detailing which data breach events an email account has been affected by, the website also recommends that those who appear in a search install a password manager, namely 1Password, which Troy Hunt has recently endorsed. [7] An explanation on his website [8] sets out his motives.

Pwned passwords

In August 2017, Hunt made public 306 million passwords which could be accessed via a web search or downloadable in bulk. [9]

In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify if a password was leaked without fully disclosing the searched password. [10] [11] This protocol was implemented as a public API in Hunt's service and is now consumed by multiple websites and services including password managers [12] [13] and browser extensions. [14] [15] This approach was later replicated by Google's Password Checkup feature. [16] [17] [18] Ali worked with academics at Cornell University to formally analyse the protocol to identify limitations and develop two new versions of this protocol known as Frequency Size Bucketization and Identifier Based Bucketization. [19] In March 2020, cryptographic padding was added to this protocol. [20]
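The k-anonymity check described above, as an added example that is not the page's or HIBP's own code: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and compares the remaining 35 characters locally against the returned suffixes, so the full hash never leaves the client. The five-character prefix and the SUFFIX:COUNT line format match the public Pwned Passwords range API; the server response, its counts and the fetch_range stand-in for the HTTPS request are constructed for this example.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5                 # hex characters disclosed to the server
BUCKETS = 16 ** PREFIX_LEN     # 1,048,576 prefixes: the anonymity set the server sees


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict, dropping count-0 padding entries.

    Since March 2020 the service can pad a response with dummy suffixes whose
    count is 0 so that response size does not reveal the bucket size; those
    lines must never be treated as matches.
    """
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN:
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n > 0:
            table[suffix.upper()] = n
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    Only the prefix is handed to fetch_range; the suffix comparison is local.
    """
    prefix, suffix = split_hash(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


# Constructed stand-in for the range endpoint (GET /range/{prefix} on the real
# API). The first suffix is the genuine SHA-1 suffix of the string "password";
# its count and the other two lines are invented for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:7",
        "FEDCBA9876543210FEDCBA9876543210FED:0",   # padding entry, ignored
    ]),
}


def fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS request; unknown prefixes yield an empty bucket."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix = split_hash(pw)[0]
        print(f"{pw!r}: seen {pwned_count(pw, fetch_range)} times; server saw only {prefix}")
```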

History

Launch

Troy Hunt, the creator of Have I Been Pwned?

In late 2013, web security expert Troy Hunt was analyzing data breaches for trends and patterns. He realized breaches could greatly impact users who might not even be aware their data was compromised, and as a result, began developing HIBP. "Probably the main catalyst was Adobe," said Hunt of his motivation for starting the site, referring to the Adobe Systems security breach that affected 153 million accounts in October 2013. [21]

Hunt launched Have I Been Pwned? on 4 December 2013 with an announcement on his blog. At that time, the site had just five data breaches indexed: Adobe Systems, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures. [22] However, the site now had the functionality to easily add future breaches as soon as they were made public. Hunt wrote:

Now that I have a platform on which to build I'll be able to rapidly integrate future breaches and make them quickly searchable by people who may have been impacted. It's a bit of an unfair game at the moment – attackers and others wishing to use data breaches for malicious purposes can very quickly obtain and analyse the data but your average consumer has no feasible way of pulling gigabytes of gzipped accounts from a torrent and discovering whether they've been compromised or not. [22]

Data breaches

Since its launch, the primary development focus of HIBP has been to add new data breaches as quickly as possible after they are leaked to the public.

In July 2015, online dating service Ashley Madison, known for encouraging users to have extramarital affairs, suffered a data breach, and the identities of more than 30 million users of the service were leaked to the public. The data breach received wide media coverage, presumably due to the large number of impacted users and the perceived shame of having an affair. According to Hunt, the breach's publicity resulted in a 57,000% increase in traffic to HIBP. [23] Following this breach, Hunt added functionality to HIBP by which breaches considered "sensitive" would not be publicly searchable, and would only be revealed to subscribers of the email notification system. This functionality was enabled for the Ashley Madison data, as well as for data from other potentially scandalous sites, such as Adult FriendFinder. [4]

In October 2015, Hunt was contacted by an anonymous source who provided him with a dump of 13.5 million users' email addresses and plaintext passwords, claiming it came from 000webhost, a free web hosting provider. Working with Thomas Fox-Brewster of Forbes, he verified that the dump was most likely genuine by testing email addresses from it and by confirming sensitive information with several 000webhost customers. Hunt and Fox-Brewster attempted many times to contact 000webhost to further confirm the authenticity of the breach, but were unable to get a response. On 29 October 2015, following a reset of all passwords and the publication of Fox-Brewster's article about the breach, 000webhost announced the data breach via their Facebook page. [24] [25]

In early November 2015, two breaches of gambling payment providers Neteller and Skrill were confirmed to be genuine by the Paysafe Group, the parent company of both providers. The data included 3.6 million records from Neteller obtained in 2009 using an exploit in Joomla, and 4.2 million records from Skrill (then known as Moneybookers) that leaked in 2010 after a virtual private network was compromised. The combined 7.8 million records were added to HIBP's database. [26]

Later that month, electronic toy maker VTech was hacked, and an anonymous source privately provided a database containing nearly five million parents' records to HIBP. According to Hunt, this was the fourth largest consumer privacy breach to date. [27]

In May 2016, an unprecedented series of very large data breaches that dated back several years were all released in a short timespan. These breaches included 360 million Myspace accounts from circa 2009, 164 million LinkedIn accounts from 2012, 65 million Tumblr accounts from early 2013, and 40 million accounts from adult dating service Fling.com. These datasets were all put up for sale by an anonymous hacker named "peace_of_mind", and were shortly thereafter provided to Hunt to be included in HIBP. [28] In June 2016, an additional "mega breach" of 171 million accounts from Russian social network VK was added to HIBP's database. [29]

In August 2017, BBC News featured Have I Been Pwned? in its coverage of Hunt's discovery of a spamming operation that had been drawing on a list of 711.5 million email addresses. [30]

Unsuccessful effort to sell

Midway through June 2019, Hunt announced plans to sell Have I Been Pwned? to a yet-to-be-determined organisation. In his blog, he outlined his wishes to reduce personal stress and expand the site beyond what he was able to accomplish himself. [5] As of the release of the blog post, he was working with KPMG to find companies he deemed suitable which were interested in the acquisition. However, in March 2020, he announced on his blog that Have I Been Pwned? would remain independent for the foreseeable future. [31]

Open-sourcing

On August 7, 2020, Hunt announced on his blog his intention to open-source the Have I Been Pwned? codebase. [32] He started publishing some code on May 28, 2021. [33]

Branding

The name "Have I Been Pwned?" is based on the script kiddie jargon term "pwn", which means "to compromise or take control, specifically of another computer or application."

HIBP's logo includes the text ';--, which is a common SQL injection attack string: when user input is concatenated into a query rather than passed as a parameter, the quote closes the string literal, the semicolon ends the statement and -- comments out whatever follows. A hacker trying to take control of a website's database might use such an attack string to manipulate a website into running malicious code. Injection attacks are one of the most common vectors by which a database breach can occur; they are the #1 most common web application vulnerability on the 2013 OWASP Top 10 list. [34]

Notes

  1. Pronounced /ˈpoʊnd/ POHND [2]


References

  1. "We're Baking Have I Been Pwned into Firefox and 1Password". troyhunt.com. 25 June 2018.
  2. Merriam-Webster. "What Does 'Pwn' Mean? And how do you say it?"
  3. Seltzer, Larry (5 December 2013). "How to find out if your password has been stolen". ZDNet. Retrieved 18 March 2016.
  4. Price, Rob (20 August 2015). "HaveIBeenPwned.com lets you see if you're in the Ashley Madison hack leak". Business Insider. Retrieved 18 March 2016.
  5. "Project Svalbard: The Future of Have I Been Pwned". Troy Hunt. 11 June 2019. Retrieved 11 June 2019.
  6. O'Neill, Patrick Howell (16 September 2014). "How to find out if you've been hacked in under a minute". The Daily Dot. Retrieved 20 May 2016.
  7. "Finding Pwned Passwords with 1Password - AgileBits Blog". agilebits.com. 22 February 2018.
  8. "Have I Been Pwned is Now Partnering With 1Password". troyhunt.com. 29 March 2018.
  9. "Need a new password? Don't choose one of these 306 million". Engadget. Retrieved 29 May 2018.
  10. "Find out if your password has been pwned—without sending it to a server". Ars Technica. Retrieved 24 May 2018.
  11. "1Password bolts on a 'pwned password' check – TechCrunch". techcrunch.com. 23 February 2018. Retrieved 24 May 2018.
  12. "1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online". Retrieved 24 May 2018.
  13. Conger, Kate. "1Password Helps You Find Out if Your Password Is Pwned". Gizmodo. Retrieved 24 May 2018.
  14. Condon, Stephanie. "Okta offers free multi-factor authentication with new product, One App | ZDNet". ZDNet. Retrieved 24 May 2018.
  15. Coren, Michael J. "The world's biggest database of hacked passwords is now a Chrome extension that checks yours automatically". Quartz. Retrieved 24 May 2018.
  16. Wagenseil I, Paul (5 February 2019). "Google's New Chrome Extension Finds Your Hacked Passwords". www.laptopmag.com.
  17. "Google Launches Password Checkup Extension to Alert Users of Data Breaches". BleepingComputer.
  18. Dsouza, Melisha (6 February 2019). "Google's new Chrome extension 'Password CheckUp' checks if your username or password has been exposed to a third party breach". Packt Hub.
  19. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (6 November 2019). "Protocols for Checking Compromised Credentials". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 1387–1403. arXiv:1905.13737. Bibcode:2019arXiv190513737L. doi:10.1145/3319535.3354229. ISBN 978-1-4503-6747-9. S2CID 173188856.
  20. Ali, Junade (4 March 2020). "Pwned Passwords Padding (ft. Lava Lamps and Workers)". The Cloudflare Blog. Retrieved 12 May 2020.
  21. Coz, Joseph (10 March 2016). "The Rise of 'Have I Been Pwned?', an Invaluable Resource in the Hacking Age". Vice. Retrieved 18 March 2016.
  22. Cluley, Graham (5 December 2013). "Check if you're the victim of a data breach with 'Have I Been Pwned?'". grahamcluley.com. Retrieved 20 May 2016.
  23. Rash, Wayne (28 May 2016). "How Troy Hunt Is Alerting Web Users Ensnared in Huge Data Breaches". eWeek. Retrieved 15 June 2016.
  24. Fox-Brewster, Thomas (28 October 2015). "13 Million Passwords Appear To Have Leaked From This Free Web Host - UPDATED". Forbes. Retrieved 20 May 2016.
  25. 000webhost (29 October 2015). "We have witnessed a database breach on our main server". Facebook. Retrieved 20 May 2016.
  26. Fox-Brewster, Thomas (30 November 2015). "Gambling Darling Paysafe Confirms 7.8 Million Customers Hit In Epic Old Hacks". Forbes. Retrieved 20 May 2016.
  27. Franceschi-Bicchierai, Lorenzo (27 November 2015). "One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids". Vice. Retrieved 31 March 2016.
  28. Storm, Darlene (30 May 2016). "Pwned: 65 million Tumblr accounts, 40 million from Fling, 360 million from MySpace". Computerworld. Retrieved 15 June 2016.
  29. Whittaker, Zack (10 June 2016). "More "mega breaches" to come, as rival hackers vie for sales". ZDNet. Retrieved 15 June 2016.
  30. Kelion, Leo (30 August 2017). "Giant spambot scooped up 711 million email addresses". BBC News. Retrieved 30 August 2017.
  31. "Project Svalbard, Have I Been Pwned and its Ongoing Independence". Troy Hunt. 3 March 2020. Retrieved 30 April 2020.
  32. Hunt, Troy (7 August 2020). "I'm Open Sourcing the Have I Been Pwned Code Base". Retrieved 8 August 2020.
  33. Hunt, Troy (27 May 2021). "Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI". Retrieved 29 May 2021.
  34. "Top 10 2013-Top 10". OWASP. Retrieved 20 May 2016.