Have I Been Pwned? Check if your email has been compromised in a data breach

[Deozaan]

Have I Been Pwned is a website/service that allows you to check to see if your email address (or other info) can be found within the database(s) of various sites that have had data breaches over the years. It was mentioned earlier on this site in this thread.

But consider this a friendly reminder/suggestion to occasionally check and see which sites have mishandled your data.

https://haveibeenpwned.com/

[tomos]

Two out of three emails 'breached' -- but all ones I had heard about already.

I was freaked out lately by a spam email (of a threatening legal you havent paid this bill nature) that had my name, address, and *unlisted* telephone number. Was able to trace it back to a previous 'harmless' spam email, but I was not able to find out how they got my details. They wrote my name incorrectly (was spelled correctly) and wrote the telephone number in a slightly unusual manner. Have yet to follow up on it (not sure yet what I can do, but dont suspect I will have much success anyways).

[Curt]

"Curt@"

Oh no — pwned!
Pwned on 5 breached sites and found no pastes (subscribe to search sensitive breaches)

A "breach" is an incident where data has been unintentionally exposed to the public.

Breaches you were pwned in


Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Compromised data: Email addresses, Password hints, Passwords, Usernames
------------------

Dropbox: In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers. In August 2016, they forced password resets for customers they believed may be at risk. A large volume of data totalling over 68 million records was subsequently traded online and included email addresses and salted hashes of passwords (half of them SHA1, half of them bcrypt).

Compromised data: Email addresses, Passwords
------------------

Exploit.In (unverified): In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I been pwned.

Compromised data: Email addresses, Passwords
------------------

MajorGeeks: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.

Compromised data: Email addresses, IP addresses, Passwords, Usernames
------------------

Malwarebytes: In November 2014, the Malwarebytes forum was hacked and 111k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity

[Deozaan]

Yeah... I've had a number of accounts pwned over the years. Ever since the Gawker hack I've been pretty consistent about always making a new forwarder address for every site/service I sign up for. So if I start getting spam I can just delete that forwarder address and move on with my life (or create a new one to replace it if I still need to use that service). But there have been a time or two where I was careless and used my "main" email address, or accounts created long ago that were long forgotten which have since been pwned, and now I get spam to my normal email address fairly regularly.

You'd think I'd have learned my lesson, but just last year I carelessly gave out the main address to a new account I'd created to rid myself of the spam (for some reason it didn't occur to me that I could use forwarders with that account) and just a month or so later the site I'd signed up for was breached. 

Here are the latest results for me:

Breaches — 17 emails found
Pwned sites
Android Forums, Anti Public Combo List
Dropbox
Anti Public Combo List, Exploit.In
Disqus
Anti Public Combo List, Gamigo
Kickstarter
Last.fm
LinkedIn
Patreon
B2B USA Businesses
Nexus Mods
XSplit

[wraith808]

Just checked mine again:

Good news — no pwnage found!
No breached accounts and no pastes (subscribe to search sensitive breaches)

 

The e-mail I use for job searches and official stuff was pwned by linked in 

[4wd]

Out of 23 gmail addresses, 3 have one breach each, (all different).

Not too worried as it was for sites that were unimportant, 2FA is used on the gmail accounts and any important sites.

That site is rather limited in it's checking algorithm though, eg.

[email protected]
[email protected]
[email protected]

All the same address as far as email is concerned but the checker regards each as being a separate entity, ie. [email protected] is compromised but as far as the check is concerned, [email protected] won't be.

They need to strip out all the irrelevant characters before checking, both from the input address and their lookup lists.

[Deozaan]

And that's not even taking into consideration the infinite number of possible [email protected] addresses.

[Ath]

They need to strip out all the irrelevant characters before checking, both from the input address and their lookup lists.

-4wd (April 11, 2018, 10:37 PM)

AFAIK, that's only applicable for @gmail.* and gmail provided (undetectable as they can have any domain name, I presume) e-mail addresses, and not for 'regular' e-mail providers , unless you know of other e-mail providers that follow the same policy/structure?

[4wd]

They need to strip out all the irrelevant characters before checking, both from the input address and their lookup lists.

-4wd (April 11, 2018, 10:37 PM)

AFAIK, that's only applicable for @gmail.* and gmail provided (undetectable as they can have any domain name, I presume) e-mail addresses, and not for 'regular' e-mail providers , unless you know of other e-mail providers that follow the same policy/structure?

-Ath (April 12, 2018, 01:21 AM)

It was an example, (the eg. bit), they could filter based on the domain the email address belongs to, (gmail.com, hotmail.com, mail.ru, etc), using whatever addressing rules the provider uses.

Even if they did it only for gmail it should considerably reduce the size of the lists and the need to input multiple email addresses for checking.

I'm only really talking about the big providers here which would probably cover >90% of the list, it'd be impossible to cater for every domain, (eg. [email protected]).