What is HaveIBeenPwned and is it Safe?

The Internet is an increasingly scary place, but websites like Have I Been Pwned (HIBP) are trying to help. From the Yahoo breach to the many recent ransomware attacks, personal data is collected and leaked at staggering rates. 

For example, one security researcher collected over 530 million names, email addresses, and phone numbers tied to companies, including Facebook, Twitter, and LinkedIn. It's nearly impossible for companies to 100% guard their data, but they should be doing a better job.

NordVPN Banner Ad

What is Have I Been Pwned?

Have I Been Pwned ( www.haveibeenpwned.com ) is a free service that lets you search multiple data breaches in one click to see if your data is among them. If so, you can take steps to mitigate the potential damage. While the site's creator, Troy Hunt, has made it clear that he doesn't believe in changing leaked passwords, he feels you should know about it.

The site regularly receives and adds data from large-scale data breaches. The Have I Been Pwned database will get updated each time a new breach occurs. This database lets you check if your email address is among the over 6 billion accounts leaked in some of the most significant breaches ever recorded.

According to Hunt's December 2013 blog post announcing Have I Been Pwned, the website was conceived on his flight back from TechEd New Zealand 2013 and built overnight after he landed. Initially, its coverage was limited only to the Adobe breach, which had just been announced while Hunt was traveling, but he quickly expanded it to include other breaches as well.

How HaveIBeenPwned Works

Have I Been Pwned

Have I Been Pwned is one of many ways to help protect yourself online, and it's easy to use. Visit their website at www.haveibeenpwned.com and type your email address into the search box. It will then search the Have I Been Pwned database to see if there's a match.

Have I Been Pwned passwords

Aside from email addresses, Have I Been Pwned also allows you to check if your password information is among leaked data. Click the “Passwords” tab on the navigation bar. Next, enter the password you think may have been spread, and the system will check with their database.

Who's been pwned

You also get access to a list of all the significant data leaks companies have experienced. Click on the “Who's been pwned” tab on the navigation menu, and you'll see lists of organizations, the scope of the leak, and other information.

Have I Been Pwned Notify

Aside from active checks, Have I Been Pwned also provides a passive service. You can sign up for alerts. If you subscribe to updates from the site, you'll receive an email when new information about a data breach that affects you appears. These notifications aren't immediate, though. It is often a few days after the initial breach but usually before any personal information is made public.

Is Have I Been Pwned Legit and Safe?

It's legit. Hunt has worked with Google on the Password Alert extension for Chrome, which checks your passwords against Have I Been Pwned's database (Google uses this information anonymously). 

Using Have I Been Pwned also shouldn't compromise your security — the site doesn't store your password, and there are safety features in place to make sure bots or other malicious users don't compromise it.

What To Do If You've Been Pwned

If you're unlucky enough to have personal information leaked, it's not the end of the world. While it's impossible to do anything about your information once it's out there, there are actions you can take following a data breach to protect yourself from identity theft and other problems.

Change your passwords. Although Hunt doesn't believe in changing passwords after the face, I think this is still an excellent first step. Use a strong and unique password for each of your accounts so that one login can't unlock the rest of them. If this sounds like lots of work, consider using a Password Manager like NordPass or LastPass to keep track of things.

Increase your account security. Set up two-factor authentication (2FA) for all of your accounts. The way this works is that anytime you log in from a new device or location, you'll need an additional code to verify your identity. 2FA makes it much harder for hackers to break into your account.

Contact the affected service. Check the website of the company that suffered the breach for information. The company should post information about how you can find out if your specific data was leaked. It should also list what steps you need to take next. If the company's website doesn't offer any guidance, try reaching out to them on social media.

Watch for suspicious activity. Monitor financial statements and credit reports for any sudden changes or activity. If you see something you don't recognize, notify your bank immediately. There are also credit monitoring services available from reputable companies like Equifax, Experian and TransUnion.

Where Have I Been Pwned Get Its Information

Have I Been Pwned is based primarily on automated parsing of publicly searchable data dumps of breached accounts, as well as manual curation by Hunt of other public breaches that do not appear in the aforementioned sources. 

There are lots of different sources, but they're all breaches. His original source was the Anti Public Combo List, which was collated from various sources and published in December 2016. That one breached account provided more than 562 million unique email addresses and passwords.

Hunt has also used data from other sites, such as Exploit.in, which is a place people share their exploits and post links to data dumps and torrents of stolen information.

What Does Pwned Mean and How it is Related to HIBP?

The word pwned is a leetspeak slang term derived from the word owned. The first recorded use of “pwned” was in an online game called Warcraft, where a map designer misspelled “owned.” The expression spread from there and started being used as a synonym for owned.

Unlike its root word, pwned does not imply that someone has gained physical possession of something, but rather refers to dominating or humiliating an opponent. In online gaming, for instance, pwning refers to defeating someone in an embarrassingly one-sided manner (e.g., killing someone with a single shot).

In hacker culture, pwning can refer to compromising a computer system. For example, if you hack into someone's email account, you might say I just pwned John's email! If you're interested in leetspeak, there's a handy leetspeak translator you can try out. It's available for free.

Final Thoughts on Have I Been Pwned

Have I Been Pwned fills an important public service gap that governments and companies have been reluctant to address. If a company chooses to go public with a data breach, it could potentially be opening itself up to lawsuits from shareholders or customers who have been affected.

In most regions around the world, there are no laws that require companies to disclose information about a data breach to the public or even their customers. This can be particularly worrying for customers who may not realize that their personal details have been compromised and are then at risk of becoming victims of identity theft or fraud.

Timothy Shim

Tim is a former tech journalist turned web technology junkie. He spends his time exploring the best in digital privacy and security tools. Meanwhile, experiments with SEO continue to increase his blood pressure. ( Contact Tim on Linkedin )

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.