Guest Article: Have You Been PWNED?


With more people working from home, students accessing information online, and an increase in virtual meetings in recent weeks, it’s even more important to know about data breaches. The following guest article is written by Daniel Van Noord.

It seems like we hear about another data breach almost every day. Whether a company is targeted and hacked or simply leaves its database open to the world, our data is out there. If we knew which websites had leaked personal information, we would be able to take precautions like changing passwords and watching for fraudulent credit card transactions. Sadly, many of these breaches go unnoticed, or companies actively try to cover them up. Fortunately, there is one project that aims to responsibly collect and report on known data breaches.

Have I Been Pwned is a free service created by Troy Hunt, an independent security researcher, Microsoft Regional Director and Most Valuable Professional (awards given for value to the community), international speaker and author. He created Have I Been Pwned after the Adobe breach exposed 153 million usernames and passwords. The site was meant to be both a service to the public and a way to test modern web technologies. Even though many breaches are never discovered, the service contains more than 9.5 billion accounts that have been leaked.

So how does it work? It starts when Troy Hunt finds a new data breach, often through someone reaching out to him directly. Once he has the data, he works to find out where it is from and to validate it, as hackers often lie about where the data comes from. Once it is reasonably validated, he loads the emails into the Have I Been Pwned database. From there, end users can look up which data breaches contained their email. You can even sign up for notifications so you will know if your email shows up in a new breach. If you are a company or government, or simply have your own domain, you can sign up to be notified if any email addresses from your domain show up in a breach.

Let’s say you search the system and it doesn’t find any records. That’s great! You are not part of any known breaches. But you should still be careful and use a good, unique password for every online service. On the other hand, if your email does show up in a breach, there are a few steps you should follow. First, read the breach description. This will tell you what information leaked with the breach. If the breach was an email list or a spam list, your exposure is probably just your email address. If the breach contained passwords, you should change the password for that site and any sites that used the same password. Once again, it is best practice to use a strong, unique password on every site. If the breach contains credit card information, you can monitor your card for purchases you did not make. If the breach contained personal information like your social security number or financial information, you can freeze your credit reports or sign up for credit monitoring.

Beyond monitoring for leaks of personal data, now is a good time to think about who has your data and who needs your data. When you sign up for an online service, ask yourself if the value the service brings is worth risking the personal information they are asking for. If all they need is your email, this can be an easy choice. But a lot of online services make money by selling information, often for advertising purposes. They will ask for a lot more than they need. Remember that your information is only as safe as the least secure company that has it.

This is also a good time to consider some spring cleaning. Look at old online accounts that you no longer use and consider getting rid of them. Sign up for notifications on Have I Been Pwned so you know if you are part of a leak. Change any passwords that you reuse across different sites and consider using a password manager. And finally, stay safe online; we are all using the internet a lot more these days.

Daniel Van Noord is a Software Developer and System Administrator. In his free time he enjoys working on astronomy research projects and microcontrollers, and he is a general technology enthusiast. If you have any questions you’d like Daniel to consider for future articles, please send an email to [email protected].
