
Has Your Password Been Hacked in a Data Breach? Troy Hunt Can Help You Find Out

by M.J. Kelly
As more of our important personal information is stored online behind password-protected accounts, news about data breaches sends us scrambling to find out if our passwords were hacked. One of the best places to find out is Troy Hunt’s website, www.haveibeenpwned.com, where anyone can input their email address to learn if it has been compromised.
Hunt, an Australian information security expert, has spent thousands of hours studying data breaches to understand what happened and who was at risk.
“I kept finding the same accounts exposed over and over again, often with the same passwords, which then put the victims at further risk of their other accounts being compromised,” Hunt said.
He became concerned that everyday people were unaware of how big the problem was. In 2013 when an Adobe customer account breach put more than 150 million user names, email addresses, passwords and password hints at risk, Hunt launched his site. He runs it on a “shoestring budget” out of his own pocket, and his approach has been to keep it simple and keep it free.
Business, unfortunately, has never been better.
“Data breaches have increased dramatically since I started, both in terms of frequency of the incidents and the scale as well.”
He points to a handful of reasons. To start, people have more devices connected to the Internet every year, from phones to refrigerators to teddy bears. With more connected devices and more accounts created with them, more data is being collected.
“The cloud is another thing that has exacerbated the whole problem because as awesome as it is for many things, it also makes it very cheap to stand up services, so we’re seeing more services [with logins],” he said. “It’s also very cheap to store data, so we see organizations hoarding information. Companies like to have as much data as they can so they can market to people.”
We’re also entering the digital native era, a time when more people are online who have never known a time when it was different.
“Their propensity for sharing information and their sensitivity toward their personal privacy is all very different than it is for those of us who reached adulthood before we had the Internet,” he said.
All of this adds up to more information out there from a lot more sources. And not every company is doing a stellar job of protecting that information or destroying it when it’s no longer needed, which makes it vulnerable.
“The reason we have these headlines everyday is because clearly we’re not taking security seriously enough,” Hunt said. “The really big stuff — like your Twitter and your Facebook — is very solid these days, and the vast volume of our Internet behavior is on sites that have done a very good job. The problem is when you get to middle or lower tier sites where you’ve got a lot less funding, and you don’t have dedicated security teams.”
“Pwned,” which rhymes with “owned,” is a slang term meaning your account has been utterly defeated, cracked and, yes, owned. Shortly after his site’s launch, Hunt added a feature where one can sign up to be notified if their email address turns up in future data leaks. In February 2017, he hit one million subscribers. When Hunt started, he poked around in forums, dark web sites and even public web sites to find leaked data. What he discovered was fascinating.
“There is this whole scene where people share data breaches,” he said. “It’s very often kids, young males, teenagers, who are hoarding data. They collect as much as they can, and they exchange it like they would baseball cards. Except unlike with baseball cards, when you exchange data, you still have the original as well.”
Sometimes data is also sold. When the LinkedIn data breach occurred, it was traded for five bitcoins, or several thousand U.S. dollars at the time. Hunt says the data is not typically used to break into the account from which it was hacked. Rather, it’s used in an attempt to break into other accounts, such as your bank or your email, access to which is often the easiest way into still more accounts. If you reuse passwords, you’re putting yourself at risk.
Today, people get in touch with Hunt when they come across a data breach.
“Fortunately I have a reliable trustworthy network that sends me information and makes it a lot easier to maintain the service. It would be very hard for me to go out and source all of this myself.”
Hunt takes great care when he learns of a data breach. His first step is to determine if it’s legitimate.
“A lot of the stuff out there is fake,” he said. “For example there’s a lot of news at the moment about Spotify accounts, and these Spotify accounts are just reused names and passwords from other places. They weren’t hacked out of Spotify.”
Once that box is checked, he reaches out to the company to alert them, which he says is a surprising challenge. Though he works hard to responsibly disclose the breaches to the companies affected, he has many stories of companies that ignore alerts that their customer data has been compromised. Finally, he loads the email addresses onto his site alongside those from MySpace, Xbox 360, Badoo, Adobe, Elance and many more.
Hunt also gives talks about information security to audiences around the world with the goal of getting more businesses and developers to approach projects with a defensive mentality. One of his sessions is a “Hack yourself first” workshop that shows developers how to break into their own work, giving them an opportunity to see offensive techniques first-hand.
“There’s like a lightbulb that goes off when people do get first-hand experience with that,” he said. “It’s enormously powerful as a way of learning.”

At Mozilla, we believe cybersecurity is a shared responsibility, and your actions help make the Internet a safer, healthier place.

Be smart about your logins

As an Internet citizen, there are a few fundamental things you can do to boost your account security online:
  1. Use unique passwords.
  2. Since it’s difficult to remember so many unique passwords, use a password manager.
  3. Use multi-step verification.
Check out Mozilla’s Guide to Safer Logins, which covers these tips in more depth.
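The password-reuse risk Hunt describes is something a site can screen for at registration: compare the candidate password against known-breached passwords without ever receiving the full password or its full hash. The following is an added example, not code from Hunt's service or from Mozilla; the breach corpus and its counts are constructed, and the 5-character SHA-1 prefix lookup is an assumed design for the demonstration.

```python
import hashlib

# Constructed sample of passwords seen in leaked data sets, with made-up
# occurrence counts. A real corpus would hold hundreds of millions of entries.
_BREACHED_PLAINTEXTS = {"password": 3730471, "123456": 23597311, "letmein": 235000}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach corpora are usually keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts: dict) -> dict:
    """Index digests as {5-hex-char prefix: {35-char suffix: count}} so a lookup
    by prefix returns a bucket of candidates rather than a single answer."""
    index: dict = {}
    for pw, count in plaintexts.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


BREACH_INDEX = build_range_index(_BREACHED_PLAINTEXTS)


def range_lookup(prefix: str) -> dict:
    """Server side of the check: it only ever sees the 5-char prefix and returns
    every suffix in that bucket, so it cannot tell which password was queried."""
    return BREACH_INDEX.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = sha1_upper(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def password_acceptable(password: str, min_len: int = 12) -> bool:
    """Registration policy: reject short passwords and anything already breached."""
    if len(password) < min_len:
        return False
    return breach_count(password) == 0
```

Because the server answers with the whole prefix bucket, the check works even when the lookup service is operated by a third party that should not learn users' passwords.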

Update your software

It’s all too easy to ignore software update alerts on your phone and computer, but your cybersecurity may depend on them. Updating to the latest security software, browser and operating system provides an important defense against viruses, malware and other online threats like the recent WannaCry ransomware attack.

Use Lean Data Practices

As a business or developer that handles data, you should always be working to create a more trusted relationship with your users around their data. Building trust with your users around their data doesn’t have to be complicated. But it does mean that you need to think about user privacy and security in every aspect of your product. Lean Data Practices are simple, and even come with a toolkit to make them easy to implement:
  1. Stay lean by focusing on data you need,
  2. Build in security appropriate to the data you have and
  3. Engage your users to help them understand how you use their data.
