Have you heard of the website https://haveibeenpwned.com ?
Well you should have. Have I Been Pwned is a website created by security expert Troy Hunt that keeps track of data breaches and allows you to search and find ones that affect you. As I write this Troy Hunt has tracked 3,752,984,562 pwned accounts from 216 pwned websites.
What does “pwned” mean?
pwn means to compromise or control, specifically another computer (server or PC), website, gateway device, or application. (as defined on wikipedia)
Originally, pwn and its variants were pronounced /ˈoʊn/ in the same way as the verb own, the tail of the p being “silent”.
In terms of this site Troy Hunt defines it as:
A “breach” is an incident where a hacker illegally obtains data from a vulnerable system, usually by exploiting weaknesses in the software. All the data in the site comes from website breaches which have been made publicly available.
What can I do?
As an individual you can search for your email address in Have I Been Pwned, I am in 7 data breaches.
As a person responsible for an email domain you can search and find which of your users are in a data breach.
You can also sign up to get notified of any future data breaches you might get caught up in.
If you are in a data breach change your password. If you use the same password across multiple sites or services change them as well. Consider using a password manager so you can have unique complex passwords for every services you use and not have to worry about forgetting them.
If you look after a website or service then follow Troy Hunt. Think about security, is your site vulnerable to SQL injection, do you store passwords with reversible encryption?
How worried should I be?
Data breaches are happening more and more often. Its not showing any sign of slowing down, in fact I expect there to be lots more in the years to come. However there are things you can do to mitigate the damage of being in a breach.
- Use a password manager
- Don’t share passwords between sites
- Regularly change your passwords
- Think of passwords as pass phrases and include spaces between the different words
Consider what information a company has about you. How worried would you be if this became public knowledge? Consider if you want this online, weigh up the benefits etc
Comments