Have I Been Pwned?

From Wikipedia, the free encyclopedia

Have I Been Pwned?

Logo: an apostrophe, a semicolon and two hyphens, followed by the text "have i been pwned" and a question mark. The text is black and is surrounded by a black rectangular border with rounded corners.
Screenshot: the homepage of haveibeenpwned.com. The website features white text on blue and black backgrounds. Prominently centered is the site's logo in white. Below the logo is a search box labeled "email address or username" with a button beside it labeled "pwned?". Below the search box is a series of statistics about the size of the website's database, followed by a list of the top ten largest breaches.

Type of site: Internet security
Created by: Troy Hunt
Website: haveibeenpwned.com
Alexa rank: 19,628 (global, April 2018)
Commercial: No
Registration: Optional
Users: 2 million verified email subscribers[1]
Launched: 4 December 2013
Current status: Online

Have I Been Pwned? (HIBP) is a website that allows internet users to check if their personal data has been compromised by data breaches. The service collects and analyzes dozens of database dumps and pastes containing information about hundreds of millions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for internet users wishing to protect their own security and privacy.[2][3] Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

As of November 2017, Have I Been Pwned? receives around sixty thousand daily visitors; the site has over 1.7 million active email subscribers and contains records of over 4.8 billion accounts from over 251 data breaches.[4]

Features

The primary function of Have I Been Pwned? since it was launched is to provide the general public a means to check if their private information has been leaked or compromised. Visitors to the website can enter an email address, and see a list of all known data breaches with records tied to that email address. The website also provides details about each data breach, such as the backstory of the breach and what specific types of data were included in it.

Have I Been Pwned? also offers a "Notify me" service that allows visitors to subscribe to notifications about future breaches. Once someone signs up with this notification mailing service, they will receive an email message any time their personal information is found in a new data breach.

In September 2014, Hunt added functionality that enabled new data breaches to be automatically added to HIBP's database. The new feature used Dump Monitor, a Twitter bot which detects and broadcasts likely password dumps found on pastebin pastes, to automatically add new potential breaches in real-time. Data breaches often show up on pastebins before they are widely reported on; thus, monitoring this source allows consumers to be notified sooner if they've been compromised.[5]

Along with detailing which data breach events an email account has been affected by, the website also points those who appear in a database search to install a password manager, namely 1Password, which Troy Hunt has recently endorsed.[6] An explanation on his website[7] sets out his motives and maintains that monetary gain is not the goal of this partnership.

Pwned Passwords

In August 2017, Hunt made public 306 million passwords which could be accessed via a web search or downloadable in bulk.[8]

In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password has been leaked without fully disclosing the searched password.[9][10] This protocol was implemented as a public API in Hunt's service[11] and is now consumed by multiple websites and services, including password managers[12][13] and browser extensions.[14][15]

History

Launch

Portrait: Troy Hunt, the creator of Have I Been Pwned?

In late 2013, web security expert Troy Hunt was analyzing data breaches for trends and patterns. He realized breaches could greatly impact users who might not even be aware their data was compromised, and as a result, began developing HIBP. "Probably the main catalyst was Adobe," said Hunt of his motivation for starting the site, referring to the Adobe Systems security breach that affected 153 million accounts in October 2013.[16]

Hunt launched Have I Been Pwned? on 4 December 2013 with an announcement on his blog. At this time, the site had just five data breaches indexed: Adobe Systems, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures.[17] However, the site now had the functionality to easily add future breaches as soon as they were made public:

Now that I have a platform on which to build I'll be able to rapidly integrate future breaches and make them quickly searchable by people who may have been impacted. It's a bit of an unfair game at the moment – attackers and others wishing to use data breaches for malicious purposes can very quickly obtain and analyse the data but your average consumer has no feasible way of pulling gigabytes of gzipped accounts from a torrent and discovering whether they've been compromised or not.

— Troy Hunt[17]

Data breaches

Since its launch, the primary development focus of HIBP has been to add new data breaches as quickly as possible after they are leaked to the public.

In July 2015, online dating service Ashley Madison, known for encouraging users to have an extramarital affair, suffered a data breach, and the identities of more than 30 million users of the service were leaked to the public. The data breach received wide media coverage, presumably due to the large number of impacted users and the perceived shame of having an affair. According to Hunt, the breach's publicity resulted in a 57,000% increase in traffic to HIBP.[18] Following this breach, Hunt added functionality to HIBP by which breaches considered "sensitive" would not be publicly searchable, and would only be revealed to subscribers of the email notification system. This functionality was enabled for the Ashley Madison data, as well as for data from other potentially scandalous sites, such as Adult FriendFinder.[3]

In October 2015, Hunt was contacted by an anonymous source who provided him with a dump of 13.5 million users' email addresses and plaintext passwords, claiming it came from 000webhost, a free web hosting provider. Working with Thomas Fox-Brewster of Forbes, he verified that the dump was most likely legitimate by testing email addresses from it and by confirming sensitive information with several 000webhost customers. Hunt and Fox-Brewster attempted many times to contact 000webhost to further confirm the authenticity of the breach, but were unable to get a response. On 29 October 2015, following a reset of all passwords and the publication of Fox-Brewster's article about the breach, 000webhost announced the data breach via their Facebook page.[19][20]

In early November 2015, two breaches of gambling payment providers Neteller and Skrill were confirmed to be legitimate by the Paysafe Group, the parent company of both providers. The data included 3.6 million records from Neteller obtained in 2009 using an exploit in Joomla, and 4.2 million records from Skrill (then known as Moneybookers) that leaked in 2010 after a virtual private network was compromised. The combined 7.8 million records were added to HIBP's database.[21]

Later that month, electronic toy maker VTech was hacked, and an anonymous source privately provided a database containing nearly five million parents' records to HIBP. According to Hunt, this was the fourth largest consumer privacy breach to date.[22]

In May 2016, an unprecedented series of very large data breaches that dated back several years were all released in a short timespan. These breaches included 360 million Myspace accounts from circa 2009, 164 million LinkedIn accounts from 2012, 65 million Tumblr accounts from early 2013, and 40 million accounts from adult dating service Fling.com. These datasets were all put up for sale by an anonymous hacker named "peace_of_mind", and were shortly thereafter provided to Hunt to be included in HIBP.[23] In June 2016, an additional "mega breach" of 171 million accounts from Russian social network VK was added to HIBP's database.[24]

In August 2017, BBC News featured Have I Been Pwned? in its coverage of Hunt's discovery of a spamming operation that had been drawing on a list of 711.5 million email addresses.[25]

Branding

The name "Have I Been Pwned?" is based on the script kiddie jargon term "pwn", which means "to compromise or take control, specifically of another computer or application."

HIBP's logo includes the text ';--, a common SQL injection attack string. An attacker trying to take control of a website's database might submit such a string so that the site's own query code runs it as SQL rather than treating it as data. Injection attacks are one of the most common vectors by which a database breach can occur; they are ranked #1 on the OWASP Top 10 list of web application vulnerabilities.[26]
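What that string does to a naively built query, and why a bound parameter neutralises it, as an added example that is not part of this article. The table, the rows and the function names are constructed for illustration; the database is an in-memory SQLite instance:

```python
import sqlite3
from typing import List

INJECTION_STRING = "';--"  # the fragment that appears in the HIBP logo


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table: one active account and one disabled one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, active) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable: untrusted input is spliced into the SQL text. A quote closes
    the string literal, ';' ends the statement and '--' comments out whatever
    follows, so the 'AND active = 1' condition silently disappears."""
    sql = f"SELECT username FROM users WHERE username = '{username}' AND active = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened: a bound parameter is always passed to the engine as data, so
    the same input is compared literally against the username column."""
    sql = "SELECT username FROM users WHERE username = ? AND active = 1"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "bob" + INJECTION_STRING
    print("vulnerable:", lookup_vulnerable(conn, probe))  # disabled account returned
    print("safe:      ", lookup_safe(conn, probe))        # no match
```

The vulnerable lookup returns the disabled account because the rest of the WHERE clause was commented away; the parameterised lookup returns nothing because no username equals the literal string. Parameterised queries (or an ORM that uses them) are the standard mitigation, and a query-log alert on comment sequences or unbalanced quotes in user-supplied values is a cheap detection to pair with it.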


References

  1. "We're Baking Have I Been Pwned into Firefox and 1Password". troyhunt.com. 25 June 2018.
  2. Seltzer, Larry (5 December 2013). "How to find out if your password has been stolen". ZDNet. Retrieved 18 March 2016.
  3. Price, Rob (20 August 2015). "HaveIBeenPwned.com lets you see if you're in the Ashley Madison hack leak". Business Insider. Retrieved 18 March 2016.
  4. Hunt, Troy (16 November 2017). "HIBP site stats update, direct from the site owner, via Twitter". Troy Hunt. Retrieved 16 November 2017.
  5. O'Neill, Patrick Howell (16 September 2014). "How to find out if you've been hacked in under a minute". The Daily Dot. Retrieved 20 May 2016.
  6. "Finding Pwned Passwords with 1Password". AgileBits Blog. agilebits.com. 22 February 2018.
  7. "Have I Been Pwned is Now Partnering With 1Password". troyhunt.com. 29 March 2018.
  8. "Need a new password? Don't choose one of these 306 million". Engadget. Retrieved 29 May 2018.
  9. "Find out if your password has been pwned—without sending it to a server". Ars Technica. Retrieved 24 May 2018.
  10. "1Password bolts on a 'pwned password' check". TechCrunch. Retrieved 24 May 2018.
  11. "How to find out if your password has been leaked by hackers with this simple Google Chrome trick". The Sun. 24 May 2018. Retrieved 24 May 2018.
  12. "1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online". Retrieved 24 May 2018.
  13. Conger, Kate. "1Password Helps You Find Out if Your Password Is Pwned". Gizmodo. Retrieved 24 May 2018.
  14. Condon, Stephanie. "Okta offers free multi-factor authentication with new product, One App". ZDNet. Retrieved 24 May 2018.
  15. Coren, Michael J. "The world's biggest database of hacked passwords is now a Chrome extension that checks yours automatically". Quartz. Retrieved 24 May 2018.
  16. Cox, Joseph (10 March 2016). "The Rise of 'Have I Been Pwned?', an Invaluable Resource in the Hacking Age". Vice. Retrieved 18 March 2016.
  17. Cluley, Graham (5 December 2013). "Check if you're the victim of a data breach with 'Have I Been Pwned?'". grahamcluley.com. Retrieved 20 May 2016.
  18. Rash, Wayne (28 May 2016). "How Troy Hunt Is Alerting Web Users Ensnared in Huge Data Breaches". eWeek. Retrieved 15 June 2016.
  19. Fox-Brewster, Thomas (28 October 2015). "13 Million Passwords Appear To Have Leaked From This Free Web Host - UPDATED". Forbes. Retrieved 20 May 2016.
  20. 000webhost (29 October 2015). "We have witnessed a database breach on our main server". Facebook. Retrieved 20 May 2016.
  21. Fox-Brewster, Thomas (30 November 2015). "Gambling Darling Paysafe Confirms 7.8 Million Customers Hit In Epic Old Hacks". Forbes. Retrieved 20 May 2016.
  22. Franceschi-Bicchierai, Lorenzo (27 November 2015). "One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids". Vice. Retrieved 31 March 2016.
  23. Storm, Darlene (30 May 2016). "Pwned: 65 million Tumblr accounts, 40 million from Fling, 360 million from MySpace". Computerworld. Retrieved 15 June 2016.
  24. Whittaker, Zack (10 June 2016). "More "mega breaches" to come, as rival hackers vie for sales". ZDNet. Retrieved 15 June 2016.
  25. Kelion, Leo (30 August 2017). "Giant spambot scooped up 711 million email addresses". BBC News. Retrieved 30 August 2017.
  26. "Top 10 2013-Top 10". OWASP. Retrieved 20 May 2016.
