haveibeenpwned.com
Data breaches are rampant, and many people don't appreciate the scale or frequency with which they occur. A "breach" is an incident in which data is exposed from a vulnerable system, usually because of insufficient access controls or security weaknesses in the software.
How is the legitimacy of a data breach established?
Attackers often announce "breaches" that later turn out to be hoaxes. There is a balance to strike between making the data searchable as soon as possible and doing the due diligence to confirm that the breach is real. To verify a breach, the following questions are normally asked:
- Has the affected provider made a public statement about the breach?
- Does the data show up in a Google search, i.e. was it simply copied from an earlier, already public source?
- Is the structure of the data consistent with what you would expect from the breached system?
- Have the attackers provided enough evidence to support the claimed attack vector?
- Do the attackers have a track record of publishing genuine breaches, or of fabricating them?
The good news is that there is a website that can tell you whether your email address has been exposed in a data breach. It was created by Troy Hunt, a Microsoft Regional Director and blogger. He is also a Microsoft MVP and the author of many top-rated security courses for web developers on Pluralsight.
The site came about after what was, at the time, the largest ever single breach of customer accounts: the Adobe breach. Hunt had often performed post-breach analysis of leaked credentials and repeatedly found the same accounts exposed, often with the same passwords, which put the victims at risk of having their other accounts taken over as well. All of the data on the site comes from breaches in which information was exposed to people who should never have had access to it.
He built HIBP (Have I Been Pwned) as a free resource so that anyone can easily find out whether an online account has been compromised, or "pwned", in a data breach and is therefore at risk. He made it as simple to use and as free as possible so that it could help the community as much as possible. Aggregating the data in one place not only lets victims learn that their accounts were compromised, it also shows the scale of the risk that breaches pose on today's internet.
So How Do You Check For Pwnage?
It is as easy as typing your email address or phone number (in international format) into the search box on HIBP and pressing Enter or the "pwned?" button. Below is an example using my own email address, which has been pwned before. For security reasons, I have blurred out the address.
If your email address has been pwned, the result appears on a reddish background, as shown above, together with the number of breaches it appears in. It also lists the companies or sites from which your data was leaked and the kinds of data that were exposed in each, for example biography, IP address, gender, contacts and many more. The site also suggests measures you can take if your email address has been compromised.
If your email address has never appeared in a breach, the background of the search result is green. Consider the image below.
What To Do if Your Email Address Has Been Compromised.
1. Change Your Password.
A strong, secure password ideally:
- Is at least 12 characters long. The longer your password is, the better.
- Uses uppercase and lowercase letters, numbers and special symbols. Passwords that mix character classes are harder to crack.
- Doesn't contain memorable keyboard paths (such as "qwerty" or "12345").
- Is not based on your personal information.
- Is unique to each account you have, so that one breach cannot be used to take over your other accounts.
This is not easy to remember, especially when every account has a different password. The way around it is a trustworthy password manager. There are several on the internet; among the best known are 1password.com and NordPass. I recommend doing your own research before signing up with any password manager.
Here are some good examples of strong passwords:
- X5j13$#eCM1cG@Kdc
- %j8kr^Zfpr!Kf#ZjnGb$
- PkxgbEM%@hdBnub4T
- vUUN7E@!2v5TtJSyZ
They all consist of a seemingly random and long (more than 15 characters) mix of uppercase and lowercase letters, numbers and special characters. They are not generic, and they contain no memorable keyboard paths or personal information that an attacker could use. Because they have been published here, do not use these exact strings; treat them only as a pattern.
If you are not sure how to create a long password, don't stress. Just use a password generator. It is a quick and easy way to get a unique, strong password: the generator produces a sequence of random characters, which you copy and use as the password for your device, email, social media account or anything else that requires private access.
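The password rules above and the generator recommended in the last paragraph, as an added example (my own code, not part of the original article or of HIBP): `check_password` returns the list of rules a candidate fails, and `generate_password` draws characters from the `secrets` CSPRNG and retries until a candidate passes every rule. The keyboard rows used for the "keyboard path" check, the four-key run length, the minimum length of 12 and the sample personal-information tokens are assumptions of this example.

```python
import secrets
import string

MIN_LENGTH = 12  # the article's minimum; longer is better

# Rows and runs treated as "memorable keyboard paths" (an assumption of this
# example; extend with other layouts as needed). Reversed runs are checked too.
KEYBOARD_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                      "abcdefghijklmnopqrstuvwxyz"]
PATH_RUN = 4  # four consecutive keys (e.g. "qwer", "4321") is enough to fail

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def has_keyboard_path(password: str, run: int = PATH_RUN) -> bool:
    """True if `run` consecutive keys of a known row or sequence appear in the password."""
    low = password.lower()
    for seq in KEYBOARD_SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(password: str, personal=(), existing=()) -> list:
    """Return the rules the password fails (an empty list means it passes).

    `personal` holds strings an attacker could guess about you (name, birth
    year, pet); `existing` holds passwords already in use on other accounts.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if not all(classes):
        problems.append("missing character class")
    if has_keyboard_path(password):
        problems.append("contains keyboard path")
    low = password.lower()
    if any(len(t) >= 3 and t.lower() in low for t in personal):
        problems.append("contains personal information")
    if password in existing:
        problems.append("reused password")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw characters with the `secrets` CSPRNG; retry until every rule passes."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed inputs: one of the article's sample passwords and two weak ones.
    for pw in ("X5j13$#eCM1cG@Kdc", "Qwerty1234!xyz", "Alice1990!!xyzQ"):
        print(pw, check_password(pw, personal=("Alice", "1990")) or "ok")
    print("generated:", generate_password())
```

The retry loop in `generate_password` is what guarantees the last two rules by construction: a random 20-character string almost never contains a keyboard run, and because every call draws fresh randomness, no two accounts end up with the same password.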
2. Enable two-factor authentication on your email account.
Even if someone does manage to steal your password, you can still stop them from getting into your account by adding a second layer of security with two-factor authentication (2FA). Anyone trying to log in must then supply a second piece of information after the correct password, usually a one-time code delivered directly to you.
Sometimes this code is sent by text message, but that is not the most secure way to receive it: an attacker can take over your mobile number through SIM-swap fraud and intercept the verification code.
It is much safer to use an authenticator app instead. The code is computed on your device from a shared secret and the current time, so there is nothing in transit to intercept. Good choices include:
- Google Authenticator
- Microsoft Authenticator
- Authy
HIBP also lists every company or website whose data it has loaded. The list is on the "Who's been pwned" tab of the website.
You can also sign up to be notified when your address turns up in a future breach. This is done on the "Notify me" tab.
HIBP can also tell you whether a password itself has appeared in a breach, through its Pwned Passwords service. You do not send the password to the site: the check sends only the first five characters of the password's SHA-1 hash and compares the rest locally (k-anonymity). A password that has been exposed is unsuitable for further use, even on a different site, because attackers feed these lists into credential-stuffing and dictionary attacks.
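How the Pwned Passwords check works, as an added example (my own code, not the article's and not HIBP's own client): hash the password with SHA-1, send only the five-character hex prefix to the range endpoint, and match the 35-character suffix against the `SUFFIX:COUNT` lines that come back. The endpoint, the prefix length, the response format and the `Add-Padding` header are the service's documented behaviour; the sample response below is constructed for the prefix of the password "password", and its counts are illustrative, not real figures.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns for prefix "5BAA6"
# (the SHA-1 prefix of "password"). Counts are made up for this example; the
# entry with count 0 mimics the padding rows the service adds when asked to.
SAMPLE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0AF8F5A1B5F51C50AC0B50A2F0B5B6C1A23:0
"""


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split it into the 5-hex-char prefix sent to HIBP
    and the 35-char suffix that never leaves this machine."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def parse_range(response_text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding rows (count 0)."""
    counts = {}
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count.strip() or 0)
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def breach_count(password: str, response_text: str) -> int:
    """Number of times the password appears in breaches, given the range response
    for its own prefix (0 if absent)."""
    _, suffix = split_hash(password)
    return parse_range(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network): ask for padding so response size leaks nothing about the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_online(password: str) -> int:
    """End-to-end check against the real service; only the prefix is transmitted."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print("sent to HIBP:", prefix, " kept local:", suffix)
    print("count in constructed sample:", breach_count("password", SAMPLE_RESPONSE))
    # print("count from the live API:", check_online("password"))
```

Because the server only ever sees a five-character prefix shared by hundreds of other hashes, it cannot tell which password was checked; the comparison against the suffix happens entirely in `parse_range`/`breach_count` on the client.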
Last but not least, you can browse the most recent breaches and the largest breaches; both lists are at the bottom of the home page. Leave a comment below if you have any questions or just enjoyed the article. I would love to hear from you.
Awesome
Keep going girl
Appreciated
Very informative
This is some good knowledge I am getting from this
Happy to know!!! Share it with your friends so they can also be in the know.