Have I Been Pwned on:
[Wikipedia]
[Google]
[Amazon]
Have I Been Pwned? (HIBP; stylized in all lowercase as "‘;--have i been pwned?") is a website that allows Internet users to check whether their personal data has been compromised by
In late 2013, web security expert Troy Hunt was analyzing data breaches for trends and patterns.
He realized breaches could greatly impact users who might not even be aware their data was compromised, and as a result, began developing HIBP.
"Probably the main catalyst was Adobe," said Hunt of his motivation for starting the site, referring to the
Have I Been Pwned? announcement blog post
on troyhunt.com Internet security Database security 2013 establishments in Australia Technology websites English-language websites Australian websites
data breach
A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".
Attackers have a variety of motives, from financial gain to political activism, political repression, and espionage. There ...
es. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt
Troy Adam Hunt is an Australian web security consultant known for public education and outreach on security topics. He created and operates Have I Been Pwned?, a data breach search website that allows users to see if their personal informati ...
on 4 December 2013.
, Have I Been Pwned? averages around one hundred and sixty thousand daily visitors, the site has nearly three million active email subscribers and contains records of almost eight billion accounts.
Features
The primary function of Have I Been Pwned? since it was launched is to provide the general public with a means to check if their private information has been leaked or compromised. The service collects and analyzes hundreds ofdatabase dump
A database dump contains a record of the table structure and/or the data from a database and is usually in the form of a list of SQL statements ("SQL dump"). A database dump is most often used for backing up a database so that its contents can ...
s and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address.
Users can also sign up to be notified if their email address appears in future dumps.
Usage of Dump Monitor
In September 2014, Hunt added functionality that enabled new data breaches to be automatically added to HIBP's database. The new feature used Dump Monitor, aTwitter
Twitter, officially known as X since 2023, is an American microblogging and social networking service. It is one of the world's largest social media platforms and one of the most-visited websites. Users can share short text messages, image ...
bot which detects and broadcasts likely password dumps found on pastebin
A pastebin or text storage site is a type of online content-hosting service where users can store plain text (e.g. source code snippets for code review via Internet Relay Chat (IRC)). The most famous pastebin is the eponymous pastebin.com. Ot ...
pastes, to automatically add new potential breaches in real-time.
Data breaches often show up on pastebins before they are widely reported on; thus, monitoring this source allows consumers to be notified sooner if they've been compromised.
Endorsement of 1Password
Along with detailing which data breach events the email account has been affected by, the website also points those who appear in their database search to install1Password
1Password is a password manager developed by the Canadian software company AgileBits Inc. It supports multiple platforms such as iOS, Android, Windows, Linux, and macOS. It provides a place for users to store various passwords, software licenses ...
, a password manager which Troy Hunt has recently endorsed.
An online explanation on his website explains his motives.
Pwned passwords
In August 2017, Hunt made public 306 million passwords which could be accessed via a web search or downloadable in bulk. In February 2018, British computer scientist Junade Ali created a communication protocol (using ''k''-anonymity and cryptographic hashing) to anonymously verify if a password was leaked without fully disclosing the searched password. This protocol was implemented as a public API in Hunt's service and is now consumed by multiple websites and services includingpassword manager
A password manager is a software program to prevent password fatigue by Random password generator, automatically generating, Autofill, autofilling and storing Password, passwords. It can do this for Application software, local applications or web ...
s and browser extension
A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and st ...
s.
This approach was later replicated by Google
Google LLC (, ) is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial ...
's Password Checkup feature.
Ali worked with academics at Cornell University
Cornell University is a Private university, private Ivy League research university based in Ithaca, New York, United States. The university was co-founded by American philanthropist Ezra Cornell and historian and educator Andrew Dickson W ...
to formally analyse the protocol to identify limitations and develop two new versions of this protocol known as ''Frequency Size Bucketization'' and ''Identifier Based Bucketization''.
In March 2020, cryptographic padding was added to this protocol.
History
Launch
In late 2013, web security expert Troy Hunt was analyzing data breaches for trends and patterns.
He realized breaches could greatly impact users who might not even be aware their data was compromised, and as a result, began developing HIBP.
"Probably the main catalyst was Adobe," said Hunt of his motivation for starting the site, referring to the Adobe Systems security breach
Adobe Inc. ( ), formerly Adobe Systems Incorporated, is an American computer software company based in San Jose, California. It offers a wide range of programs from web design tools, photo manipulation and vector creation, through to video/audi ...
that affected 153 million accounts in October 2013.
Hunt launched Have I Been Pwned? on 4 December 2013 with an announcement on his blog. At that time, the site had just five data breaches indexed: Adobe Systems, Stratfor
Strategic Forecasting Inc., commonly known as Stratfor, is an American strategic intelligence publishing company founded in 1996. Stratfor's business model is to provide individual and enterprise subscriptions to Stratfor Worldview, its online p ...
, Gawker
''Gawker'' was an American blog founded by Nick Denton and Elizabeth Spiers that was based in New York City and focused on celebrities and the media industry. According to SimilarWeb, the site had over 23 million visits per month in 2015. Fo ...
, Yahoo! Voices
Yahoo! Voices, formerly Associated Content (AC), was a division of Yahoo! that focused on online publishing. Yahoo! Voices distributed a large variety of writing through its website and content partners, including Yahoo! News. In early December ...
, and Sony Pictures.
However, the site now had the functionality to easily add future breaches as soon as they were made public. Hunt wrote:
Unsuccessful effort to sell
Midway through June 2019, Hunt announced plans to sell Have I Been Pwned? to a yet to be determined organisation. In his blog, he outlined his wishes to reduce personal stress and expand the site beyond what he was able to accomplish himself. As of the release of the blog post, he was working with KPMG to find companies he deemed suitable which were interested in the acquisition. However, in March 2020, he announced on his blog that HIBP would remain independent for the foreseeable future.Open-sourcing
On August 7, 2020, Hunt announced on his blog his intention to open-source the Have I Been Pwned? codebase. Hunt started publishing some code on May 28, 2021.Branding
The name "Have I Been Pwned?" uses the hacker jargon term "pwn
Leet (or "1337"), also known as eleet or leetspeak, or simply hacker speech, is a system of modified spellings used primarily on the Internet. It often uses character replacements in ways that play on the similarity of their glyphs via refle ...
", which means "to gain unauthorized access to or compromise" a computer system.
HIBP's logo includes the text ';--, which is a common SQL injection
In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injec ...
attack string. A hacker trying to take control of a website's database might use such an attack string to manipulate a website into running malicious code.
Injection attacks are one of the most common vectors by which a database breach can occur; they are the top most common web application vulnerability on the OWASP
The Open Worldwide Application Security Project (formerly Open Web Application Security Project) (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of Io ...
Top 10 list.
Data breaches
Since its launch, the primary development focus of HIBP has been to add new data breaches as quickly as possible after they are leaked to the public.Ashley Madison
In July 2015, online dating serviceAshley Madison
Ashley Madison, or The Ashley Madison Agency, is a Canadian-French online dating service and social networking service. It was launched in 2002 and marketed to people who are married (or people in relationships) who are looking for affairs. T ...
, known for encouraging users to have extramarital affair
An affair is a relationship typically between two people, one or both of whom are either married or in a long-term Monogamy, monogamous or emotionally-exclusive relationship with someone else. The affair can be solely sexual, solely physical or ...
s, suffered a data breach, and the identities of more than 30 million users of the service were leaked to the public.
The data breach received wide media coverage, presumably due to the large number of impacted users and the perceived shame of having an affair.
According to Hunt, the breach's publicity resulted in a 57,000% increase in traffic to HIBP.
Following this breach, Hunt added functionality to HIBP by which breaches considered "sensitive" would not be publicly searchable, and would only be revealed to subscribers of the email notification system.
This functionality was enabled for the Ashley Madison data, as well as for data from other potentially scandalous sites, such as Adult FriendFinder
Adult FriendFinder (AFF) is an internet-based, adult-oriented social networking service, online dating service and swinger personals community website, founded by Andrew Conru in 1996.
In 2007 AFF was one of the 100 most popular sites in the Un ...
.
000webhost
In October 2015, Hunt was contacted by an anonymous source who provided him with a dump of 13.5 million users' email addresses and plaintext passwords, claiming it came from 000webhost, a freeweb hosting
A web hosting service is a type of Internet hosting service that hosts websites for clients, i.e. it offers the facilities required for them to create and maintain a site and makes it accessible on the World Wide Web. Companies providing web ho ...
provider.
Working with Thomas Fox-Brewster of ''Forbes
''Forbes'' () is an American business magazine founded by B. C. Forbes in 1917. It has been owned by the Hong Kong–based investment group Integrated Whale Media Investments since 2014. Its chairman and editor-in-chief is Steve Forbes. The co ...
'', he verified that the dump was most likely genuine by testing email addresses from it and by confirming sensitive information with several 000webhost customers.
Hunt and Fox-Brewster attempted many times to contact 000webhost to further confirm the authenticity of the breach, but were unable to get a response.
On 29 October 2015, following a reset of all passwords and the publication of Fox-Brewster's article about the breach, 000webhost announced the data breach via their Facebook
Facebook is a social media and social networking service owned by the American technology conglomerate Meta Platforms, Meta. Created in 2004 by Mark Zuckerberg with four other Harvard College students and roommates, Eduardo Saverin, Andre ...
page.
Paysafe Group
In early November 2015, two breaches of gambling payment providers Neteller and Skrill were confirmed to be genuine by thePaysafe Group
Paysafe Limited (formerly known as Optimal Payments PLC) is a multinational online payments company. Paysafe offers payment processing, digital wallet and online cash systems to businesses and consumers, with particular experience of serving t ...
, the parent company of both providers.
The data included 3.6 million records from Neteller obtained in 2009 using an exploit in Joomla
Joomla (), also styled Joomla! (with an exclamation mark) and sometimes abbreviated as J!, is a free and open-source content management system (CMS) for publishing web content on websites. Web content applications include discussion forums, p ...
, and 4.2 million records from Skrill (then known as Moneybookers) that leaked in 2010 after a virtual private network
Virtual private network (VPN) is a network architecture for virtually extending a private network (i.e. any computer network which is not the public Internet) across one or multiple other networks which are either untrusted (as they are not con ...
was compromised.
The combined 7.8 million records were added to HIBP's database.
VTech
Later that month, electronic toy maker VTech was hacked, and an anonymous source privately provided a database containing nearly five million parents' records to HIBP. According to Hunt, this was the fourth largestconsumer privacy
Consumer privacy is information privacy as it relates to the consumers of products and services.
A variety of social, legal and political issues arise from the interaction of the public's potential expectation of privacy and the collection and d ...
breach to date.
Miscellaneous
In May 2016, an unprecedented series of very large data breaches that dated back several years were all released in a short timespan. These breaches included: # 360 millionMyspace
Myspace (formerly stylized as MySpace, currently myspace; and sometimes my␣, with an elongated Whitespace character#Substitute images, open box symbol) is a social networking service based in the United States. Launched on August 1, 2003, it w ...
accounts from circa 2009
# 164 million LinkedIn
LinkedIn () is an American business and employment-oriented Social networking service, social network. It was launched on May 5, 2003 by Reid Hoffman and Eric Ly. Since December 2016, LinkedIn has been a wholly owned subsidiary of Microsoft. ...
accounts from 2012
# 65 million Tumblr
Tumblr (pronounced "tumbler") is a microblogging and Social networking service, social networking website founded by David Karp in 2007 and is owned by American company Automattic. The service allows users to post multimedia and other content ...
accounts from early 2013
# 40 million accounts from adult dating service Fling.com
These datasets were all put up for sale by an anonymous hacker named "peace_of_mind", and were shortly thereafter provided to Hunt to be included in HIBP.
In June 2016, an additional "mega breach" of 171 million accounts from Russian social network VK was added to HIBP's database.
In August 2017, BBC News
BBC News is an operational business division of the British Broadcasting Corporation (BBC) responsible for the gathering and broadcasting of news and current affairs in the UK and around the world. The department is the world's largest broad ...
featured Have I Been Pwned? on Hunt's discovery of a spamming operation that has been drawing on a list of 711.5 million email addresses.
See also
* Mozilla Monitor *Database security
Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as tech ...
Notes
References
External links
* {{Official website, https://haveibeenpwned.comHave I Been Pwned? announcement blog post
on troyhunt.com Internet security Database security 2013 establishments in Australia Technology websites English-language websites Australian websites