';--have i been pwned?

There is a well known “white-hat” web site called “';--have i been pwned?” which :-

  1. Publicises large data breaches of personal information.
  2. Collects data breaches looking for compromised accounts.
  3. Allows people to check if their own account has been compromised.
  4. Sends domain owners (if you have signed up) notifications of relevant data breaches.

It should be emphasised that this is not a malicious site – it is providing a service to the community. If you check that site for your UoP email address (and it is more than a year or two old), you will almost certainly find out it is listed. For example, my “account” was leaked in the following breaches :-

  1. Anti Public Combo List
  2. Apollo
  3. Collection #1
  4. Data Enrichment Exposure From PDL Customer
  5. Dropbox
  6. Kayo.moe Credential Stuffing List
  7. LinkedIn
  8. Onliner Spambot
  9. Trik Spam Botnet
  10. Verifications.io

It should be noted that my email address is over 25 years old and I do sign up to lots of strange services “out there”. So this list might be slightly longer than average.

If your “account” is compromised, don’t panic. And it isn’t your fault. There are actions you should look at doing to reduce your risk … which we’ll get to.

My Account Is Leaked!?‽

If we take one example from the list above – Dropbox – in that case, Dropbox itself was broken into and the account details of Dropbox users were obtained by an attacker. So your Dropbox account was compromised; hopefully you were notified at the time and had to change your Dropbox password.

This does not mean that your UoP account is at risk if you do not use the same password here.

If you have a perfect personal security score (and very few of us do), that’s all. However if you use the password for your Dropbox account elsewhere, then it is possible that someone is trying to break into those accounts. So when you’re notified of a password breach at a site like Dropbox, and that same password is used on other sites, you should be changing passwords on those other sites.

And if you do use the same password on your UoP account as on a compromised web site, you should change this password too.

Anonymous Leaks

If you refer back up to that list of leaks containing my email address, you will see that well over half are not associated with a well-known web site. Those are leaks from the “dark web”, and unfortunately are often distributed with no indication of where they originated.

It is widely believed that the leaks from the “dark web” represent a tiny minority of the amount of data to be found there – to those with the money to pay for it!

How Did The Leaks Occur?

The leaks very simply fit into two categories – leaks from well known web services (“Dropbox”), and leaks from the “dark web” where personal data dumps from unknown sources are available for sale.

When a large public web service is compromised, and the attackers steal large amounts of account credentials (and any associated personal information), the news often hits the mainstream security news sites (see: https://nakedsecurity.sophos.com/2020/01/22/big-microsoft-data-breach-250-million-records-exposed/). The “haveibeenpwned” site on the other hand attempts to get a copy of the leaked data, so people (including you) can check to see if their account has been leaked.

The “compromise” can happen in any number of ways, but the two most significant are :-

  1. A security vulnerability in the web site allows an attacker to break into the servers and access whatever data sits on the web site server(s).
  2. A cloud-based database or database backup is not properly secured and is available to anyone to connect to and read data. In some ways this is worse than the first as it is just a mistake in configuration that allows the leak.

Finally, there are leaks from the “dark web” – public data leaks are just the tip of the iceberg. It isn’t in the interest of hackers for it to be known that they have stolen large swathes of data because they’re very often in the business of selling that data onwards. If those hackers themselves have a data leak, it is entirely possible that the data could end up in the hands of security researchers – who may very well pass it on to “haveibeenpwned”.

In some cases where the data is sitting on public file distribution sites, “haveibeenpwned” will pass the link on to domain owners – which is why occasionally IS can inform those whose accounts have been compromised what has happened. But they do not distribute personal information themselves (even when they have the data).

What Are Data Leaks Used For?

Fraud. Specifically any kind of fraud that will obtain money.

In some cases attackers will use account credentials to leak data out of other web services to “enrich” data they already have on you.

See: https://nakedsecurity.sophos.com/2020/02/07/cybercrooks-busted-for-multimillion-dollar-identity-fraud/

Defending Yourself

Whilst it is in no way your fault that third-parties leak your personal data, that is hardly very helpful when you are the victim of identity theft and/or financial fraud. And so, how can we defend ourselves against the mistakes made by third parties?

  1. Try not to use the same password on multiple sites, and if you do, group them into related and low-risk sites. For example, your banking sites need unique strong passwords, but infrequently used shopping sites that do not store your credit card details could share a password.
  2. Use long and strong passwords wherever possible; if you fear forgetting passwords (and frankly given the number of passwords we have to remember, who doesn’t?), install and use a password manager such as KeePassXC.
  3. Where it is available as an option, consider enabling two-factor (or multi-factor) authentication.
  4. Periodically check the web site to see if your details have been compromised since the last time.

Pwned?

Lastly, that strange word “pwn” is a deliberate misspelling of “own” (or “owned”) to indicate that something has been broken into (or “owned”). And yes, this even appears in the OED.

This entry was posted in Active Attacks, Passwords.