Q: How can I tell if hackers have any of my passwords?
A: If you’ve been using the internet for more than a couple of years, you can assume that one or several of your passwords have been compromised.
This assumption has little to do with any specific mistakes you’ve made and more to do with how common data breaches are these days.
The Privacy Rights Clearinghouse’s page on data breaches from 2018 alone shows a total of 1,370,710,977 records from 807 reported breaches.
These are just from the breaches that were made public, so you can bet there were lots more that went unreported.
Have I Been ‘Pwned’?
Just this week, a well-known security researcher who runs a useful site called “Have I Been Pwned” reported that another huge cache of email addresses and passwords had been posted to a hacking forum.
He discovered that 772,904,991 unique email addresses and associated passwords, totaling more than 1 billion possible combinations, are floating around the online underworld.
Because so many users tend to use the same username and password everywhere, automated bots are used to execute what is known as “credential stuffing,” which will test these known combinations on virtually every popular login page in a matter of minutes.
This is why turning on Two-Factor Authentication or using USB Security Keys is so important.
What is ‘pwned’?
In the gaming world, when one player dominates another, they are said to be “owned,” but a game developer accidentally hit the letter “p,” which is next to the letter “o,” in a popular game, and the gaming world adopted it as its own.
How to check
The Have I Been Pwned website offers a variety of free tools that are useful for both individuals and businesses that want to know if they have been compromised.
From the home page, you can simply type in any of your email addresses and hit the “pwned?” button to get a report on how many places that email address has been involved in a breach.
In some cases, the associated passwords may not have been exposed, but other personal info was, which is listed for each incident in the “compromised data” section.
If you want to check to see if a specific password you use has been included in any of the breaches, you can click on the ‘Passwords’ menu at the top to check each one. Although this may seem risky, I have reviewed the technical details of how the tool works in conjunction with another company that I trust (Cloudflare) to keep your password search private.
Business tool
If you own a domain with lots of associated email addresses, you can use the “domain search” option to find all email addresses associated with your domain that have been breached.
Get notified and donate
If you’d like to have the site notify you when a new data breach includes your email address, click on the “notify me” link at the top to sign up.
All of these services are free, but I’d highly recommend that if you find them useful, you consider donating to the cause to help keep the service going.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.
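The column says the password lookup under “How to check” keeps your search private but does not show how. The sketch below is an added example, not code from the column or from the Have I Been Pwned site: it illustrates the k-anonymity range lookup the Pwned Passwords service uses, where only the first five characters of the password's SHA-1 hash leave your machine. The function names, the fake service and its counts are constructed for illustration.

```python
import hashlib
import urllib.request

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Search the 'SUFFIX:COUNT' lines returned for a prefix, locally."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch_range):
    """Only the 5-character prefix is ever handed to fetch_range."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))

def fetch_range_https(prefix):
    """Live lookup against the public range endpoint (not used in the demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def make_fake_service(breached):
    """Constructed stand-in for the service, built from {password: count}."""
    table, seen = {}, []
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    def fetch(prefix):
        seen.append(prefix)  # everything the "server" learns about the query
        decoy = "0" * 35 + ":1"  # constructed extra line sharing the prefix
        return "\r\n".join(table.get(prefix, []) + [decoy])
    return fetch, seen

if __name__ == "__main__":
    # Constructed sample data: passwords and counts are made up for the demo.
    fetch, seen = make_fake_service({"password": 42, "letmein": 7})
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen in breaches:", check_password(pw, fetch))
    print("prefixes the service saw:", seen)
```

Passing `fetch_range_https` instead of the fake `fetch` performs the same check against the live service; the comparison of the remaining 35 characters still happens on your own machine.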