Pwned? What's Next?
The first step in fixing anything is knowing that it is broken. On the internet, a "break" in your security will not always be reported to you. Sometimes you have to take the initiative. Fortunately, you can employ a free detective to discover email data breaches.
Thanks to Troy Hunt! (from Wikipedia)
Created by Troy Hunt in 2013, and since incorporated as an optional extension in Firefox and Chrome, haveibeenpwned.com is yours to use free of charge.
According to Wikipedia,
Have I Been Pwned? (HIBP, with "Pwned" pronounced like "poned"[2]) is a website that allows internet users to check if their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps...The primary function of Have I Been Pwned? since it was launched is to provide the general public a means to check if their private information has been leaked or compromised. Visitors to the website can enter an email address, and see a list of all known data breaches with records tied to that email address. The website also provides details about each data breach, such as the backstory of the breach and what specific types of data were included in it...The name "Have I Been Pwned?" is based on the script kiddie jargon term "pwn", which means "to compromise or take control, specifically of another computer or application."
HIBP's logo includes the text ';--, which is a common SQL injection attack string. A hacker trying to take control of a website's database might use such an attack string to manipulate a website into running malicious code....
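To make concrete why a string like ';-- matters, here is an added example (not from the original post or from HIBP) using Python's built-in sqlite3 module. It models a "notify me when my email is breached" sign-up form writing to a subscribers table (the table, the function names and the sample addresses are all constructed). The vulnerable version glues the form input into the SQL text, so the quote closes the string early and the -- turns the rest of the statement into a comment; the hardened version passes the input as a bound parameter, so it is only ever data.

```python
import sqlite3

# Constructed schema: a minimal "notify me" subscriber table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)"
    )
    return conn


def _read_back(conn: sqlite3.Connection, row_id: int) -> str:
    """Return the email value actually stored for a given row id."""
    row = conn.execute(
        "SELECT email FROM subscribers WHERE id = ?", (row_id,)
    ).fetchone()
    return row[0]


def store_vulnerable(conn: sqlite3.Connection, email: str):
    """Builds the INSERT by string concatenation: the input is parsed as SQL.

    Returns the value that ended up in the table, or None if SQLite rejected
    the mangled statement outright. Either outcome means the user's input
    reached the SQL parser as syntax rather than as data.
    """
    sql = "INSERT INTO subscribers (email) VALUES ('" + email + "')"
    try:
        cur = conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning):
        return None
    return _read_back(conn, cur.lastrowid)


def store_safe(conn: sqlite3.Connection, email: str) -> str:
    """Binds the input as a parameter: SQLite never sees it as SQL text."""
    cur = conn.execute("INSERT INTO subscribers (email) VALUES (?)", (email,))
    return _read_back(conn, cur.lastrowid)


def stored_intact(conn: sqlite3.Connection, store_fn, email: str) -> bool:
    """Defender-side check: did the value survive the round trip unchanged?"""
    return store_fn(conn, email) == email


if __name__ == "__main__":
    db = make_db()
    for value in ("alice@example.com", "';--"):  # constructed inputs
        print(repr(value),
              "vulnerable intact:", stored_intact(db, store_vulnerable, value),
              "safe intact:", stored_intact(db, store_safe, value))
```

With the ordinary address both paths store the same thing; with ';-- the concatenated statement becomes INSERT INTO subscribers (email) VALUES ('');--'), which stores an empty string (or is rejected), while the parameterised statement stores the seven-character string exactly as typed. The same round-trip check is a cheap regression test to keep in any code base that builds SQL from user input.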
Yes, I found one of my emails had been pwned. It was my University account, the oldest of my email accounts and so far as I know, did not result in any harm. I also discovered, somewhat to my surprise, that one of my email accounts had not been hacked (yet)!
Here's the report for the hacked account. Inconveniently, they did not list them in chronological order. Some are ancient (2008) and some are recent.
Breaches you were pwned in
A "breach" is an incident where data has been unintentionally exposed to the public. Using the 1Password password manager helps you ensure all your passwords are strong and unique such that a breach of one service doesn't put your other services at risk.
Adapt: In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles, contact information and data relating to the employer including organisation description, size and revenue. No response was received from Adapt when contacted.
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Social media profiles
Apollo: In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data. The Apollo website has a contact form for those looking to get in touch with the organisation.
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Salutations, Social media profiles
B2B USA Businesses (spam list): In mid-2017, a spam list of over 105 million individuals in corporate America was discovered online. Referred to as "B2B USA Businesses", the list categorised email addresses by employer, providing information on individuals' job titles plus their work phone numbers and physical addresses. Read more about spam lists in HIBP.
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Collection #1 (unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.
Compromised data: Email addresses, Passwords
Exactis: In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
Kayo.moe Credential Stuffing List (unverified): In September 2018, a collection of almost 42 million email address and plain text password pairs was uploaded to the anonymous file sharing service kayo.moe. The operator of the service contacted HIBP to report the data which, upon further investigation, turned out to be a large credential stuffing list. For more information, read about The 42M Record kayo.moe Credential Stuffing Data.
Compromised data: Email addresses, Passwords
LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
Compromised data: Email addresses, Passwords
MySpace: In approximately 2008, MySpace suffered a data breach that exposed almost 360 million accounts. In May 2016 the data was offered up for sale on the "Real Deal" dark market website and included email addresses, usernames and SHA1 hashes of the first 10 characters of the password converted to lowercase and stored without a salt. The exact breach date is unknown, but analysis of the data suggests it was 8 years before being made public.
Compromised data: Email addresses, Passwords, Usernames
Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.
Compromised data: Email addresses, Passwords
River City Media Spam List (spam list): In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.
Compromised data: Email addresses, IP addresses, Names, Physical addresses
Trik Spam Botnet (spam list): In June 2018, the command and control server of a malicious botnet known as the "Trik Spam Botnet" was misconfigured such that it exposed the email addresses of more than 43 million people. The researchers who discovered the exposed Russian server believe the list of addresses was used to distribute various malware strains via malspam campaigns (emails designed to deliver malware).
Compromised data: Email addresses
Verifications.io: In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
1. Change your password or substitute a USB key. Here's an introductory video on this using one of the available USB keys and LastPass (beginning at 10:30):
2. Check your settings (see Four Things You Should Do When Your Email Gets Hacked)
3. Scan ALL your devices for malware.
4. Implement preventive measures (such as using private networks and bookmarking trusted sites). Remember, you can always use a browser such as Tor to disguise your web searches and defend against tracking and surveillance!