Published on April 9th, 2020
10 Billion Wrecked Accounts Show Why You Need ‘Have I Been Pwned’
Popular data-breach tracker Have I Been Pwned is closing in on 10 billion compromised accounts. Just think about that for a minute: ten. billion. accounts. To put that figure in perspective, the Earth has around 7.7 billion people on it. It would be as if every single person on the planet had a compromised Facebook account, and then some.
I took a look at the numbers from Have I Been Pwned’s RSS feed, which I think is even missing a few recent breach announcements, and we’re already up to 71+ million compromised accounts for the year. The biggest breach the site added to its records in 2020 so far was a disaster from Israeli marketing firm Straffic, which exposed a database containing 140GB of personal data (including 49 million unique email addresses, as well as various users’ names, phone numbers, and addresses).
In other words, now is as good a time as any to sign up for Have I Been Pwned. But let’s go over the basics, in case you aren’t convinced.
Getting to know Have I Been Pwned
The site’s creator, Microsoft regional director and infosec maven Troy Hunt, offers a service that’s completely free for you to use. All this service requires is your email address; when said email address shows up in one of the many data breaches that happen throughout the year, you get a message about it. This message convinces you to tighten up your security on that service and, if you were lazy, alerts you to the fact that the single password you share across many services is now in jeopardy. You should change that right now (and please stop using the same password for multiple sites or services).
Don’t trust companies to notify you about data breaches in time
The best part about Have I Been Pwned, as we covered in an earlier version of this article, is that the site sometimes beats companies to the punch with disclosures. When CafePress had its huge data breach back in February of 2019, you would have learned that you were affected from Have I Been Pwned, not CafePress. And even when CafePress did notify its users about a breach, it wasn’t forthcoming: It only told users that they needed to change their passwords without indicating the reason for this seemingly random request.
Signing up for Have I Been Pwned’s notification service is easy. But you don’t even have to use this form if you don’t want to. Tools like Firefox Monitor and 1Password already integrate Have I Been Pwned’s database, so you should also receive notifications that way if your saved passwords are involved in a breach. (I prefer a scary email, which ensures I pay attention to the alert, but that’s just me.)
Some security utilities don’t use Have I Been Pwned, and that’s OK
And even though there are plenty of other tools that don’t use Have I Been Pwned’s information, they’re still useful if you’re looking to know whether your accounts are potentially compromised. Google’s Password Checkup extension comes to mind, which you might not even need if you save your passwords via the browser itself.
There’s also pwdquery, which teases which passwords of yours definitely need to be changed instead of simply alerting you that any service associated with your email address is at risk. If your password manager supports them, you might even be able to find a plugin that checks your accounts against Have I Been Pwned’s database, too.
Avoid scammers looking to prey on your data-security fears
There are also a number of similarly themed sites and extensions you’ll want to avoid. Ghostproject.fr is one such example. While you can certainly use it to see what leaked passwords might be associated with your email address, the site also cajoles you to pay them money to unlock the full password itself. In other words, it’s basically telling script kiddies, “give us cash and any emails you want, and we’ll tell you that person’s password.”
Admittedly, anyone halfway decent should just be able to find a number of breaches that likely contain enough details to allow them to log in as you somewhere, assuming you’re still using the same credentials as you were in a breach. And that, above all else, is why a service like Have I Been Pwned is so important: it gives you the best chance for getting ahead of a data disaster, given how easy it is for someone to beat you to the punch. Lifehacker can’t recommend this service enough, given how valuable a tool it is in addition to all the other methods you need to use to stay safe online.
This article was originally published in 2019 by David Murphy and updated on April 9, 2020 by David Murphy. We reworked the entire article to reflect more relevant information about account security and the latest security breaches. This includes changing and modifying screenshots, editing the headline, and editing the body text.