How Do I Know If My Email Has Been Leaked in a Data Breach?
The Dangers of Bad Password Hygiene
Many people use their email addresses and a small set of passwords (or even just one password) to log in to their online accounts. Unfortunately, this means that any hacker with your email address already has half your login details. Add in numerous password breaches from big-name digital service providers and you have a recipe for disaster.
Since most people still recycle versions of their passwords, once one of them is released in a data leak, it could mean that all of your online accounts are compromised thanks to bad password hygiene.
Even if you’re one of the many people who uses a selection of different passwords based on some sort of theme or the rearrangement of certain elements, an attacker could combine knowledge of one password with a brute force attack or social engineering to more easily discover your other passwords.
Have I Been Pwned? Good Question!
Luckily there’s a well-trusted website where anyone can quickly find out if their email address has been compromised in an email leak and which company leaked your data. Have I Been Pwned? (HIBP) was set up by Troy Hunt, a highly respected digital security expert.
It’s simple to find out if your email address has been compromised. Just go to Have I Been Pwned? to search their database of leaked details.
HIBP doesn’t just include leaked emails, but (as my friend found out) other personal data that has been exposed on the web. What you learn may surprise you—I asked a friend to try a few of their emails, and though all of their passwords were safe, other bits of personal data had been leaked by several marketing data aggregation companies.
Hackers make use of many types of personal data, combining databases with known passwords when they do leak to make cracking your accounts that much quicker, so any sort of data leak can be risky.
Check a few of your emails on the site, and chances are that at least one of them will have been involved in a data leak at some point, even if your passwords haven’t been released.
There’s also a handy password checker to find out if a certain password has made its way into the public domain. (Don’t worry, the site uses hashing to keep your password anonymous and doesn’t store it.)
Out of curiosity I checked the statistics for using “password” as a password—it turned out to have been pwned 3,533,661 times, a stark reminder that common sense doesn’t always triumph when humans are left to their own devices regarding password strength.
Subscribing to Have I Been Pwned is free and doing so will alert you to future leaks involving that email address as soon as they become public; adding additional emails is straightforward and doesn’t incur any additional fees. As a website owner or administrator, you can also set up alerts that let you know if any email addresses associated with your domain have been compromised.
Note: In September 2018, Firefox Monitor partnered with Troy Hunt to launch their own branded version of Have I Been Pwned? for searching leaked emails. Some people may feel more comfortable using a service endorsed by an organization like Mozilla.
What Should I Do if I Find My Address in an Email Leak?
1. Change Your Passwords
Once you’ve checked your email addresses for breaches, the next step is to change all of your passwords that are related to that email to something strong and complex. Choosing strong, unique passwords can be difficult for some people – believe it or not, a random string of letters, numbers, and symbols can be just as easy for a machine to crack as any other password.
XKCD explains it pretty well in this cartoon; think “pass phrases” of unrelated terms, rather than just a “password.” And no, changing letters for numbers (l33t style) is far too common to make this a safe way to create a cunning password!
If your password comes up as having been leaked on the password checker, it doesn’t necessarily mean that your personal password has been leaked. Maybe your choice of secret word wasn’t as unique as you thought it was.
What it does mean is that your password is likely to be in a database along with other confirmed passwords that a cracker program will use first when trying a brute-force attack on your account. Combine a compromised password with a leaked email for an account without multi-factor authentication, and you’ve just handed anyone with those two databases full account access.
And what do we mean by unique? Not unique to you, but unique to each site or login you use. Remember never to use any of your biographical data in your passwords either; many of the data breaches on Have I Been Pwned? are from marketing companies that don’t actually have people’s passwords. What they do leak is a handy, searchable database of lots of your other information (including things like kids’ birthdays, work anniversaries, and so forth).
2. Use a password manager
Of course, with all these unique passwords, you may be tempted to write them all down. If you want to keep your new set of passwords safe, though, consider using a password manager (with a strong, unique password that you can remember). There are a number of options, many of them free, that will help you store your passwords safely.
LastPass and Dashlane are the two most popular options, and both have points in their favour. If you take your online security seriously, it’s worthwhile paying for a premium version.They’re relatively inexpensive and include important features like syncing across devices and advanced multi-factor authentication. Where possible, you should enable multi-factor authentication on all of your accounts.
Leaks of any type of customer data can be both embarrassing and expensive for businesses. An increasing number of countries have steep penalties for any kind of data breach, in some cases attracting unlimited fines or large percentages of an organization’s annual turnover (yes turnover, not after-tax profit). If you’re responsible for your company’s data security or digital platforms, then you’re probably acutely aware of this fact.
LoginRadius has a vested interest in maintaining the highest levels of data protection.