Have You Been PWND?


PWND means “owned”. The term is typically used after losing badly in an online game (e.g., “I was really PWND, man”). When one player completely annihilates another, the loser is said to have been PWND (i.e., owned, beaten, defeated).

Hackers also use it when they hack a website or a user: they have “PWND” that person or that site.

Have you ever wondered if your email address or phone number has been hacked or stolen? Well, there is a website for that. You can go to https://haveibeenpwned.com/, and enter either your email address or phone number and it will search its extensive database and see if your details are part of the millions of records that have been discovered in major online hacks.

How Does It Work?
I will use HaveIBeenPWND as my example. They scour the web and the deep and dark web for compromised account lists. These lists are often sold on the dark web for a small chunk of change; a hacker would purchase a list and start trying to hack into the accounts on it. In the case of HaveIBeenPWND, they parse the list and add it to their database of compromised accounts. At the time of this post, they have 11,454,726,823 accounts in their database; that is 11.4 billion compromised accounts.

Real-World Test Results
In my case (see screenshot below), I entered my email address and I discovered 11 different known breaches that my email address has been found in. It will also tell you what was compromised so you know what details you will need to change. In my case, it shows that my LinkedIn account is part of a May 2016 hack of 164 million LinkedIn accounts. This means that I need to change my LinkedIn account password (which I did in 2016 when I first heard of this hack).

There are several other similar websites that have similar databases that may contain details about different hacks or compromises. I ran a quick little test to see how many different results I get from the below sites. I used the same email address for each site.

  • https://www.f-secure.com/us-en/home/free-tools/identity-theft-checker – F-Secure found my email address had been compromised 17 times, but the email they sent only indicated 10 compromises, and many of them were listed as “Collection Combo List” with no details. It looks like they want to sell their F-Secure ID Protection service, and they don’t disclose how large their database is.
  • https://spycloud.com/ – Spycloud claimed that they discovered 22 compromises for my email address, but then wanted me to pay to play. They claim they have 2 billion records of compromised accounts.
  • https://haveibeenpwned.com/ – HaveIBeenPwnd found that my email address was compromised 11 times.
  • https://www.checkthem.com/hacked/ – Check Them discovered 11 compromises for my email address, the same as HaveIBeenPwnd.com. They claim they have 3.9 billion records of compromised accounts.
  • https://sec.hpi.de/ilc/search?lang=en – Found seven compromises, nothing new, but their email contains a nice chart that is easy to read. They claim that they have 12.4 billion records of compromised accounts.
  • https://breachalarm.com/ – Breach Alarm found that my email address was compromised two times. However, I didn’t pay any money to see what accounts had been compromised. They claim that they have 1.2 billion records of compromised accounts.
  • https://leakpeek.com/ – Leak Peek found that my email address was compromised once, but nothing different. They have 8.2 billion records.
  • https://www.avast.com/hackcheck – Avast found that my email address was compromised four times, but nothing different. They have 3.9 billion records.
  • https://scatteredsecrets.com/ – Scattered Secrets required me to pay to play. They have 5 billion records.
  • https://www.dehashed.com/ – Dehashed required me to pay to play. They claim they have 14.4 billion records.

The one thing you need to understand is that in some cases your account may not have actually been compromised, but your account details show up in a massive list of compromised accounts, so it is a safe assumption that your account has been compromised. It is a very good practice to change the password for any account that has been listed. After all, it is better safe than sorry.
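To turn a list of breach results into a to-do list, the following added example (not part of the original post or of any of the services above) compares each breach that exposed passwords with the date you last changed that account's password, and treats a combo list of unknown origin as affecting every account with an older password. The service names, dates and records are constructed; the field names Name, BreachDate and DataClasses are modelled on the breach records the Have I Been Pwned API returns.

```python
from datetime import date

# Constructed sample breach results for one email address.
BREACHES = [
    {"Name": "ExampleNetwork", "BreachDate": "2016-05-17",
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleForum", "BreachDate": "2019-02-03",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleNewsletter", "BreachDate": "2020-08-11",
     "DataClasses": ["Email addresses", "Names"]},
    # A combo list: credentials of unknown origin, not tied to one service.
    {"Name": "Collection Combo List", "BreachDate": "2021-01-07",
     "DataClasses": ["Email addresses", "Passwords"]},
]

# Constructed record of when each account's password was last changed.
LAST_CHANGED = {
    "ExampleNetwork": date(2016, 6, 1),     # changed right after the breach
    "ExampleForum": date(2018, 1, 15),
    "ExampleNewsletter": date(2015, 3, 2),
    "ExampleBank": date(2022, 4, 9),
}

def passwords_to_change(breaches, last_changed):
    """Map each account needing a new password to the breaches that justify it."""
    todo = {}
    for breach in breaches:
        if "Passwords" not in breach["DataClasses"]:
            continue  # no password exposed, so nothing to rotate
        leaked = date.fromisoformat(breach["BreachDate"])
        if breach["Name"] in last_changed:
            targets = [breach["Name"]]      # breach of a known service
        else:
            targets = list(last_changed)    # unknown source: check every account
        for service in targets:
            # A password set on or before the breach date may be the leaked one.
            if last_changed[service] <= leaked:
                todo.setdefault(service, []).append(breach["Name"])
    return todo

if __name__ == "__main__":
    for service, reasons in sorted(passwords_to_change(BREACHES, LAST_CHANGED).items()):
        print(f"{service}: change password ({', '.join(reasons)})")
```
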

In Conclusion
Based on my testing, I will stick with HaveIBeenPWND.com. Not only do they have one of the largest databases of compromised accounts, but it is free, accurate, and easy to use. I discovered the Hasso Plattner Institute during research for this post, and I will augment the monthly search of my email address with them.

Average Joe

Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.

By Average Joe
