If your password appears on 'Have I Been Pwned', you should change it immediately.
An Australian website now allows internet users to test out passwords before using them to see if they were leaked in one of the many data breaches in recent years.
By entering a password into the new “password” section of haveibeenpwned.com (HIBP), you can see if it is in a database of 306 million passwords that have previously been leaked.
The aim of the website is to help those creating new passwords to improve their online security and reduce the risk of their accounts being compromised.
If a user’s login information is flagged up on HIBP, a list is provided of the sites on which the breach or breaches occurred and when.
The site makes clear that users should not rely on the service to check passwords used on current online accounts, but should rather use it to test new ones.
What is being ‘pwned’?
Derived from the verb ‘own’, the term implies domination or humiliation of a rival and is often used in Internet-based video game circles.
In this case, a “pwned” password is one accessed by a hacker who illegally obtained the data from a vulnerable system.
Why was the website created?
The site was created by Troy Hunt, a Microsoft Regional Director, after the Adobe breach in 2013, which saw 150 million people affected by a loss of customer data.
“Data breaches are rampant and many people don’t appreciate the scale or frequency with which they occur,” he said.
Hunt wants to “help victims learn of compromises of their accounts” but also “highlight the severity of the risks of online attacks on today’s internet”.
The risk of reusing passwords
The Microsoft director also hopes to underline the risks associated with reusing passwords.
When doing a post-breach analysis of the Adobe case, he found “the same accounts (were) exposed over and over again, often with the same passwords which then put the victims at further risk of their other accounts being compromised”.
Is my information logged?
For those worried that their data is being collected when using HIBP, Hunt addresses this question in the site’s FAQs.
“Nothing is explicitly logged by the website,” he wrote.
What should I do if I’ve been pwned?
If HIBP detects a breach affecting you, the site will specify what information is at risk (email addresses, passwords, credit cards etc.) so you can take appropriate action, such as changing passwords.