Recent news that half a billion Yahoo accounts have been compromised has prompted me to again tell friends about a great website for exploring the effect of security breaches on your online accounts. The site is called: haveibeenpwned and I encourage you to explore it.
The site is run by Troy Hunt, a security researcher at Microsoft and a Microsoft MVP, as in Most Valuable Professional awardee for Developer Security (I am very familiar with the MVP designation because my good friend and fellow ESET researcher, Aryeh Goretsky, is a multiple MVP awardee - MVPs are good people!). You can read more about Troy on his very interesting blog at troyhunt.com and there is a very clear explanation of the site at https://haveibeenpwned.com/About.
By now you will have realized that pwned is not a typo. It is hacker slang derived from the verb pwn meaning: "to appropriate or to conquer, to gain ownership (Wikipedia). I'm not a big fan of the term pwn because it can lend an air of coolness to illegal and unethical acts that are definitely not cool.
But I am a big fan of Troy and this site. Why? Because it is the one place I know where you can easily check if one of your accounts is compromised in a headline grabbing breach, sometimes years after the fact (something that has happened five times in less than five years to one of my accounts). Furthermore, you can sign up to be notified if a breach affects an account. For example, on May 24 of this year I received this message from haveibeenpwned:
In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.That arrived in my inbox more than 24 hours before I heard from LinkedIn, and it included a couple of data points that LinkedIn did not. I'm not picking on LinkedIn here - anyone who has suffered a data breach is a victim, and victim blaming is not going to deter cybercrime. Bringing swift justice to criminals is what's missing at the moment and shaming our politicians into enabling more of that is what's needed.
Now, you may have read that the Yahoo breach was state sponsored. If it was, that is also a matter for politicians to handle, and as citizens who value a free and open internet we need to urge them to act to end such activities. For more about the Yahoo breach see:
- Yahoo announcement
- More infor from NY Times
- It's more than Yahoo, Flickr or Tumblr
- Opinion and reaction