Massive data breaches have become a common occurrence in the infosec world, and with consumers often using the same credentials across several websites and services, victims are left struggling to keep track of which accounts have been exposed and what details need to be changed. To solve this problem, a newly launched website wants to be a one-stop aggregator for exposed account information.
Of course, websites that enable possible data breach victims to determine whether their credentials have been stolen are nothing new. Several sites alone were devoted to the recent breach at Adobe that exposed approximately 153 million accounts, including a high-profile one built by the online password aggregation service LastPass that actually detailed how many victims had used the same password. The problem with such sites is their focus on specific breaches, which leaves consumers unable to piece together the bigger picture and determine how many of their accounts may have been compromised. That's where haveibeenpwned.com enters the picture.
Built by Troy Hunt, software architect and Microsoft Most Valuable Professional for developer security, haveibeenpwned aggregates compromised accounts from several major security breaches, not just the customary one. The site functions largely the same as any other such tool. A possible victim can simply query an email address (no password information is stored), and the site will determine whether the credentials are among a database of exposed credentials.
As of now, haveibeenpwned only utilizes data from five breaches, including the October 2013 Adobe breach, the July 2012 Yahoo breach, the December 2011 Stratfor breach, the 2011 Sony PlayStation network breach and the 2010 Gawker breach. Hunt plans to add more data from other breaches to the site, though the recent LinkedIn breach will not be among the additions because it only exposed passwords and not email addresses.
Perhaps more important is the role Hunt envisions the site playing in the handling of future data breaches.
"It's a bit of an unfair game at the moment -- attackers and others wishing to use data breaches for malicious purposes can very quickly obtain and analyze the data, but your average consumer has no feasible way of pulling gigabytes of gzipped accounts from a torrent and discovering whether they've been compromised or not," Hunt said on a blog post detailing the site's launch. "Now that I have a platform on which to build, I'll be able to rapidly integrate future breaches and make them quickly searchable by people who may have been impacted … [opening up] a range of other opportunities to help consumers deal with account compromises in the future."
As for the inspiration behind the site, both Hunt's work and personal accounts were actually exposed as part of the massive Adobe breach, a fact that he only discovered after querying the LastPass site. Left to wonder why he even had credentials with Adobe, Hunt speculated that he may have created an account with the software giant as far back as when he was building classic Active Server Pages using Dreamweaver.
"The point is that these accounts had been floating around for so long that by the time a breach actually occurred, I had no idea that my account had been compromised because the site was simply no longer on my radar," Hunt said.
The first day live already saw haveibeenpwned attract 63,000 visitors that performed 162,000 searches, according to Hunt's Twitter account. Thirty-two percent of the queried email addresses were in the databases. Readers can check their credentials at haveibeenpwned.com now.