Troy Hunt, a software architect and Microsoft MVP, has created a site answering the question on everyone's mind after a corporate data breach - Have I been pwned?
That is to say, Hunt has obtained the publicly available breached account data from the likes of breach victims Sony, Yahoo!, Gawker, Adobe, and others, and created a simple search field allowing users to check if their email is present in the list of leaked credentials. If your email isn't present in the breach data for the six websites shown, you're greeted with this happy message:
Note that an email not being found in his system doesn't mean your user data is safe and sound - there have been plenty of other leaks that aren't yet accounted for by this search. Now, if you've been the victim of one of the listed data breaches, you're instead greeted with an imposing message like this:
Better change that password, stat.
Of course the other thing is that I’ve only got five data breaches here and there are many more out there which I’m yet to integrate.
In his blog post announcing the site, Hunt explains that his isn't the first site to let users check if their credentials have been leaked; what makes haveibeenpwned.com unique is that it allows users to search multiple site leaks at once. The nice part is, now that the platform has been built to support checking against multiple breach lists, Hunt is able to add new data as soon as it's available (the bad part is that more data means more breaches have occurred, but c'est la vie).
Try as we might to be proactive about data security, breaches and leaks happen now and then. Thankfully, sites like Hunt's HIBP give users a fighting chance to react to credential leaks before things can go from bad to worse.
Special thanks to Tripwire for inspiring this post.