⚠️ ';--have i been pwned? How to check if your account credentials have been breached ⚠️

In 2016 alone over one billion records containing personal information including email addresses were put up for sale or made public after a rash of leaked data from numerous breaches.

Researchers 'Beknow' and Troy Hunt recently gained access to the data of one such repository (thanks to Beknow): the spam bot "Onliner" best known for spreading the Ursnif banking Trojan, and discovered a massive trove of hundreds of millions of records including email addresses, email and password combinations (some in cleartext), and SMTP credentials and configuration files.

80 million credentials were found among the data, although determining provenance is near impossible. However, about two million were determined to originate from a Facebook phishing campaign.

“...mind-boggling amount of data.”

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,”

- Troy Hunt

• One file alone contained 1.2 million email addresses and cleartext passwords, many of which are likely from the LinkedIn breach which leaked passwords as SHA1 hashes with no salt
• Another file contained 4.2 million email addresses and passwords, according to Hunt each one were found in a list from the Exploit[.]In underground forum
• Around 2 million came from a Facebook phishing campaign
• Also found in separate files, thousands of records containing email addresses, passwords and SMTP server and port designations

Hunt said that the particular Onliner server, hosted in the Netherlands, was still up and running and law enforcement had been notified.

---

"have i been pwned?" is a service you can use to check if an account has been compromised in a data breach. Using the service is very straight forward, simply enter the email address or username to check & hit "pwned?", but be aware that:

• Sensitive breaches are not publicly searchable
• Unverified breaches may be sourced from elsewhere
• Spam Lists are used for spam marketing

Green is good, in at least as the account isn't present in known breach data, see Advice* below.

Red means stop is not so good, jump to Advice* section now.

The service began after its creator Troy Hunt (a Microsoft Regional Director & international web security speaker/author) continued to find the same accounts in repeated post-breach analysis, often with the same passwords, putting the victims at risk of further accounts being compromised.

All build and running costs are funded directly from Troy's own pocket, but Paypal or Bitcoin (121CEyDDEewZfp7mpFLd6WvfD9fcyWpwQe) donations are very gratefully accepted.

---

*Advice

"...there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.

- Donald Rumsfield, former US Secretary of Department of Defense

A word to the wise: if you find a match for your user or account name, change your password for the indicated service(s).

A word to the unwise: if you use the same password in multiple locations, or, gods help you, everywhere, then you should change the compromised password everywhere you've use it, preferably to a unique one at each site/service, preferably even if it hasn't been compromised.

There's also a Notify Me service that can send alerts when if HIBP find your email address again in future data breach dumps (you changed to a unique, complex password, right?).

If you're daunted by the prospect of managing a number of unique and complex passwords then check out my series of articles on this very subject:
🔐 How vulnerable are you: secure, ubiquitous, ease of access
🔐 How vulnerable are you: managing complexity

I've been working towards an article on more secure computer practices and behaviour, but Hive account@profit-generator has just beaten me to the punch with just such an article, I suggest you read it.

I'll probably still write an article on the topic anyway. P-G will likely write more too, as will Hive account@an0nkn0wledge and Hive account@ausbitbank and etc et al. Over time you may get a bit sick of the continued best-practice digital security advice, but we won't quit, we'll just STEEM ON!

If you need any further encouragement just check the list and totals of compromised sites/accounts below.

---

The HIBP pwage list is extensive, it includes site/services, details the number and types of accounts compromised, and provides dates, links and other details where available. Among the data security breaches listed are:

• 4,789,599 Bitcoin Security Forum Gmail Dump email addresses, passwords in September 2014
• 501,407 Bitcoin Talk dates of birth, email addresses, genders, IP addresses, passwords, security questions and answers, usernames, website activity in May 2015
• 568,340 BTC-E account balances, email addresses, IP addresses, passwords, usernames, website activity in October 2014

As at writing the current Top 10 breaches are:

1. Onliner Spambot - 711,477,622 Onliner Spambot accounts
2. Exploit.In - 593,427,119 Exploit.In accounts
3. Anti Public Combo List - 457,962,538 Anti Public Combo List accounts
4. River City Media Spam List - 393,430,309 River City Media Spam List accounts
5. MySpace - 359,420,698 MySpace accounts
6. NetEase - 234,842,089 NetEase accounts
7. LinkedIn - 164,611,595 LinkedIn accounts
8. Adobe - 152,445,165 Adobe accounts
9. Badoo - 112,005,531 Badoo accounts
10. B2B USA Businesses - 105,059,554 B2B USA Businesses accounts

---

Questions and comments are welcomed in the replies. If you'd like to see more articles like this then ^vote, resteem, and comment below. Considerable effort has gone into researching, testing, and formatting for this article.

If you liked it, then you shoulda put a ^vote on it!

---