Have I Been Pwned: FAQs

What does “pwned” mean?

The word “pwned” originates from video game culture and is a derivation of the word “owned”, due to the proximity of the “o” and “p” keys. It is usually used to imply that someone has been controlled or compromised, for example “I was pwned in the Adobe data breach”. Read more about how “pwned” went from hacker jargon to the internet’s favourite taunt.

What is a “breach” and where does the data come from?

A “breach” is an incident in which data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.

Are user passwords stored on this site?

When email addresses from a data breach are loaded into the site, no corresponding passwords are loaded with them. Separately from the pwned address search feature, the Pwned Passwords service allows you to check whether an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address) and every password is SHA-1 hashed (read why SHA-1 was chosen in the Pwned Passwords launch blog post).

Can I send users their exposed passwords?

No. Any ability to send passwords to people puts both them and me at greater risk. This topic is discussed at length in the blog post on all the reasons I don’t make passwords available via this service.

Is there a list of everyone’s email addresses or usernames available?

The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. The domain search feature can return multiple breached accounts, but only after successfully verifying that the person performing the search is authorised to access assets on the domain.

What about breaches where passwords are not leaked?

Occasionally, a breach will be added to the system which does not include credentials for an online service. This can happen when data about people is leaked and may not include a username and password. However, this data still has a privacy impact; it is data that those affected would not reasonably expect to be publicly disclosed and, as such, they have a vested interest in being able to be notified of it.

How do you verify that a breach is legitimate?

There are often “breaches” announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed to validate breach legitimacy:

  1. Has the affected service publicly acknowledged the breach?
  2. Does the breach data show up in a Google search (i.e. was it simply copied from another source)?
  3. Is the structure of the data consistent with what you would expect to see in a breach?
  4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
  5. Do the attackers have a track record of reliably releasing breaches, or of faking them?

What is a “paste” and why include it on this site?

A “paste” is information that has been “pasted” to a publicly facing website designed to share content, such as Pastebin. These services are favoured by hackers because information can be shared anonymously with ease, and they are frequently the first place a breach appears.

HIBP searches through pastes that are broadcast by the accounts in the Paste Sources Twitter list and reported as having emails that are a potential indicator of a breach. Finding an email address in a paste does not immediately mean it has been disclosed as the result of a breach. Review the paste and determine whether your account has been compromised, then take appropriate action such as changing passwords.

My email was reported as appearing in a paste, but the paste now can’t be found

Pastes are often transient; they appear briefly and are then removed. HIBP usually indexes a new paste within 40 seconds of it appearing and stores the email addresses that appeared in the paste along with some metadata such as the date, title and author (if they exist). The paste itself is not stored and cannot be displayed if it no longer exists at the source.


My email was not found. Does that mean I haven’t been pwned?

Although HIBP is kept up to date with as much data as possible, it contains only a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data, and indeed many breaches go entirely undetected. “Absence of evidence is not evidence of absence” or, in other words, just because your email address wasn’t found here doesn’t mean it hasn’t been compromised in another breach.

How does HIBP handle “plus aliasing” in email addresses?

Some people choose to create accounts using a pattern known as “plus aliasing” in their email addresses. This allows them to express their email address with an additional piece of data in the alias, usually reflecting the site they have signed up to, such as test+netflix@example.com or test+amazon@example.com. There is presently a UserVoice suggestion requesting support for this pattern in HIBP. However, as explained in that suggestion, usage of plus aliasing is extremely rare, appearing in only about 0.03% of addresses loaded into HIBP. Vote for the suggestion and follow its progress if this feature is important to you.

How is the data stored?

Breached accounts sit in Azure Table Storage, which contains nothing more than the email address or username and a list of the sites it appeared in breaches of. If you’re interested in the details, it’s all described in Working with 154 million records on Azure Table Storage: the story of Have I Been Pwned.

Is anything logged when people search for an account?

The website doesn’t explicitly log anything. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.

Why do I see my username as breached on a service I never signed up to?

When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply because someone else has elected to use the same username as you usually do. Even when your username appears to be very unique, the simple fact that there are several billion internet users worldwide means there is a strong probability that most usernames have been used by other people at one time or another.

Why do I see my email address as breached on a service I never signed up to?

When you search for an email address, you may see that address appear against breaches of sites you don’t recall ever signing up to. There are many possible reasons for this, including your data having been acquired by another service, the service rebranding itself as something else, or someone else signing you up. For a more comprehensive overview, see Why am I in a data breach for a site I never signed up to?

Can I receive notifications for an email address I don’t have access to?

No. For privacy reasons, all notifications are sent to the address being monitored, so you can’t monitor someone else’s address, nor can you monitor an address you no longer have access to. You can always do an on-demand search of an address, but sensitive breaches will not be returned.

Does the notification service store email addresses?

Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed and a random token for verification are stored.


Can a breach be removed against my email address after I’ve changed the password?

HIBP provides a record of which breaches an email address has appeared in, regardless of whether the password has consequently been changed or not. The fact that the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don’t want any breach to appear publicly against the address, use the opt-out feature.

Which email address are notifications sent from?

All emails sent by HIBP come from noreply@haveibeenpwned.com. If you’re expecting an email (for example, the verification email sent when signing up for notifications) and it doesn’t arrive, try whitelisting that address. 99.x% of the time email doesn’t arrive in someone’s inbox, it’s because the destination mail server bounced it.

How do I know the site isn’t just harvesting searched email addresses?

You can’t know for certain, but it doesn’t. The site is simply intended to be a free service for people to assess the risk of their account having been caught up in a breach. As with any website, if you’re concerned about the intent or security, don’t use it.

Is it possible to “deep link” directly to a search for an account?

Yes, you can construct a link so that the search for a particular account happens automatically when the page loads: just pass the name after the “account” path. Here is an example:

How do I submit a data breach?

If you come across a data breach which you’d like to submit, please get in touch with me. If you’re not sure whether the breach is already in the system, first check what is currently loaded into HIBP on the pwned websites page.

What is a “sensitive breach”?

HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as “sensitive” and may not be publicly searched.

A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system, which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.

There are presently 47 sensitive breaches in the system, including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.org, Ashley Madison, BeautifulPeople, Bestialitysextaboo, Brazzers, Carding Mafia (December 2021), Carding Mafia (March 2021), CrimeAgency vBulletin Hacks, CTARS, CyberServe, Doxbin, Emotet, Fling, Florida Virtual School, Freedom Hosting II, Fridae, Fur Affinity, Gab and 27 more.

What is a “retired breach”?

After a security incident which results in the disclosure of account data, the breach may be loaded into HIBP, where it then sends notifications to impacted subscribers and becomes searchable. In very rare circumstances, that breach may later be permanently removed from HIBP, where it is then classed as a “retired breach”.

A retired breach is typically one where the data does not appear in other locations on the web, that is, it is not being traded or redistributed. Deleting it from HIBP provides those impacted with assurance that their data can no longer be found in any remaining locations. For more background, read Have I Been Pwned, opting out, VTech and general privacy things.

There is presently 1 retired breach in the system, which is VTech.

What is an “unverified” breach?

Some breaches may be flagged as “unverified”. In these cases, whilst there is legitimate data within the alleged breach, it may not have been possible to establish legitimacy beyond reasonable doubt. Unverified breaches are still included in the system because, regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on unverified breaches can be found in the blog post titled Introducing unverified breaches to Have I Been Pwned.


What is a “fabricated” breach?

Some breaches may be flagged as “fabricated”. In these cases, it is highly unlikely that the breach contains legitimate data sourced from the alleged site, but it may still be sold or traded under the auspices of legitimacy. Often these incidents are comprised of data aggregated from other locations (or may be entirely fabricated), yet still contain real email addresses unbeknownst to the account holder. Fabricated breaches are still included in the system because, regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on fabricated breaches can be found in the blog post titled Introducing “fabricated” breaches to Have I Been Pwned.

What is a “spam list”?

Occasionally, large volumes of personal data are found being used for the purpose of sending targeted spam. This often includes many of the same attributes frequently found in data breaches, such as names, addresses, phone numbers and dates of birth. The lists are often aggregated from multiple sources, frequently by eliciting personal information from people with the promise of a monetary reward. Whilst the data may not have been sourced from a breached system, the personal nature of the information and the fact that it is redistributed in this fashion without the owners’ knowledge warrants its inclusion here. Read more about spam lists in HIBP.

What is a malware breach?

Data breaches in HIBP aren’t always the result of a security compromise of an online service; occasionally, data obtained by malware campaigns is also loaded. For example, data from the Emotet malware was provided to HIBP by the FBI and the Dutch NHTCU in April 2021. The risk to individuals in these incidents is different (their personal device may be compromised), hence the presence of this flag in HIBP.

What does it mean if my password is in Pwned Passwords?

If a password is found in the Pwned Passwords service, it means it has previously appeared in a data breach. HIBP does not store any information about who the password belonged to, only that it has previously been exposed publicly and how many times it has been seen. A pwned password should no longer be used, as its exposure puts it at higher risk of being used to log in to accounts using the now-exposed secret.

I searched for my email address on HIBP and then I was hacked, what gives?

Firstly, searches are not logged, so there is no collection of addresses. Any searches that are performed are done over an encrypted connection, so nobody has access to the web traffic other than those hosting the HIBP services. Even if they did, it is only an email address and not enough to gain access to someone’s online accounts. If Pwned Passwords has also been used to search for a password, it is anonymised before being sent to HIBP, so even a search for both email address and password does not provide a usable credential pair. Correlation does not imply causation; it is a coincidence.
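The anonymised Pwned Passwords check described in this answer and in the Pwned Passwords answers above, written here as an added example (not code from the HIBP FAQ or from HIBP itself): the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent to the range API (its k-anonymity model), and the returned suffixes are compared on the client. The range response below is a constructed sample rather than a live fetch, and the counts in it are made up.

```python
import hashlib

# Constructed stand-in for the body of a Pwned Passwords range response
# (GET https://api.pwnedpasswords.com/range/5BAA6). Each line is
# "<35 hex chars of SHA-1 suffix>:<count>". The middle suffix really is
# SHA-1("password") minus its 5-char prefix; counts and other suffixes are made up.
SAMPLE_RANGE_RESPONSE = """\
00112233445566778899AABBCCDDEEFF001:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFEEDDCCBBAA99887766554433221100FFE:0
"""

PREFIX_LEN = 5  # only this many hex characters of the hash ever leave the client


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (prefix, suffix); only the prefix is sent to the API."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict:
    """Map each returned 35-char suffix to its breach count.

    Count-0 lines are padding (the API can add them on request to hide the
    true size of a range) and are dropped, as are malformed lines.
    """
    seen = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            continue
        if int(count) > 0:
            seen[suffix.upper()] = int(count)
    return seen


def pwned_count(password: str, range_body: str) -> int:
    """Times the password was seen in breaches (0 = not in this range).

    The suffix comparison happens on the client, so the server only ever
    learns a 5-char prefix shared by many unrelated hashes.
    """
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)
```

In a real client, the body passed to `pwned_count` is whatever the range endpoint for the computed prefix returned; the password and its full hash never leave the machine.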

There is a lot of detail here, where can I get more information?

The design and build of this project have been extensively documented on troyhunt.com under the Have I Been Pwned tag. These blog posts explain much of the reasoning behind the various features and how they have been implemented on Microsoft’s Azure cloud platform.
