Advice about using websites for checking if your password has been compromised in recent breaches
20 December 2013
A variety of websites have been launched that allow you to check to see if your personal information was included in some of the more significant recent data breaches.
Large-scale data losses, such as the recent Adobe data breach, have left many people unsure about whether their information was lost. As a result, a number of sites have emerged that attempt to preserve your privacy while allowing you to search some of these data sets to see if your information was compromised.
While these are useful and reputable sites, we always advise caution about submitting your personal information to any website. Please see the discussion on privacy below.
The latest of these websites, http://haveibeenpwned.com/, currently searches the available data from six recent high-profile data leaks. It asks you to enter your email address in order to perform the search.
If your search does return positive results, you should take action to change your password for that site, and anywhere else you use that password. See our recent advice on passwords.
There are a growing number of sites offering checking and monitoring services related to breaches, including:
Pwned List, which also offers an alert service that checks new sources of leaked credentials.
More and more companies are experiencing “data leaks”, where their database is copied (stolen) by hackers. In some cases, these are sold on to other criminals, in other cases the information is used by the hackers to break into other online accounts (such as online banking). For some attacks, these databases are simply made public.
Regardless of the hacker’s intentions, if you suspect your account has been compromised, you should take action to change your password for that site and anywhere else you use it, and continue to monitor your accounts.
Websites, such as those listed above, have been developed around the concept of searching leaked databases for stolen credentials, and each requires minimal information from you to perform the search.
Although a username or email address can be considered personal information, you may decide it is appropriate in this case to disclose your username or email address to these sites in order to receive this service.
While sites such as these are well-intentioned, there are also known malicious websites that may attempt to steal your identity using similar means. Malicious websites will usually ask for more information than is needed to perform a check. Some sites will ask for personal information such as your name, address or phone number to perform the search. This information should not be provided and is not needed to perform searches of this nature.
Some malicious sites will even ask you to enter your password to see if it has been stolen.
You should never enter a password into a website other than the one for which it was created. This includes data leak checking websites, phishing websites or any technical website asking for your password. A password is a private piece of information, and the only person who should know your password is you.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.