I got pwned. Did you?

There’s little sense in hiding behind the fact that, like millions of LinkedIn members, I was alarmed to read that some 117 million passwords were released last month in relation to a 2012 data breach – and less than certain I wasn’t among the users who hadn’t changed their passwords since then.

(Incidentally, the June 6 headlines about Facebook founder Mark Zuckerberg himself being compromised are related to the same breach.)

I first learned about the attack, as I learn so much about the tech industry, on Twitter – which is also where I discovered the existence of “Have I been pwned?”, a free service run by Troy Hunt, a Microsoft channel representative and freelance security expert from Australia who writes articles for online technology training website Pluralsight, and travels around the world running a two-day workshop called “Hack Yourself First” that teaches software developers how to pre-emptively defend themselves against attackers.

“Have I been pwned?” couldn’t be easier to use: Simply enter your email address and the website will let you know if you’ve been the victim of a data breach.

Seconds after entering mine, I learned that not only had my LinkedIn account been compromised, but my Adobe account had been too – and I didn’t even realize I had an Adobe account.

The horror!
The horror!

It turned out that Adobe Systems Inc. was the victim of data breach back in 2013, with hackers stealing the internal ID, username, email, encrypted password, and password hint from 153 million Adobe accounts.

Adobe declined to be interviewed for this story, while LinkedIn forwarded the message it sent to all compromised users (including me).

So what happens next?

Hunt started “Have I been pwned?” soon after the Adobe data breach.

Troy Hunt headshot
“Have I been pwned” owner Troy Hunt started the service to help users control their response to data breaches.

“I’d been doing a lot of analysis across different breaches, and looking at some of the patterns that were emerging,” he explains. “One of the things I found very interesting was that I was seeing the same people appear over and over again, often with re-used credentials… so I thought it would be interesting if people could actually find out just how much had been compromised about them.”

Of course, to give users the ability to search for stolen personal information, Hunt needed to store stolen personal information himself. He takes the responsibility extremely seriously: “Have I been pwned?” saves email addresses on Microsoft’s Azure cloud platform, but nothing else, and compromised users can remove their email addresses from public search results.

“I don’t save any credentials or any other personal entry data,” Hunt says. “In fact, I’m quite certain that one of the things that’s kept me out of hot water with companies and from any potential legal recourse is that… you can’t use ‘Have I been pwned?’ to find your password, or whether your husband is cheating on you, or anything like that.”

Often Hunt will privately contact companies which have been victims of a data breach before publishing the data, noting that in some cases he’s reached companies before the data has been redistributed, which means that depending on the mandatory disclosure laws governing the type of data leaked, the breach can be kept relatively quiet.

“Obviously organizations don’t particularly want to say ‘we’ve been breached,’ but of course when it’s user credentials floating around I’ve got a bit of a moral obligation and, depending on the jurisdiction, a legal obligation to make a public statement about the fact that there’s been a breach,” he says.

Two months ago, for example, Hunt deleted leaked data involving some 4.8 million VTech accounts, because some of it involved children, and few people had access.

“We all agreed – ‘we all’ being everyone from myself to the class-action lawyers to the VTech council to the FBI – I had discussions with all of them, very amicable discussions too… that it’s better for everyone that this data just doesn’t exist,” he says.

Last year, before uploading the infamous Ashley Madison data breach, Hunt decided that ethically it would be indefensible to simply create a searchable database where, essentially, someone could look up whether their partner had attempted to have an affair. Instead he made it so that someone could only see whether they were part of the breach by checking their e-mail.

“A huge amount of effort is put into deciding the ethics of how I run this thing,” he says. “I’m really conscious that, on the one hand, this is data that has been illegally obtained, and some people would say it’s stolen… On the other hand, it’s enormously useful for so many people.”

In fact, donations often seem to go up after an especially high-profile breach, he says.

“Very often I’ll hear is things like, ‘thank you so much for letting me know – LinkedIn never sent me an e-mail to tell me about this,’ or ‘I had no idea that I was exposed in ABC data breach some years ago – this might explain why my accounts keep getting taken over for some reason,'” Hunt says. “So the ethics of it are enormously important, and over time I keep reflecting on them and making tweaks here and there.”

Silence isn’t the answer

There is, of course, another lesson here for the companies involved: when responding to a breach, transparency is key.

No company wants to be hacked, but when personal information has been compromised enterprises should be sending the leaked data to users so they can decide what to do next, Hunt says.

Instead, many a frustrated individual has contacted him after hearing little more than radio silence from corporate victims such as Adobe or LinkedIn.

Many users who recently wrote LinkedIn asking which password was leaked, for example, were told that because their passwords had been changed the company no longer had their old passwords on file, Hunt says. That’s not a helpful answer for victims of the breach.

“I’m increasingly incensed at these organizations that clearly have made some bad security decisions – and granted, they’ve had someone come in and illegally hack into their things, which is never okay – but we’re in this situation where people are understandably concerned and the company that screwed up and lost the data is unwilling to support them when it could.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Eric Emin Wood
Eric Emin Wood
Former editor of ITBusiness.ca turned consultant with public relations firm Porter Novelli. When not writing for the tech industry enjoys photography, movies, travelling, the Oxford comma, and will talk your ear off about animation if you give him an opening.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs