I have been pwned, what do I do now?
We've been fans of Troy Hunt's Have I Been Pwned? for quite a while at Cynch Security and encourage our members to sign up to the free service as part of our Password Management for Small Business security pathway. If you haven't yet checked your email address in the service, we encourage you to head over there now and do so. Troy regularly loads large data breaches into haveibeenpwned, but this week's list of 711 million pwned accounts (around the number of people in Europe) is his largest to date, and we felt it would be worth spending some time discussing what it means and what actions you should take if your email address shows up.
What was pwned?
First up let's briefly discuss where this list came from. Troy goes into more detail on his blog but in essence, the list was found on a poorly secured server used by something called the "Onliner Spambot". Spambots are used by cyber criminals to send spam and phishing e-mails to people and they use lists of emails and email passwords to get around filters and other things that would otherwise keep them out of our inboxes.
These lists can come from many sources, and based on the analysis of Troy and other security researchers it appears that this particular list is a collection of others that have been leaked over the years, including last year's LinkedIn data breach. Unfortunately, the fact that the data has come from multiple sources makes it extremely hard to say how accurate it is, which is why this is being treated as a "Spam List" and not a "Verified Data Breach".
What should I do if my email address was pwned by Onliner Spambot?
As Troy notes in a response to this question on Twitter, "if you've got strong, unique passwords, I wouldn't do anything".
Frankly, if you've got strong, unique passwords, I wouldn't do anything. Plus it would make you exceptional :) — Troy Hunt (@troyhunt), August 30, 2017
For privacy reasons, Troy doesn't save the passwords in these lists, so the service isn't able to tell you if your specific account or password was compromised. The best course of action, then, is to assume it has been. For the many people who don't use strong and unique passwords everywhere, this means you should change your passwords.
Another critically important step is to enable multi-factor authentication (sometimes called two-factor or two-step authentication) for your accounts. This requires you to enter an additional code from your phone or another device, often sent as a text message to your phone, and prevents anyone without your phone from using your account.
What should I do if my business emails were pwned by Onliner Spambot?
As a business owner, there are a few extra things you should be aware of with this data breach. Firstly, haveibeenpwned provides a way for you to get a list of all the email addresses associated with your domain name that have appeared in a data breach. This can be found in the menu at the top of the page under Domain Search. There are a few steps you may need IT support to help you with, but it's worth going through, and the service will email you if your domain shows up in future data breaches as well. Here's the pwned email accounts report for cynch.com.au as of today:
What's interesting to note here is that there is no Karen at Cynch Security and this email address doesn't exist. This means that some of the email addresses are completely made up. Others have found the same thing for their domains as well and there is a good chance that if you run a domain search for your business you will find something similar.
So while it's likely you'll find emails from your domain on this list, there's a good chance spam sent to them won't actually go anywhere. If you do find valid email addresses, though, the same recommendation to change your passwords applies. We know how daunting this can be for a small business, which is why we created our Password Management for Small Business security pathway.
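To make that sorting step concrete, here is a small added example (our own illustration, not code from the post or from Have I Been Pwned) that takes a domain-search style report, drops the made-up addresses, and lists the password-change and MFA actions only for mailboxes that really exist. The report format, the addresses and the assumption that "info+tag" delivers to "info" are all constructed for this example.

```python
# Added example (not from the post or from Have I Been Pwned): triage a domain-search
# result so only real mailboxes get the password-change and MFA actions.
# The report shape and every address below are constructed for illustration.

# Local parts seen for the domain, mapped to the lists/breaches each appeared in.
# "Karen" is a made-up alias like the one the post describes.
SAMPLE_REPORT = {
    "adam": ["OnlinerSpambot", "LinkedIn"],
    "Karen": ["OnlinerSpambot"],
    "info+newsletter": ["OnlinerSpambot"],
}

# Mailboxes that really exist at the domain (constructed directory export).
REAL_MAILBOXES = {"adam", "info", "support"}

# Sources HIBP classes as a spam list rather than a verified breach (per the post).
SPAM_LISTS = {"OnlinerSpambot"}


def canonical(local_part):
    """Normalise a local part: lower-case it and strip a '+tag' suffix.
    Assumption: the mail server delivers 'info+tag' to the 'info' mailbox."""
    return local_part.lower().split("+", 1)[0]


def triage(report, real_mailboxes, spam_lists=SPAM_LISTS):
    """Map each real or fabricated mailbox to the actions the post recommends."""
    # Merge sources per canonical mailbox first ("adam" and "Adam+x" are one mailbox).
    merged = {}
    for alias, sources in report.items():
        merged.setdefault(canonical(alias), set()).update(sources)

    result = {}
    for mailbox, sources in merged.items():
        if mailbox not in real_mailboxes:
            # Fabricated address: nothing to reset, spam sent to it goes nowhere.
            result[mailbox] = {"real": False, "actions": []}
            continue
        # Real mailbox: assume the password is compromised, and add MFA.
        actions = ["change password", "enable multi-factor authentication"]
        verified = sorted(sources - spam_lists)
        if verified:
            actions.append("review verified breaches: " + ", ".join(verified))
        result[mailbox] = {"real": True, "actions": actions}
    return result
```

Mailboxes that exist but never appear in the report (like "support" above) are simply absent from the result, so the output is a worklist of addresses the report actually mentions.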
For 50% off the usual $30 cost, use the code:
And one last thing to be aware of as a business is that this list was likely found and downloaded by people other than Troy Hunt, so there's a strong possibility you may start to see more spam hitting your inbox over the coming weeks. Make sure you tell your staff to be extra aware, and consider discussing email security options with your IT support team next chance you get.
If you have any questions about this threat, would like some help running a domain search, or would like help with the security of your small business, leave us a message via the chat bubble in the bottom right of this page and we'll be in touch as soon as possible.