I have been pwned, what do I do now?
We've been fans of Troy Hunt's Have I Been Pwned? for quite a while at Cynch Security and encourage our members to sign up to the free service as part of our Cyber Fitness Platform. If you haven't yet checked your email address in the service, we encourage you to head over there now and do so.
Troy regularly loads large data breaches into haveibeenpwned, so much so that there are now around 8 billion records in his database. The chances that you're not in there are now pretty low, so we felt it would be worth spending some time discussing what it means to have been pwned and what actions you should take if your email address shows up.
What was pwned?
First up, let's briefly discuss where this list came from. Troy goes into more detail in his FAQ, but in essence the list of pwned accounts has been collected from all over the web and shared by cyber criminals to send spam and phishing emails, attack accounts and generally cause havoc for anyone just trying to get on with life online.
These lists can come from many sources. Based on the analysis of Troy and other security researchers, they appear to have been combined from collections that had been shared around in hacker groups for years.
What should I do if my email address was pwned?
As Troy notes in a response to this question on Twitter, "if you've got strong, unique passwords, I wouldn't do anything".
Frankly, if you've got strong, unique passwords, I wouldn't do anything. Plus it would make you exceptional :) — Troy Hunt (@troyhunt) August 30, 2017
For privacy reasons, Troy doesn't save the passwords in these lists, so the service isn't able to tell you whether your specific account or password was compromised. The best course of action, then, is to assume it has been. For anyone who doesn't use strong, unique passwords everywhere, this means you should change your passwords.
Another critically important step is to enable multi-factor authentication (sometimes called 2-factor or 2-step authentication) for your accounts. This requires you to enter an additional code from your phone or another device, often sent as a text message to your phone, and prevents anyone who doesn't have that device from using your account.
What should I do if my business emails were pwned?
As a business owner, there are a few extra things you should be aware of with these data breaches. Firstly, haveibeenpwned provides a way for you to get a list of all the email addresses associated with your domain name that have appeared in a data breach. This can be found in the menu at the top of the page under Domain Search. There are a few steps you may need IT support to help you with, but it's worth going through, and the service will email you if your domain shows up in future data breaches as well. Here's the pwned email accounts report for Cynch:
What's interesting to note here is that there is no Karen at Cynch Security, and this email address doesn't exist. This means that some of the email addresses are completely made up. Others have found the same thing for their domains, and there is a good chance that if you run a domain search for your business you will find something similar.
So while it's likely you'll find email addresses from your domain on this list, there's a good chance spam sent to them won't actually go anywhere. If you do find valid email addresses, though, the same recommendation to change your passwords applies. We know how daunting this can be for a small business, which is why we created our Cyber Fitness program for small business owners.
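To turn a domain search result into a to-do list, it helps to compare the breached aliases against the mailboxes that actually exist on your domain: real mailboxes need a password reset (and MFA), while made-up ones like the "Karen" above can be set aside. The script below is an added example, not code from Cynch Security or from Have I Been Pwned. The report it works on is constructed for illustration and is only modelled on the alias-to-list-of-breach-names shape that the HIBP v3 domain-search endpoint returns (an assumption; it is not real breach data), and the mailbox directory is likewise made up.

```python
"""Triage a Have I Been Pwned domain-search result against the mailboxes
that really exist on your domain.

Added example (not Cynch Security's or HIBP's code). SAMPLE_REPORT is
CONSTRUCTED for illustration and merely modelled on the
alias -> [breach names] shape of the HIBP v3 domain-search response.
"""
from dataclasses import dataclass, field

DOMAIN = "example.com"  # hypothetical domain

# Constructed sample report: email alias (local part) -> breaches it appeared in.
SAMPLE_REPORT = {
    "alice": ["SampleBreachA", "SampleBreachB"],
    "Bob": ["SampleBreachA"],                # different capitalisation of a real mailbox
    "karen": ["SampleBreachC"],              # no such mailbox, like the Karen in the post
    "info": ["SampleBreachB"],
    "sales+newsletter": ["SampleBreachC"],   # plus-tagged alias of a real mailbox
}

# Constructed directory of mailboxes that actually exist on the domain.
REAL_MAILBOXES = {"alice", "bob", "carol", "info", "sales"}


def canonical_alias(alias: str) -> str:
    """Normalise an alias: lower-case it and strip a '+tag' suffix so that
    'Sales+newsletter' maps onto the 'sales' mailbox."""
    local = alias.strip().lower()
    if "+" in local:
        local = local.split("+", 1)[0]
    return local


@dataclass
class Triage:
    # real mailbox -> breaches it was seen in (password reset required)
    reset_needed: dict[str, list[str]] = field(default_factory=dict)
    # alias with no matching mailbox -> breaches (probably fabricated)
    fabricated: dict[str, list[str]] = field(default_factory=dict)


def triage(report: dict[str, list[str]], mailboxes: set[str]) -> Triage:
    """Split the report into mailboxes needing action and fabricated aliases."""
    result = Triage()
    for alias, breaches in report.items():
        mailbox = canonical_alias(alias)
        if mailbox in mailboxes:
            seen = result.reset_needed.setdefault(mailbox, [])
            for breach in breaches:
                if breach not in seen:      # several aliases may map to one mailbox
                    seen.append(breach)
        else:
            result.fabricated[alias] = list(breaches)
    return result


def action_list(t: Triage, domain: str = DOMAIN) -> list[str]:
    """Render the triage as one line per address, resets first."""
    lines = []
    for mailbox in sorted(t.reset_needed):
        breaches = ", ".join(sorted(t.reset_needed[mailbox]))
        lines.append(f"RESET  {mailbox}@{domain}  (seen in: {breaches}; enable MFA)")
    for alias in sorted(t.fabricated):
        lines.append(f"IGNORE {alias}@{domain}  (no such mailbox; likely fabricated)")
    return lines


if __name__ == "__main__":
    for line in action_list(triage(SAMPLE_REPORT, REAL_MAILBOXES)):
        print(line)
```

Run it with a real export of your domain search and your own mailbox list in place of the constructed values. Aliases are normalised before the comparison because breach lists often carry odd capitalisation or plus-tags that still deliver to a real mailbox; the plain set difference that remains is the list of addresses that spam can be safely sent to without landing anywhere.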
One last thing to be aware of as a business is that these lists are almost certainly in the hands of people other than Troy Hunt, so there's a strong possibility they're being used to send spam or phishing emails to your inbox. Make sure you help your staff stay aware of these types of threats, and consider discussing email security options with your IT support team the next chance you get.
If you have any questions about this threat, would like some help running a domain search, or would like help with the security of your small business, consider checking out our 6-week Cyber Boot Camp program, where we can step you through everything in less than 20 minutes a week.