I have been pwned, what do I do now?
We’re big fans of Troy Hunt's Have I Been Pwned? service. If you haven't yet checked your email address in the service, we strongly recommend heading over there now. We even help our members to sign-up to the free domain monitoring service as part of our Cyber Fitness Program.
Troy regularly loads large data breaches to haveibeenpwned, so much so that there are now around 8.5 Billion records in his database. The chances your email shows up in there is pretty high.
Read on for an explanation of what it means to have your email ‘pwned’ and tips for what you can do about it.
What DOES pwned MEAN?
First up let's briefly discuss where this list comes from. Troy goes into more detail in his FAQ but basically the list of pwned accounts comes from large databases used by the shadier parts of the web to send spam and phishing e-mails, try to break into accounts and generally cause havoc to anyone just trying to get on with their digital lives.
These lists are from all sorts of places and are freely shared with HaveIBeenPwned as a way of letting people know that their details are out there and might be misused.
What should I do if my email address was pwned?
As Troy notes in a response to this question on Twitter, "if you've got strong, unique passwords. I wouldn't do anything".
Frankly, if you've got strong, unique passwords, I wouldn't do anything. Plus it would make you exceptional :)
— Troy Hunt (@troyhunt) August 30, 2017
For privacy reasons, Troy doesn't save the passwords in these lists so the service can’t tell you which one was compromised. The best option then is to assume it has been.
For anyone not using strong and unique passwords everywhere, this means you should change your passwords.
You should also look for ways of enabling Multi-factor Authentication (sometimes called 2-Factor or 2-Step authentication) for your accounts, particularly those really important ones like your email login. Accounts with Multi-factor authentication enabled will ask you for another code sent as a message to or copied from an app on your phone. This extra step, while being a little bit painful for you, makes it much harder for someone to break into your online accounts without also having access to your phone.
What should I do if my business emails were pwned?
As a business owner, there are a few extra things you should be aware of with a pwned email address.
Firstly HaveIBeenPwned? provides a way for you to get a list of all the email addresses from your domain name that have appeared in a data breach. This can be found in the menu at the top of the page under Domain Search. You might need your IT support provider’s help, but it's worth doing and the service will let you know if your domain shows up in the future data breaches as well.
Here's the pwned email accounts report for Cynch:
Have I Been Pwned domain report for cynch.com.au
What's interesting is that there is no Karen at Cynch Security. The email address isn’t real!
Some of the email addresses in these reports will be made up, so don’t be alarmed if you see something similar for your domain.
Interesting feedback: someone found fabricated addresses in the 711m I loaded today AND were getting spam to them https://t.co/yzn29y5q5E
— Troy Hunt (@troyhunt) August 30, 2017
So while it's likely you'll find emails from your domain on this list, there's a chance spam sent to them won't go anywhere. If you do find real email addresses, the same recommendation to change passwords applies. We know how daunting this can be for a small business, which is why we created our Cyber Fitness program for small business owners.
One last thing to be aware of as a business is that these lists are likely in the hands of dodgy people. This means there’s a good chance they’ll be targeted with spam or phishing emails. Help your staff stay aware of these risks and look into your email security options the next chance you get.