As information technologies becoming more efficient and convenient, our personal information is starting to deeply associate with the internet and service databases. Security risks among information breaches are continuously increasing over the years shifting our identities toward the danger of breach and exploit.
There are online services that will help check if an email address or password is involved in any of the breached incidents in the record. By using these services one can measure the safety status of an account and apply measures if necessary.
We will introduce 6 free online services to check if personal information is hacked, and proper measures to take in case of risk.
Have I Been Pwned
Have I Been Pwned is a free web service that lets you check if your personal information is leaked by providing your email address. The service has been running since 2013 and known to have the best site to track identity breaches.
As for March 2020, Users can reference over 9.5 billion leaked accounts and 435 breached website information stored in their database to find any personal identity leakage and incidents associated with an email address. Various victim information profiles can be confirmed here including the date and time of the leakage, username, password, date of birth, and phone number.
Leaked email addresses and passwords are usually traded on the dark web and hacker forums to be used for criminal activities. There are exploit tools designed to automatically test the validity of the username and password against common social network sites, financial services, and online shopping accounts.
In case you found out that your personal information is leaked through Have I Been Pwned, make sure to take a measure by changing the password or informing the service provider about the incident.
How to Use Have I Been Pwned
The usage of Have I Been Pwned is very simple. Access the web service page from the following link and enter your email address.
If your email address is safe and not breached, Great! "Good news -- no pwnage found!" message will appear with a green background. You can check as many emails as you want.
Otherwise, if your email address matches any of the breached incidents, the message "Oh no -- pwned!" will alert the user.
Incident Details Associated to the Breach
Have I Been Pwned does not only inform if your account is hacked or not, but also the incident details associated with the breach.
Below the alert, you will find the source services and files associated with the leaked email, background details of the incident, date and time of the occurrence, number of affected accounts, and types of data that was exposed.
In this case, we found 269 sites that involved the incident of breaches. For example, the description shows that Dropbox was the cause of data breach in 2012 leaking email addresses and passwords. There are many other global organizations listed by the service, including Adobe,
Mastercard, Linkedln, and hundreds more.
Pwned Passwords is a service presented by the same organization that runs the Have I Been Pwned service. Instead of checking breach incidents associated with an email address, Pwned Passwords will specifically check if your password is exposed by a data breach incident. Service will reference over 550 million passwords to check for any record of password usage.
How to Use Pwned Password
Similarly to the usage of Have I Been Pwned, access the web service by clicking the following link and enter your password.
If no password leak was found, the message "Good news -- no pwnage found!" will appear indicating that your password is safe.
For breached password, the "Oh no -- pwned!" message will display. We experiment with the worst password of the history "123456" resulting in more than 23.5 million cases, showing how dangerous it can be using a simple password.
Mozilla development team created an awesome service called Firefox Monitor that will scan recorded breach events related to an email. They have over 13 years of collected breach data to analyze.
Visit the Firefox Monitor website by clicking the below link.
Enter your email address and click the Check for Breaches button to start the analysis.
Any detected breach incidents will display with incident details. Breached data types such as password and email address, date of a breach event, and associated service domain can be viewed.
The service is a bi-product of the Firefox browser feature which will alert users when a breach incident is detected associated with the email address and visited website. Their security concerns have improved with care toward digital identity protection.
Norton LifeLock Breach Detection
Norton LifeLock provides a web service for users to check identity threats based on an email address. Although the number of account records used to reference threat incidents is unclear, we all know that Norton has a massive threat database that we can rely on.
The Norton Breach Detection interface is quite simple. Open the following link and type in your email address.
An email with a clean record will display "No breached info found".
Unsecure emails associated with any breach will show basic breach information including the number of breach occasions, date of the incidents, and types of information involved in a breach.
BreachAlarm is an email breach check web service where you can find out if your email is safe or not. Over 150 million accounts were compromised within a year by BreachAlarm adding to their total of 993 million accounts in records.
While the email check service is completely free, there are also advanced features available in paid version to proactively alert users if any incident associated with the given email gets reported.
Access the BreachAlarm site by clicking the following link and enter your email address. A dialog may appear to confirm you are not a robot or an exploit tool.
If no breach was detected, your email address is safe!
In case an associated breach was found, an alert will appear with the number of compromise occasions and the latest date of the incident. Make sure to update your email as soon as possible.
While other services mainly focus on email address checks, DeHashed allows users to see if other profiles appear on their records of the hacked account list. Profile types that can be scanned include email address, username, password, IP address, real name, home address, phone number, and more.
The service has collected over 12.3 billion hacked digital assets in records to be referenced for any person or organization compromise checks.
Go to the DeHashed website and enter information that you want to search for breach. The type of information (i.e. email, password, phone number) can be specified by toggling the buttons under the input box.
For non-exploit search terms, the "No document matches the specified search terms" message will show.
If the searched term is involved in some exploit, a list of dump domain will be presented to let users further investigate.
Because BeHashed looks through a variety of digital asset types, the result may be looser than other services. We recommend performing a deeper check if you receive any exploit match.
What to Do If Personal Information is Breached
If you encounter any personal information breach alert while using the web services introduced in this article, or confirmed identity exploits through any other method, apply proper measures by the following methods.
Change Password Associated to the Breached Email
First thing first is to change the password used to login with the email. This is an important step even for the case of abandoning the email as hackers may keep using them for criminal purposes.
Go through each service that breach was detected and change the password one by one. Never use the same password twice as it will increase the risk especially for accounts that were already hacked.
Finally change the password used to login to the email provider, such as Gmail, Protonmail, Outlook. This step is to prevent further exploitation in case the hacker has access to the email account itself.
Delete Breached Service Account
Using a hacked account is the worst idea even with a new password. This is because the email or username used to login to the account may be already listed on the hackers' hack list.
There is a much higher chance for attackers to target accounts that are once hacked. In worst cases, an account might be manipulated in a deeper layer by malicious recovery email or security answers.
As for an additional measure, we recommend informing the service provider about the incident so that they can blacklist the account to monitor any unauthorized access to the account.
Replace Your Email Address
If your email address got breached, we recommend you create a new email address and destroy the breached address for safety purposes. Hacked email address is not safe in many ways as it may trace the original owner for more harms, exploited by multiple attackers, or involved in criminal activities.
Use a different password when creating the new email address in case the new email address gets traced to the user profile. This is especially common for social media accounts where user identity is open and remains the same.
Don't forget to update existing online accounts that are associated with the email, especially anything related to finance and social media.
Contact Finance or Online Service Providers
In case the breached information is related to credit card or web service login credentials, immediately contact the service providers about the incident. It is especially important to take action to prevent any access to your financial accounts.
Communicate with the service providers by requesting an access block and monitor to the breached account.
We introduced a variety of online services that will help us check if our identity is hacked or not.
Our digital identities have become part of our lifestyle. To protect ourselves from unwanted and unexpected harms, it is a good practice to periodically check our personal information are safe.