Have YOU Been Pwned?

Has your personal data ever been involved in a data breach? How would you know if it had?

Created in 2013, the ‘Have I Been Pwned’ site makes it easy for internet users to find out if their personal data has ever been compromised by data breaches. The site is effectively a database of 306 million previously hacked email addresses, making it possible for anyone to check the security of their online personal information. The site includes hacked data from household names such as Adobe, LinkedIn and Snapchat, informing victims of past breaches and notifying them if they are ever involved in new ones.


What does ‘Pwned’ mean?

Initially a typo, pwned is a term derived from owned and is used amongst the hacker community to describe the taking over of a third party’s site.

Founded by Australian Security Expert Troy Hunt, HIBP receives around ten thousand visitors each day. It was Adobe’s 2013 data breach that motivated Hunt to build the site, determined to give victims more control over their personal information. With data from over 3.9 billion accounts from 227 data breaches, it’s no surprise the site has over 1 million active email subscribers.


How does the site work?

By entering your email address into HIBP, visitors are given access to a list of all known breaches with data linked to that email address. In the site’s own words a breach is an incident where a site’s data has been illegally accessed and stolen by unauthorised attackers.

Armed with this knowledge, users can subsequently reset their password for the potentially compromised email address, strengthening the security of their online presence.  The site also notifies users as to whether this information has ever been pasted – a term used to describe the sharing of data within the hacker community on a wider scale. Additional information about the breach and the specific type of data involved make HIBP an exceptional resource for helping to keep your personal information secure.



The site’s email subscription feature results in immediate notification should an organisation holding your email address be breached. HIBP ensures victims of data leaks are kept in the loop, often far sooner than the breached company will!


How ‘Pwning’ works

Many of us reuse or use similar variations of the same password across multiple sites. If a password associated with your email address is known by an attacker they can potentially gain access to a considerable amount of personal data at an alarming speed.

For example, if I create an online account at JD’s Tyre company, using my abc123@hotmail.com email address, and because I use the same password for everything, I use my trusty Password1 password (don’t do this!). If JD’s Tyres gets breached and the customer database is stolen, then the attackers will have something similar to this:


Customer      Userid        password      email                 date joined
36346         jdoug007      Password1     abc123@hotmail.com    17-Jul-17


Armed with this, attackers will often try to login to the online email portal, in this case, Hotmail, using the password present in the stolen database – 75% of the time, they’ll be successful.

Once logged into your email account attackers quickly scour through Inboxes for credentials, creating a database of trusted individuals and organisations. To put this in context, a fake invoice or notification of a change to bank account details for payments could be sent by one of these ‘trusted sources’ resulting in a fraudulent transaction and subsequently, theft.


Data breaches are becoming increasingly common, with customers often not being notified by companies for a significant amount of time after the attack. Equifax is one recent example of this, where breach notification didn’t happen until months after the breach was detected.


HaveIBeenPwned.com is a powerful tool for cybersecurity, find out the security of your personal data for yourself by visiting https://haveibeenpwned.com.


Contact First Response:

+44 207 1934905

or email us at: