On December 5th, 2013 Troy Hunt launched a new website, haveibeenpwned.com. This website allows anyone to enter their email address to see if it has been part of a data breach in the past. The vast number of email addresses on file come from the leaks hackers post online after a breach; these can be easily obtained if you know where to look. If you have used an Adobe, LinkedIn or Yahoo account in the past, chances are your email address will be in the database. If it is, the site will show you a red area with an “Oh no” warning, with the name(s) of the companies that exposed your email address listed below it.
The service also allows you to set up a notification that will alert you if your email address is involved in a breach in the future. While most companies will notify their users at some point to inform them about a breach, this can take a bit of time. Usually the leaked data can be found online before a company notifies its customers, so this service can act as an early warning system.
Troy Hunt knows a thing or two about properly securing websites, so his service is secured by HTTPS. Knowing what today’s biggest concerns are for people, he has also added a good FAQ that answered most of the questions I had about the service right away. “Where does the data come from?”, “How is the data stored?”, “Is anything logged?” and “How do I know the site isn’t just harvesting searched email addresses?” are just a few examples. I don’t know Troy personally but I am aware of his reputation, so when his FAQ answers the last question with “You don’t, but it’s not.” I tend to believe it.
Now, your email address is no secret. The number of times your email address has travelled the globe is in the hundreds of thousands (sending, receiving, spam lists, servers exchanging it, etc.), so entering it on this website poses no risk. The data is stored in a Microsoft Azure database, and while a self-hosted SQL database would have been better from a privacy point of view, again, your email address is no secret to anyone, especially not to corporations like Microsoft, Google, etc. The site does use Google Analytics according to the FAQ (though I found no connection attempts blocked to that tracking service) and connects to Google for a few other reasons; if you are concerned about this you can block Google completely and use browser plug-ins like DoNotTrackMe and AdBlock Edge so you can visit the page without having to worry about Google tracking you. Keep in mind that the “Notify me...” feature only works if the site is allowed to connect to Google.
Overall I think it’s a useful service. Finding out that your email address (and therefore most likely your password as well) was involved in a data breach will serve as a reminder to check and change passwords; receiving notifications in the future will be an early warning system at best and a duplicate email sitting beside the notice from the affected company at worst. Head on over, read the FAQ, look around and see if you want to take it for a spin.