Cross Identity: Converged IAM Solutions for Enhanced Security

Official Blog

“Have I Been Pwned?” – What Can you do Next?

If you were just a pawn in a game of chess, then you were probably manipulated by your opponents. This might leave you feeling irritated if you’re not a good sport about it.

But if you ever end up asking yourself, “Have I been Pwned?”, then there is so much more at stake.

What does “have I been Pwned” mean?

The website Have I Been Pwned (haveibeenpwned.com) is a searchable collection of breached accounts. Security expert Troy Hunt created it so that you and I can find out if and when our accounts have been part of a data breach and leaked onto the dark web.

It went live on December 4th, 2013. The Adobe Systems breach of October 2013, which exposed 153 million accounts, was the impetus for the site. It started with information on data breaches from a handful of businesses; the site now holds 8,513,925,254 email addresses that were exposed in data breaches.

Using your email address, you can check whether your account has ever been part of a data breach. If it reports that you are safe for now, you can opt in to the ‘notify me’ option, so that whenever your credentials are leaked you can quickly take the appropriate measures.

A data breach is a matter of ‘when,’ not ‘if’

According to the University of Maryland, a cyber attack happens every 39 seconds. These attacks are not made solely to take financial advantage of an enterprise; the motives span financial, legal, medical and other domains.

If you are an employee, user, consumer, partner, or otherwise associated with a business that was the victim of a data breach, then you must understand how serious it is. You must also know what measures to take to safeguard your accounts after a breach.

A major concern when credentials are leaked is identity theft: a bad actor takes advantage of your personally identifiable information and impersonates you. When identity theft happens, you are at risk of someone using your resources, such as bank accounts, credit scores and health insurance, to their advantage, or of someone carrying out illegal activities under your name so that they get off the hook and you are left to answer for them.

Understanding these repercussions and how dire they can be is essential. You must be aware when your email address has, unfortunately, been leaked, before your accounts are compromised.

A leak of PII does not necessarily mean your account has been compromised; it means the account is now vulnerable. Your email address and passwords are probably for sale somewhere on the web, available for someone to exploit. So there is a window in which the right measures can still prevent that from happening.

The problem is that organizations sometimes take time to report a breach, even though regulations require reporting within a stipulated period. They have to involve law enforcement and prepare the right statement, both of which are time-consuming. More commonly still, organizations take a long time even to realize there has been a breach: according to a study by the Ponemon Institute, the average time to detect a data breach is 197 days. The data breach at Desjardins is a classic example of this situation.

Simply put: from the time a data breach occurs to the time you are notified, it might sometimes already be too late.

Know if you have been pwned sooner rather than later

Have I Been Pwned is currently connected to the Twitter bot Dump Monitor, which automatically adds new data breach details to its database.

Affected accounts are detected from pastes on public-facing websites like Pastebin, which lets users share text online.

Accounts leaked in breaches from several years ago can resurface online, at the will of a hacker who wants to make good money on them.

360 million Myspace accounts from 2009, 164 million LinkedIn accounts from 2012, 65 million Tumblr accounts from 2013, and 40 million accounts from were all put up for sale by a hacker in May 2016. They were quickly added to the Have I Been Pwned website.

Information on leaked accounts is added to the site from such pastes and with the help of the ‘good hackers’, the white hats.

What should you do after you have been pwned?

You can know if your business or your personal accounts have been pwned. Whichever may be the case, ensure you follow these steps as soon as you find out.

Step 1: Change your passwords

You know your credentials have been leaked, and your email address is out there for someone to brute force and possibly access your accounts. So the first thing you should do is change your password.

Ensure that your new password does not already appear in the lists of passwords exposed in previous breaches.
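As an added example (not code from Cross Identity or from the Have I Been Pwned project), here is how such a check can be done without the password ever leaving your machine: the Pwned Passwords API uses a k-anonymity range query, where the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally. The range response embedded below is constructed for the example (the first suffix is the real SHA-1 suffix of the string "password"; the counts and the other two suffixes are made up). `fetch_range` performs the live lookup against the real endpoint and is not needed to run the offline demo.

```python
"""Check a candidate password against a Pwned Passwords range response.

Added example, not Cross Identity's or Have I Been Pwned's own code. Only the
5-character SHA-1 prefix is sent to the service; the 35-character suffix is
compared locally against the returned list, so the password itself (and even
its full hash) never leaves the client.
"""
import hashlib
import urllib.request
from typing import Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real k-anonymity endpoint

# Constructed sample of a range response: one "SUFFIX:COUNT" per line.
# The first suffix is the real SHA-1 suffix of "password"; the count and the
# other two suffixes are invented for this example.
RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str) -> Tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return sha1[:5], sha1[5:]


def count_in_range(sha1: str, range_body: str) -> int:
    """Return how many times the hash appears in a range response, 0 if absent."""
    _, suffix = split_hash(sha1)
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_breach_count(password: str, range_body: str) -> int:
    """Number of times this exact password was seen in breaches per the range body."""
    return count_in_range(sha1_hex(password), range_body)


def is_safe_to_use(password: str, range_body: str) -> bool:
    """A password seen in any breach is rejected outright."""
    return password_breach_count(password, range_body) == 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup: sends only the 5-char prefix. Not used by the offline demo."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "tr0ub4dor&3-example"]:
        print(pw, "->", password_breach_count(pw, RANGE_BODY))
```

To use it live, call `fetch_range(split_hash(sha1_hex(candidate))[0])` and pass the returned text to `count_in_range`; any non-zero count means the password must not be used, no matter how strong it looks.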

Step 2: Change your password habits along with the passwords!

Do you use the same password across your business applications and your personal accounts? We read this basic password hygiene advice all the time, not to reuse passwords, yet more often than not it is the instruction we ignore.

It is necessary that you follow it. Suppose your personal social media account is breached and you duly change that password. What happens if your business accounts still use the same password? For a hacker with bad intentions, it is not too hard to determine where you work, guess your likely work email, and then, voila! You would have single-handedly put your entire organization at risk.

So recall what your password habits are, retrace your steps and rectify them.

Step 3: Check your email

This is obvious but necessary. If someone has got hold of your email address and successfully logged in, there is a high chance they have redirected your sensitive emails. Now imagine the hacker has redirected your bank correspondence: the amount of ammunition they receive is immense.

So check all your mailbox settings, remove any forwarding you did not set up, and recover any account that was diverted.

Step 4: Do a thorough malware check

When someone gets hold of your credentials, they may well have planted malware on your devices through a malicious email. Run a check with a good antivirus and get rid of it.

Step 5: Don’t be too social on your social media

Social media accounts exist to share one's life with others. But sometimes they reveal so much personal information that a hacker can piece it together to get hold of your accounts.

Your social media reveals the name of your pet. Now, is your security question the name of your pet? Do you see how you might be in trouble?

Especially once you find out you have been pwned, do a thorough check of what details about you are available online.

Step 6: Check your bank statements

This one is a long shot but also necessary. If your credentials are leaked and your identity has been stolen, the hacker can abuse your finances. Check that this has not already happened, and if you find suspicious activity, report it immediately.

Step 7: Multifactor authentication, always!

MFA is especially important in an enterprise. If you find your company email IDs have been pwned, make sure you enable multifactor authentication.

This way, whenever a hacker tries to log in, they face multiple layers of authentication, which you can set according to the sensitivity of the application.

Another critical tool is adaptive MFA, also known as context-based MFA, which adds context to every authentication decision.

If employee A always logs in from location X but suddenly requests a login from location Y, adaptive MFA flags the attempt. Depending on the application at risk, either additional authentication factors are required, or the request is blocked altogether until the matter is looked into.
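The location rule above, as an added example that is not Cross Identity's product logic: a small decision function takes a login attempt, the employee's known locations and a hypothetical per-application sensitivity tier, and returns whether to allow the login, require a step-up factor, or block it. The application names, tiers, locations and events are all constructed for the example.

```python
"""Toy adaptive-MFA decision function.

Added example, not Cross Identity's product code. It models the rule in the
text: a login from an unfamiliar location is flagged, and the response
depends on how sensitive the requested application is. Everything below
(apps, tiers, locations, events) is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALLOW, STEP_UP, BLOCK = "ALLOW", "STEP_UP", "BLOCK"

# Hypothetical sensitivity tier per application (assumption for the example).
APP_SENSITIVITY: Dict[str, str] = {
    "intranet-wiki": "low",
    "email": "medium",
    "payroll": "high",
}


@dataclass
class LoginEvent:
    user: str
    location: str            # constructed location label, e.g. "X" or "Y"
    app: str
    mfa_passed: bool = False  # True if a second factor was already presented


@dataclass
class UserProfile:
    known_locations: Set[str] = field(default_factory=set)


def decide(event: LoginEvent, profile: UserProfile) -> str:
    """Return ALLOW, STEP_UP or BLOCK for one login attempt."""
    # Unknown applications are treated as high sensitivity (fail closed).
    sensitivity = APP_SENSITIVITY.get(event.app, "high")
    familiar = event.location in profile.known_locations

    # New location plus a high-value app: hold the request for review.
    if not familiar and sensitivity == "high":
        return BLOCK
    # High-value apps always need a second factor; so does any new location.
    if sensitivity == "high" or not familiar:
        return ALLOW if event.mfa_passed else STEP_UP
    # Familiar location, low/medium app: let it through.
    return ALLOW


def learn_location(event: LoginEvent, profile: UserProfile, decision: str) -> None:
    """Only a login that was actually allowed teaches the profile a new location."""
    if decision == ALLOW:
        profile.known_locations.add(event.location)


def run_scenario() -> List[str]:
    """Employee A has always logged in from X; today attempts arrive from Y."""
    profile = UserProfile(known_locations={"X"})
    events = [
        LoginEvent("A", "X", "intranet-wiki"),          # usual place, low app
        LoginEvent("A", "Y", "intranet-wiki"),          # new place, low app
        LoginEvent("A", "Y", "payroll"),                # new place, high app
        LoginEvent("A", "Y", "email"),                  # new place, medium app
        LoginEvent("A", "Y", "email", mfa_passed=True), # step-up satisfied
        LoginEvent("A", "Y", "payroll"),                # Y now known, high app
    ]
    results = []
    for ev in events:
        decision = decide(ev, profile)
        learn_location(ev, profile, decision)
        results.append(decision)
    return results


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

The design choice worth noting is that a location only becomes "known" after a login that was fully allowed, so an attacker who is stopped at the step-up or block stage does not teach the system to trust their location.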

Better yet, don't wait until you get pwned. Implement an identity management solution with MFA in your organization before anyone breaches your data. As they say, it is better to be safe than sorry.

Or in this case, stay secure, not pwned.
