Scribd Logo
Upload

Welcome to Scribd!

  • Have I Been Pwned - FAQs

    Uploaded by

    ProfLoresio
    69 views5 pages
    What to be pawned means

    Original Title

    Have I Been Pwned_ FAQs

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    What to be pawned means

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    69 views5 pages

    Have I Been Pwned - FAQs

    Uploaded by

    ProfLoresio
    What to be pawned means

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    12/10/2016 Have I been pwned?

    FAQs

    FAQs
    NeedtoknowsomethingaboutHaveIbeenpwned?(HIBP)

    Whatisa"breach"andwherehasthedatacomefrom?
    A"breach"isanincidentwhereahackerillegallyobtainsdatafromavulnerablesystem,
    usuallybyexploitingweaknessesinthesoftware.Allthedatainthesitecomesfrom
    websitebreacheswhichhavebeenmadepubliclyavailable.

    Areuserpasswordsstoredinthissite?
    No.Theintentionofthesiteistomapemailaddressesandusernamestodatabreaches
    andstoringthepasswordsherewoulddonothingtoachievethatend.

    Isalistofeveryone'semailaddressorusernameavailable?
    Thepublicsearchfacilitycannotreturnanythingotherthantheresultsforasingleuser
    providedemailaddressorusernameatatime.Multiplebreachedaccountscanbe
    retrievedbythedomainsearchfeature(/DomainSearch)butonlyaftersuccessfully
    verifyingthatthepersonperformingthesearchisauthorisedtoaccessassetsonthe
    domain.

    Whataboutbreacheswherepasswordsaren'tleaked?
    Occasionally,abreachwillbeaddedtothesystemwhichdoesn'tincludecredentialsforan
    onlineservice.Thismayoccurwhendataaboutindividualsisleakedanditmaynotinclude
    ausernameandpassword.Howeverthisdatastillhasaprivacyimpactitisdatathatthose
    impactedwouldnotreasonablyexpecttobepubliclyreleasedandassuchtheyhavea
    vestedinterestinhavingtheabilitytobenotifiedofthis.

    Howisabreachverifiedaslegitimate?
    Thereareoften"breaches"announcedbyattackerswhichinturnareexposedashoaxes.
    Thereisabalancebetweenmakingdatasearchableearlyandperformingsufficientdue
    diligencetoestablishthelegitimacyofthebreach.Thefollowingactivitiesareusually
    performedinordertovalidatebreachlegitimacy:
    https://haveibeenpwned.com/FAQs#DataSource 1/5
    12/10/2016 Have I been pwned? FAQs

    1.Hastheimpactedservicepubliclyacknowledgedthebreach?
    2.DoesthedatainthebreachturnupinaGooglesearch(i.e.it'sjustcopiedfrom
    anothersource)?
    3.Isthestructureofthedataconsistentwithwhatyou'dexpecttoseeinabreach?
    4.Havetheattackersprovidedsufficientevidencetodemonstratetheattackvector?
    5.Dotheattackershaveatrackrecordofeitherreliablyreleasingbreachesorfalsifying
    them?

    Whatisa"paste"andwhyincludeitonthissite?
    A"paste"isinformationthathasbeen"pasted"toapubliclyfacingwebsitedesignedto
    sharecontentsuchasPastebin(http://pastebin.com).Theseservicesarefavouredby
    hackersduetotheeaseofanonymouslysharinginformationandthey'refrequentlythefirst
    placeabreachappears.
    HIBPsearchesthroughpastesthatarebroadcastbythe@dumpmon
    (https://twitter.com/dumpmon)Twitteraccountandreportedashavingemailsthatarea
    potentialindicatorofabreach.Findinganemailaddressinapastedoesnotimmediately
    meanithasbeendisclosedastheresultofabreach.Reviewthepasteanddetermineif
    youraccounthasbeencompromisedthentakeappropriateactionsuchaschanging
    passwords.

    Myemailwasreportedasappearinginapastebutthepaste
    nowcan'tbefound
    Pastesareoftentransienttheyappearbrieflyandarethenremoved.HIBPusuallyindexes
    anewpastewithin40secondsofitappearingandstorestheemailaddressesthat
    appearedinthepastealongwithsomemetadatasuchasthedate,titleandauthor(ifthey
    exist).Thepasteitselfisnotstoredandcannotbedisplayedifitnolongerexistsatthe
    source.

    MyemailwasnotfounddoesthatmeanIhaven'tbeen
    pwned?
    WhilstHIBPiskeptuptodatewithasmuchdataaspossible,itcontainsbutasmallsubset
    ofalltherecordsthathavebeenbreachedovertheyears.Manybreachesneverresultin
    thepublicreleaseofdataandindeedmanybreachesevengoentirelyundetected.
    "Absenceofevidenceisnotevidenceofabsence"orinotherwords,justbecauseyour
    emailaddresswasn'tfoundheredoesn'tmeanthatishasn'tbeencompromisedinanother
    breach.

    Howisthedatastored?
    https://haveibeenpwned.com/FAQs#DataSource 2/5
    12/10/2016 Have I been pwned? FAQs

    Howisthedatastored?
    ThebreachedaccountssitinWindowsAzuretablestoragewhichcontainsnothingmore
    thantheemailaddressorusernameandalistofsitesitappearedinbreacheson.Ifyou're
    interestedinthedetails,it'salldescribedinWorkingwith154millionrecordsonAzure
    TableStoragethestoryof"HaveIbeenpwned?"
    (http://www.troyhunt.com/2013/12/workingwith154millionrecordson.html)

    Isanythingloggedwhenpeoplesearchforanaccount?
    Nothingisexplicitlyloggedbythewebsite.TheonlyloggingofanykindisviaGoogle
    AnalyticsandNewRelic(http://newrelic.com)performancemonitoringandanydiagnostic
    dataimplicitlycollectedifanexceptionoccursinthesystem.

    WhydoIseemyusernameasbreachedonaserviceInever
    signedupto?
    Whenyousearchforausernamethatisnotanemailaddress,youmayseethatname
    appearagainstbreachesofsitesyouneversignedupto.Usuallythisissimplydueto
    someoneelseelectingtousethesameusernameasyouusuallydo.Evenwhenyour
    usernameappearsveryunique,thesimplefactthatthereareseveralbillioninternetusers
    worldwidemeansthere'sastrongprobabilitythatmostusernameshavebeenusedby
    otherindividualsatonetimeoranother.

    Doesthenotificationservicestoreemailaddresses?
    Yes,ithastoinordertotrackwhotocontactshouldtheybecaughtupinasubsequent
    databreach.Onlytheemailaddress,thedatetheysubscribedonandarandomtokenfor
    verificationisstored.

    HowdoIknowthesiteisn'tjustharvestingsearchedemail
    addresses?
    Youdon't,butit'snot.Thesiteissimplyintendedtobeafreeserviceforpeopletoassess
    riskinrelationtotheiraccountbeingcaughtupinabreach.Aswithanywebsite,ifyou're
    concernedabouttheintentorsecurity,don'tuseit.

    Isitpossibleto"deeplink"directlytothesearchforan
    https://haveibeenpwned.com/FAQs#DataSource 3/5
    12/10/2016 Have I been pwned? FAQs

    Isitpossibleto"deeplink"directlytothesearchforan
    account?
    Sure,youcanconstructalinksothatthesearchforaparticularaccounthappens
    automaticallywhenit'sloaded,justpassthenameafterthe"account"path.Here'san
    example(/account/test@example.com):

    https://haveibeenpwned.com/account/test@example.com

    Whatisa"sensitivebreach"?
    HIBPenablesyoutodiscoverifyouraccountwasexposedinmostofthedatabreachesby
    directlysearchingthesystem.However,certainbreachesareparticularlysensitiveinthat
    someone'spresenceinthebreachmayadverselyimpactthemifothersareabletofindthat
    theywereamemberofthesite.Thesebreachesareclassedas"sensitive"andmaynotbe
    publiclysearched.
    Asensitivedatabreachcanonlybesearchedbytheverifiedowneroftheemailaddress
    beingsearchedfor.Thisisdoneviathenotificationsystem(/NotifyMe)whichinvolves
    sendingaverificationemailtotheaddresswithauniquelink.Whenthatlinkisfollowed,the
    owneroftheaddresswillseealldatabreachesandpastestheyappearin,includingthe
    sensitiveones.
    Therearepresently13sensitivebreachesinthesystemincludingAdultFriendFinder,
    AshleyMadison,BeautifulPeople,Brazzers,Fling,Fridae,FurAffinity,Mate1.com,Muslim
    Match,NaughtyAmerica,RosebuttBoard,TheFappeningandYouPorn.

    Whatisa"retiredbreach"?
    Afterasecurityincidentwhichresultsinthedisclosureofaccountdata,thebreachmaybe
    loadedintoHIBPwhereitthensendsnotificationstoimpactedsubscribersandbecomes
    searchable.Inveryrarecircumstances,thatbreachmaylaterbepermanentlyremovefrom
    HIBPwhereitisthenclassedasa"retiredbreach".
    Aretiredbreachistypicallyonewherethedatadoesnotappearinotherlocationsonthe
    web,thatisit'snotbeingtradedorredistributed.DeletingitfromHIBPprovidesthose
    impactedwithassurancethattheirdatacannolongerbefoundinanyremaininglocations.
    Formorebackground,readHaveIbeenpwned,optingout,VTechandgeneralprivacy
    things(http://www.troyhunt.com/2016/04/haveibeenpwnedoptingoutvtechand.html).
    Thereispresently1retiredbreachinthesystemwhichisVTech.

    Whatisan"unverified"breach?
    https://haveibeenpwned.com/FAQs#DataSource 4/5
    12/10/2016 Have I been pwned? FAQs

    Somebreachesmaybeflaggedas"unverified".Inthesecases,itmaynothavebeen
    possibletoestablishthelegitimacyofthebreachbeyondreasonabledoubt.Unverified
    breachesarestillincludedinthesystembecauseregardlessoftheirlegitimacy,theystill
    containpersonalinformationaboutindividualswhowanttounderstandtheirexposureon
    theweb.Furtherbackgroundonunverifiedbreachescanbefoundintheblogposttitled
    IntroducingunverifiedbreachestoHaveIbeenpwned
    (https://www.troyhunt.com/introducingunverifiedbreachestohaveibeenpwned).

    It'sabitlightondetailhere,wherecanIgetmoreinfo?
    Thedesignandbuildofthisprojecthasbeenextensivelydocumentedontroyhunt.com
    (http://www.troyhunt.com)undertheHaveIbeenpwned?tag
    (http://www.troyhunt.com/search/label/Have%20I%20been%20pwned%3F).Theseblog
    postsexplainmuchofthereasoningbehindthevariousfeaturesandhowthey'vebeen
    implementedonMicrosoft'sWindowsAzurecloudplatform.

    Atroyhunt.comproject(http://www.troyhunt.com)

    (https://www.facebook.com/troyahunt)
    (https://twitter.com/troyhunt)
    (http://www.troyhunt.com/p/contact.html)
    (https://plus.google.com/+TroyHunt)

    https://haveibeenpwned.com/FAQs#DataSource 5/5

    You might also like