12/10/2016 Have I been pwned?

FAQs
Need to know something about Have I been pwned? (HIBP)

What is a "breach" and where has the data come from?
A "breach" is an incident where a hacker illegally obtains data from a vulnerable system, usually by exploiting weaknesses in the software. All the data in the site comes from website breaches which have been made publicly available.

Are user passwords stored in this site?
No. The intention of the site is to map email addresses and usernames to data breaches and storing the passwords here would do nothing to achieve that end.

Is a list of everyone's email address or username available?
The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature (/DomainSearch) but only after successfully verifying that the person performing the search is authorised to access assets on the domain.

What about breaches where passwords aren't leaked?
Occasionally, a breach will be added to the system which doesn't include credentials for an online service. This may occur when data about individuals is leaked and it may not include a username and password. However this data still has a privacy impact; it is data that those impacted would not reasonably expect to be publicly released and as such they have a vested interest in having the ability to be notified of this.

How is a breach verified as legitimate?
There are often "breaches" announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:
1. Has the impacted service publicly acknowledged the breach?
2. Does the data in the breach turn up in a Google search (i.e. it's just copied from another source)?
3. Is the structure of the data consistent with what you'd expect to see in a breach?
4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
5. Do the attackers have a track record of either reliably releasing breaches or falsifying them?

What is a "paste" and why include it on this site?
A "paste" is information that has been "pasted" to a publicly facing website designed to share content such as Pastebin (http://pastebin.com). These services are favoured by hackers due to the ease of anonymously sharing information and they're frequently the first place a breach appears.
HIBP searches through pastes that are broadcast by the @dumpmon (https://twitter.com/dumpmon) Twitter account and reported as having emails that are a potential indicator of a breach. Finding an email address in a paste does not immediately mean it has been disclosed as the result of a breach. Review the paste and determine if your account has been compromised then take appropriate action such as changing passwords.

My email was reported as appearing in a paste but the paste now can't be found
Pastes are often transient; they appear briefly and are then removed. HIBP usually indexes a new paste within 40 seconds of it appearing and stores the email addresses that appeared in the paste along with some metadata such as the date, title and author (if they exist). The paste itself is not stored and cannot be displayed if it no longer exists at the source.

My email was not found; does that mean I haven't been pwned?
Whilst HIBP is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches even go entirely undetected. "Absence of evidence is not evidence of absence" or in other words, just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach.

How is the data stored?
The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on. If you're interested in the details, it's all described in Working with 154 million records on Azure Table Storage - the story of "Have I been pwned?" (http://www.troyhunt.com/2013/12/working-with-154-million-records-on.html)

Is anything logged when people search for an account?
Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics and New Relic (http://newrelic.com) performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.

Why do I see my username as breached on a service I never signed up to?
When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.

Does the notification service store email addresses?
Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.

How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.

Is it possible to "deep link" directly to the search for an account?
Sure, you can construct a link so that the search for a particular account happens automatically when it's loaded, just pass the name after the "account" path. Here's an example (/account/test@example.com):

https://haveibeenpwned.com/account/test@example.com

What is a "sensitive breach"?
HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched.
A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system (/NotifyMe) which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.
There are presently 13 sensitive breaches in the system including Adult FriendFinder, Ashley Madison, BeautifulPeople, Brazzers, Fling, Fridae, Fur Affinity, Mate1.com, Muslim Match, Naughty America, Rosebutt Board, The Fappening and YouPorn.
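The notification service described earlier stores only the address, the subscription date and a random verification token, and the sensitive-breach search just described is gated on the link built from that token. The Python below is an added illustration, not HIBP's own code, of one defensible way to implement that gate: the token comes from a CSPRNG, only its SHA-256 hash is persisted so a leak of the subscriber table does not let anyone follow other people's verification links, the comparison is constant-time, and the public search path withholds sensitive breaches no matter what. The breach directory, the 24-hour link lifetime, the `SAMPLE_NOW` timestamp and all function names are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed breach directory: names, flags and accounts are sample data, not HIBP's.
BREACHES = {
    "example-forum": {"sensitive": False,
                      "accounts": {"alice@example.com", "bob@example.com"}},
    "example-dating-site": {"sensitive": True,
                            "accounts": {"alice@example.com"}},
}

TOKEN_TTL = timedelta(hours=24)  # assumed link lifetime; the FAQ does not state one
SAMPLE_NOW = datetime(2016, 10, 12, tzinfo=timezone.utc)  # constructed clock value


@dataclass
class Subscription:
    """Exactly the three fields the FAQ says are kept for a subscriber."""
    email: str
    subscribed_on: datetime
    token_hash: str  # SHA-256 of the token; the raw token only ever travels in the e-mail


class NotificationService:
    def __init__(self) -> None:
        self._subs: dict[str, Subscription] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def subscribe(self, email: str, now: Optional[datetime] = None) -> str:
        """Record the subscription and return the one-time token for the e-mailed link."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = email.strip().lower()
        self._subs[key] = Subscription(key, now, self._hash(token))
        return token

    def verify(self, email: str, token: str, now: Optional[datetime] = None) -> bool:
        """True only if the token hashes to the stored value and the link is still fresh."""
        now = now or datetime.now(timezone.utc)
        sub = self._subs.get(email.strip().lower())
        if sub is None or now - sub.subscribed_on > TOKEN_TTL:
            return False
        # Constant-time comparison so response timing does not leak matching prefixes.
        return hmac.compare_digest(sub.token_hash, self._hash(token))


def public_search(email: str) -> list[str]:
    """What the unauthenticated search may return: sensitive breaches are withheld."""
    key = email.strip().lower()
    return sorted(name for name, b in BREACHES.items()
                  if key in b["accounts"] and not b["sensitive"])


def verified_search(service: NotificationService, email: str, token: str,
                    now: Optional[datetime] = None) -> Optional[list[str]]:
    """Full result set, sensitive breaches included, only behind a valid verification link."""
    if not service.verify(email, token, now):
        return None  # unknown address, bad token and expired link all look identical to the caller
    key = email.strip().lower()
    return sorted(name for name, b in BREACHES.items() if key in b["accounts"])


if __name__ == "__main__":
    svc = NotificationService()
    tok = svc.subscribe("alice@example.com", now=SAMPLE_NOW)
    print(public_search("alice@example.com"))
    print(verified_search(svc, "alice@example.com", tok, now=SAMPLE_NOW))
```

Because `verified_search` returns the same `None` for an unsubscribed address, a wrong token and an expired link, a caller cannot use the verification endpoint as an oracle for which addresses have subscribed; that is the same property the public search relies on when it withholds sensitive breaches.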

What is a "retired breach"?
After a security incident which results in the disclosure of account data, the breach may be loaded into HIBP where it then sends notifications to impacted subscribers and becomes searchable. In very rare circumstances, that breach may later be permanently removed from HIBP where it is then classed as a "retired breach".
A retired breach is typically one where the data does not appear in other locations on the web, that is it's not being traded or redistributed. Deleting it from HIBP provides those impacted with assurance that their data can no longer be found in any remaining locations. For more background, read Have I been pwned, opting out, VTech and general privacy things (http://www.troyhunt.com/2016/04/have-i-been-pwned-opting-out-vtech-and.html).
There is presently 1 retired breach in the system which is VTech.

What is an "unverified" breach?
Some breaches may be flagged as "unverified". In these cases, it may not have been possible to establish the legitimacy of the breach beyond reasonable doubt. Unverified breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on unverified breaches can be found in the blog post titled Introducing unverified breaches to Have I been pwned (https://www.troyhunt.com/introducing-unverified-breaches-to-have-i-been-pwned).

It's a bit light on detail here, where can I get more info?
The design and build of this project has been extensively documented on troyhunt.com (http://www.troyhunt.com) under the Have I been pwned? tag (http://www.troyhunt.com/search/label/Have%20I%20been%20pwned%3F). These blog posts explain much of the reasoning behind the various features and how they've been implemented on Microsoft's Windows Azure cloud platform.

A troyhunt.com project (http://www.troyhunt.com)