Is the security check website "Have I Been Pwned?" legit?

Post by Sandtrap » Fri Jan 18, 2019 9:08 am

I have recently been told about an email security check website called:
"Have I Been Pwned?"
Is it legitimate?
Thoughts?

Here is a link to Wikipedia talking about the website:
haveibeenpwned (wikipedia link with definition)

I have not included a live link to the website: "Have I been Pwned?" itself in this post.
That can be "Googled".

An excerpt from that Wikipedia link:
Have I Been Pwned? (HIBP, with "Pwned" pronounced like "poned"[2]) is a website that allows internet users to check if their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for internet users wishing to protect their own security and privacy.[3][4] Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

As of November 2017, Have I Been Pwned? receives around sixty thousand daily visitors, the site has over 1.7 million active email subscribers and contains records of over 4.8 billion accounts from over 251 data breaches.[5]

Post by rantk81 » Fri Jan 18, 2019 9:10 am

Yes, it is legit. They provide a great service to the public at large, IMO.


Post by RickBoglehead » Fri Jan 18, 2019 9:17 am

And they're collecting information from you that could be a) hacked in the future or b) could be sold in the future. Read their privacy policy, and note what cookies they try to place on your computer.
Avid user of forums on variety of interests-financial, home brewing, F-150, PHEV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.


Post by Sandtrap » Fri Jan 18, 2019 9:29 am

RickBoglehead wrote (Fri Jan 18, 2019 9:17 am):
> And they're collecting information from you that could be a) hacked in the future or b) could be sold in the future. Read their privacy policy, and note what cookies they try to place on your computer.

This is what I am concerned about.
Thanks.
j :happy

Post by HoosierJim » Fri Jan 18, 2019 9:39 am

Followed Troy Hunt for many years when he worked for a mega-corp then went out on his own. One of the few I trust.


Post by mcraepat9 » Fri Jan 18, 2019 9:42 am

Troy Hunt is one of the good guys. Follow him religiously - I used his website to develop my own personal security protocols. Legit site.
Amateur investors are not cool-headed logicians.


Post by RickBoglehead » Fri Jan 18, 2019 9:52 am



Post by bryanm » Fri Jan 18, 2019 10:11 am

Seems legit to me. Even if his site is hacked itself, I guess I'm not really concerned if someone knows that my email address was checked for security breaches.


Post by 3-20Characters » Fri Jan 18, 2019 10:19 am

1Password uses it for their watchtower feature, IIRC, so I’d say yes, legit.


Post by quantAndHold » Fri Jan 18, 2019 11:09 am

Whether or not Troy Hunt is a good guy (he is), or the site is legit (it is), your email address has little value without any other identifying information. No reason not to use the site.


Post by Rupert » Fri Jan 18, 2019 11:26 am

Funny, my employer's computer systems administrator just sent an email to all our employees today recommending that we regularly check this site. I wonder why it's receiving so much attention all of a sudden? (It's legit, by the way, or our CSA wouldn't be recommending it).


Post by 3-20Characters » Fri Jan 18, 2019 12:05 pm

Rupert wrote (Fri Jan 18, 2019 11:26 am):
> Funny, my employer's computer systems administrator just sent an email to all our employees today recommending that we regularly check this site. I wonder why it's receiving so much attention all of a sudden? (It's legit, by the way, or our CSA wouldn't be recommending it).

It’s been mentioned here a few times before and has been on my radar for a while due to 1Password using it. Not sure why it’s coming up more lately (if in fact it is).


Post by JBTX » Fri Jan 18, 2019 12:06 pm

You can now go to one of the apps and put in a password, and it will tell you if that password is on any of the compromised lists. It doesn't associate the password with your email, it just tells you if that password is on the list with anyone.

For instance, if you type in "password" I suspect it will give you many hits.

Obviously, if you use this, you need to have a fair amount of trust that this info isn't being collected.

https://haveibeenpwned.com/Passwords

It is actually kind of fun to see how many times certain passwords have popped up on the list,

like "password" - Oh no — pwned!
This password has been seen 3,645,804 times before

"123456" - Oh no — pwned!
This password has been seen 23,174,662 times before
Last edited by JBTX on Fri Jan 18, 2019 12:09 pm, edited 1 time in total.
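
On the trust question raised in the post above: the Pwned Passwords service offers a range lookup in which the password is hashed locally with SHA-1 and only the first five hex characters of the hash are sent; the service returns every suffix sharing that prefix, and the match is done on the client. The following is an added example, not part of the thread and not HIBP's own code; `fake_fetch_range`, `SENT` and the sample response are constructed stand-ins so it runs offline.

```python
import hashlib

def split_hash(password):
    """Hash locally; return (5-char prefix to send, 35-char suffix kept private)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Find our suffix among the 'SUFFIX:COUNT' lines returned for the prefix."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # not in this data set; says nothing about leaks it does not hold

def check(password, fetch_range):
    """fetch_range(prefix) -> response text; it is the only network-facing step."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))

# --- constructed stand-ins so the example runs offline (assumptions) ---
SENT = []  # records everything that would have left the machine
SAMPLE_RANGE = "\n".join([
    "0" * 35 + ":3",                                # constructed filler entry
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804",  # "password", count as quoted in the thread
    "F" * 35 + ":12",                               # constructed filler entry
])

def fake_fetch_range(prefix):
    """Hypothetical replacement for the HTTPS request to the range lookup.
    Returns the same constructed body for any prefix."""
    SENT.append(prefix)
    return SAMPLE_RANGE

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", check(pw, fake_fetch_range), "times")
    print("sent to the service:", SENT)
```

Neither the password nor its full hash appears in `SENT`; the service only learns a five-character prefix shared by many unrelated hashes.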


Post by JBTX » Fri Jan 18, 2019 12:07 pm

3-20Characters wrote (Fri Jan 18, 2019 12:05 pm):
> Rupert wrote (Fri Jan 18, 2019 11:26 am):
>> Funny, my employer's computer systems administrator just sent an email to all our employees today recommending that we regularly check this site. I wonder why it's receiving so much attention all of a sudden? (It's legit, by the way, or our CSA wouldn't be recommending it).
>
> It’s been mentioned here a few times before and has been on my radar for a while due to 1Password using it. Not sure why it’s coming up more lately (if in fact it is).

I just got an email notification from it yesterday about being on some massive breach. That is probably what is prompting increased interest.

see post below, that's it
VV
Last edited by JBTX on Fri Jan 18, 2019 12:15 pm, edited 1 time in total.


Post by stats99 » Fri Jan 18, 2019 12:09 pm



Post by KyleAAA » Fri Jan 18, 2019 12:19 pm

Yes, although they don't have every exploit in their database. They tend to just have the major ones reported on in the news.


Post by Pancakes-Eggs-Bacon » Fri Jan 18, 2019 1:54 pm

Big fan of Troy Hunt and his blog and the HaveIBeenPwned website. Yes, it is legitimate.


Post by RetiredArtist » Fri Jan 18, 2019 2:00 pm

From Mozilla Blog:
Here’s how Firefox Monitor helps you learn if you’ve been part of a data breach
Step 1 – Visit monitor.firefox.com to see if your email has been part of a data breach

Visit monitor.firefox.com and type in your email address. Through our partnership with Troy Hunt’s “Have I Been Pwned,” your email address will be scanned against a database that serves as a library of data breaches. We’ll let you know if your email address and/or personal info was involved in a publicly known past data breach. Once you know where your email address was compromised you should change your password and any other place where you’ve used that password.


Post by SpaethCo » Fri Jan 18, 2019 2:53 pm

JBTX wrote (Fri Jan 18, 2019 12:06 pm):
> It is actually kind of fun to see how many times certain passwords have popped up on the list,
>
> like "password" - Oh no — pwned!
> This password has been seen 3,645,804 times before
>
> "123456" - Oh no — pwned!
> This password has been seen 23,174,662 times before

This is the most fascinating aspect of having leaked credentials from so many data breaches to work with; people are overwhelmingly terrible with passwords.

When put into context, it’s almost amazing that account takeovers don’t happen with greater frequency than they do today.


Post by JBTX » Fri Jan 18, 2019 3:02 pm

SpaethCo wrote (Fri Jan 18, 2019 2:53 pm):
> JBTX wrote (Fri Jan 18, 2019 12:06 pm):
>> It is actually kind of fun to see how many times certain passwords have popped up on the list,
>>
>> like "password" - Oh no — pwned!
>> This password has been seen 3,645,804 times before
>>
>> "123456" - Oh no — pwned!
>> This password has been seen 23,174,662 times before
>
> This is the most fascinating aspect of having leaked credentials from so many data breaches to work with; people are overwhelmingly terrible with passwords.
>
> When put into context, it’s almost amazing that account takeovers don’t happen with greater frequency than they do today.

It was actually a little bit relieving to me. I have been getting the "you've been pwned" alerts for years, but I was able to figure out that one version of a very basic password was out there a lot, that I used decades ago, and another password that is still pretty basic, and I haven't used in decades, but has numbers and letters was only out there 1 time. Other variations weren't on the list (which means they could be out there, they just aren't on the list).

It does reiterate that it probably would be a good idea to change my email address on some of my more critical financial accounts.


Post by SpaethCo » Fri Jan 18, 2019 3:29 pm

JBTX wrote (Fri Jan 18, 2019 3:02 pm):
> It does reiterate that it probably would be a good idea to change my email address on some of my more critical financial accounts.

I don’t think changing your email address is as important as making sure whatever email service you use is secure. Cable / DSL ISPs are terrible with email security (call them up and say “I forgot my password” and see how disturbingly easy it is to get back in), and leaks like those defined on haveibeenpwned.com show you might still be at risk. Gmail, while offering leading security in most aspects, still has a glaring issue that when you request a password reset one of the verification options is “what’s the last password you remember using?”

Email security is particularly important, because it’s the gateway to resetting access to pretty much all your other online accounts.

https://krebsonsecurity.com/2013/06/the ... l-account/


Post by Jeff Albertson » Fri Jan 18, 2019 3:48 pm

LastPass security check will also check all your known email addresses:
The following email addresses are associated with sites in your LastPass vault. The next stage of the test is an optional lookup of the email addresses against known security breaches.
...
If any security breaches are found, details will be emailed directly to the affected email addresses. Please deselect any email addresses that you do not want included, or click cancel to skip the test completely.


Post by bluquark » Fri Jan 18, 2019 6:37 pm

Yes, I trust them because Mozilla has partnered with them. Mozilla is a nonprofit committed to privacy and security so their endorsement is a strong signal it's legit.


Post by KyleAAA » Fri Jan 18, 2019 7:00 pm

Sandtrap wrote (Fri Jan 18, 2019 9:29 am):
> RickBoglehead wrote (Fri Jan 18, 2019 9:17 am):
>> And they're collecting information from you that could be a) hacked in the future or b) could be sold in the future. Read their privacy policy, and note what cookies they try to place on your computer.
>
> This is what I am concerned about.
> Thanks.
> j :happy

Nothing worth being concerned about, since your email is only stored if it has already been leaked. This guy is very well known and respected in the security community.

https://haveibeenpwned.com/Privacy


Post by Sandtrap » Fri Jan 18, 2019 9:29 pm

KyleAAA wrote (Fri Jan 18, 2019 7:00 pm):
> Sandtrap wrote (Fri Jan 18, 2019 9:29 am):
>> RickBoglehead wrote (Fri Jan 18, 2019 9:17 am):
>>> And they're collecting information from you that could be a) hacked in the future or b) could be sold in the future. Read their privacy policy, and note what cookies they try to place on your computer.
>>
>> This is what I am concerned about.
>> Thanks.
>> j :happy
>
> Nothing worth being concerned about, since your email is only stored if it has already been leaked. This guy is very well known and respected in the security community.
>
> https://haveibeenpwned.com/Privacy

Thanks a lot folks.
I used it.
works great.
j :happy

Post by cryptormorf » Fri Jan 18, 2019 10:39 pm

100% legit and a fantastic resource. Troy Hunt (owner) is a very well-regarded security expert, very active in the development community, and recently testified before the US Congress about data breaches. More info if you're interested: https://www.troyhunt.com/heres-what-im- ... -breaches/


Post by nalor511 » Fri Jan 18, 2019 11:42 pm

100% legit, signed up for their service, and get alerts periodically. Great resource.


Post by cantos » Sat Jan 19, 2019 5:55 pm

The 'collection 1' data breach may be the most significant one to date. So you'll hear HIBP more. If you think giving your password to a site is a security problem you need to educate yourself. Change your password and get a pw manager.


Post by inbox788 » Sat Jan 19, 2019 6:35 pm

Sandtrap wrote (Fri Jan 18, 2019 9:29 pm):
> KyleAAA wrote (Fri Jan 18, 2019 7:00 pm):
>> Sandtrap wrote (Fri Jan 18, 2019 9:29 am):
>>> RickBoglehead wrote (Fri Jan 18, 2019 9:17 am):
>>>> And they're collecting information from you that could be a) hacked in the future or b) could be sold in the future. Read their privacy policy, and note what cookies they try to place on your computer.
>>>
>>> This is what I am concerned about.
>>> Thanks.
>>> j :happy
>>
>> Nothing worth being concerned about, since your email is only stored if it has already been leaked. This guy is very well known and respected in the security community.
>>
>> https://haveibeenpwned.com/Privacy
>
> Thanks a lot folks.
> I used it.
> works great.
> j :happy

Use it, don't use it; it doesn't matter. Whatever the results, one shouldn't change their security practices: always be paranoid and assume you've been compromised (or will be). If you're one of the few that the database doesn't turn up something, you still shouldn't be complacent about your online identity or security.

6,474,028,664
pwned accounts
https://haveibeenpwned.com/

Earth/Population
7.53 billion (2017)
https://www.google.com/publicdata/explo ... l=en&dl=en
