If you’ve been on the Internet any length of time, you’ve probably stumbled across the term “pwned.” It’s popular in gaming circles; it’s a deliberate typo of the word “owned,” and its use is defined as follows: “Pwn: from the verb own, as meaning to appropriate or to conquer, compromise or control.”
Ringing in the new year, I was reading a TechRepublic.com article that talked about security breaches, identity theft, etc. and this directed me to the website haveibeenpwned.com, which is hosted by security expert and Microsoft MVP Troy Hunt. Troy’s website allows you to enter either an email address or username and it will search against several sources of compromised, leaked accounts. As of this writing, Troy’s site searches eight different sets of emails/accounts that were “pwned” by cybercriminals, and lets you know if you’re on the list. If Troy’s site indicates your email/account has been “pwned,” that’s a warning sign that hackers may know more about you, like your name, phone number, password and more.
Of the eight sources Troy’s site includes, one is the “big one” – over 152 million Adobe accounts were obtained in October 2013. Also included are 4.6 million Snapchat accounts, nearly half a million Yahoo accounts and 37,000 Sony accounts (among others). In the case of the Adobe breach, the data collected included emails, user IDs, encrypted passwords and password hints in plain text, but since the cryptography was poor, the hackers have easily been able to decrypt many passwords.
Sadly for me, two of my email addresses were associated with the Adobe breach, and both used variants of my favorite password.
So why is this such a big deal? Because many (maybe most?) folks reuse their email addresses across many, many sites and many (maybe most?) also reuse the same password over and over again for simplicity.
If hackers were able to decrypt my password, they would essentially have unfettered access to many of my other accounts, including but not limited to Amazon, Newegg, eBay, PayPal, GoDaddy, Apple, Woot, Google, CrashPlan, Home Server Show and yes, even MediaSmartServer.net. Identity thieves could (or would) make my life a living hell with that kind of information.
Needless to say, I’ve spent quite a few hours visiting dozens of sites, updating passwords, challenge questions and enabling two-factor authentication where possible. I’ve also come up with many different passwords, so even if one of my new passwords was compromised at a future date, a cyber-criminal would not be able to inflict anywhere near as much damage.
If you have an Apple ID and Apple devices, make use of the Find My iPhone/iPad/Mac feature, and a cyber-criminal gets into your account, (s)he could remotely wipe ALL of your Apple devices. If you make use of cloud backup services, the cyber-criminal could download copies of all your personal files.
I encourage you to check out Troy’s website https://haveibeenpwned.com and see if any of your accounts/emails are included in the results. If they turn up on Troy’s website, that means a cyber-criminal has a copy of them as well. And that means you should strongly consider updating passwords and other security information on any website where that email/account name is used. It’s far too easy for cyber-criminals to steal your data and your identity. Don’t make it even easier for them.