Have You Been Pwned?

by Alex Kuretz on January 6, 2014 · 3 comments

in News

The following is a guest post written by Matthew Sawyer (forum member msawyer91) of Dojo North Software, developer of the popular and useful Home Server SMART Add-In for WHS and WHS 2011.

If you’ve been on the Internet any length of time, you’ve probably stumbled across the term “pwned.” It’s popular in gaming circles; it’s a deliberate typo of the word “owned,” and it’s use is defined as follows: “Pwn: from the very own, as meaning to appropriate or to conquer, compromise or control.”

Ringing in the new year, I was reading a TechRepublic.com article that talked about security breaches, identity theft, etc. and this directed me to the website haveibeenpwned.com, which is hosted by security expert and Microsoft MVP Troy Hunt. Troy’s website allows you to enter either an email address or username and it will search against several sources of compromised, leaked accounts. As of this writing, Troy’s site searches eight different sets of emails/accounts that were “pwned” by cybercriminals, and lets you know if you’re on the list. If Troy’s site indicates your email/account has been “pwned,” that’s a warning sign that hackers may know more about you, like your name, phone number, password and more.

Of the eight sources Troy’s site includes, one is the “big one” – over 152 million Adobe accounts were obtained in October, 2013. Also included are 4.6 million Snapchat accounts, nearly half a million Yahoo accounts and 37,000 Sony accounts (among others). In the case of the Adobe breach, the data collected included emails, user IDs, encrypted passwords and password hints in plain text, but since the cryptography was poor, the hackers have been easily able to decrypt many passwords.

Sadly for me, two of my email addresses were associated with the Adobe breach, and both used variants of my favorite password.

So why is this such a big deal? Because many (maybe most?) folks reuse their email addresses across many, many sites and many (maybe most?) also reuse the same password over and over again for simplicity.

If hackers were able to decrypt my password, they would essentially have unfettered access to many of my other accounts, including but not limited to Amazon, Newegg, eBay, PayPal, GoDaddy, Apple, Woot, Google, CrashPlan, Home Server Show and yes, even MediaSmartServer.net. Identity thieves could (or would) make my life living hell with that kind of information.

Needless to say, I’ve spent quite a few hours visiting dozens of sites, updating passwords, challenge questions and enabling two-factor authentication where possible. I’ve also come up with many different passwords, so even if one of my new passwords was compromised at a future date, a cyber-criminal would not be able to inflict anywhere near as much damage.

If you have an Apple ID, Apple devices and make use of the Find My iPhone/iPad/Mac feature, and a cyber-criminal got into your account, (s)he could remotely wipe ALL of your Apple devices. If you make use of cloud backup services, the cyber-criminal could download copies of all your personal files.

I encourage you to check out Troy’s website https://haveibeenpwned.com and see if any of your accounts/emails are included in the results. If they turn up on Troy’s website, that means a cyber-criminal has a copy of them as well. And that means you should strongly consider updating passwords and other security information on any website where that email/account name is used. It’s far too easy for cyber-criminals to steal your data and your identity. Don’t make it even easier for them.


Article by

I'm Alex Kuretz, and I'm the founder of MediaSmartServer.net. I was the Lead Test and Integration Engineer at HP for the MediaSmart Server until April 2008 when I moved on to other opportunities outside HP. I've kept active in the Windows Home Server community, creating several add-ins and helping users make the most of their Home Servers.


{ 3 comments }

Comp1962 January 6, 2014 at 2:35 pm

Thanks for the info and I ran all my email accounts through and knock on wood all test well. Everyone should change their passwords on a regular basis and mix them up and its something I have not done a very good job with but will make it my #1 priority.

Gardian January 16, 2014 at 5:17 am

Great tip, this seems to be a growing problem as we grow our use of the web. Passwords, coming up with a simple way to remember passwords for each site is the trick, but reusing the same one, Oh boy, not good.
A suggestion is use a small base (non word) something you won’t find in a dictionary, then add the first or last 2-3 letters of the site to the front or back and then add the last two or first two digits of someone that is close to you birthday to the front or back and of course there has to be a CAP or a lower case in there. It makes it very easy to remember once you pick your setup and complex enough. The thing that I don’t like is the password reset hint setups, on those I try to pick something that is completely not the real answer. And that paypal account, that should be all by itself password.
To compound things, where I work we are required (by the software we use) to change our password, one software wants a new password every 3 months, another one wants it every 6 months and we have a policy that we are supposed to change them all every 12 months and of course it won’t let you use the old password…
Remember the days when all we had to worry about was crank phone calls, ahhh those were the days. :-) Thx for the reminder Matt, it is to easy to fall into bad habits that can cost you in time and money.

John Pombrio March 17, 2014 at 1:58 am

Alex, I loved this use of the word “pwned” by Stephen Colbert as the RSA conference recently:
“We can trust the NSA because without a doubt it is history’s most powerful, pervasive, sophisticated, unlimited funded surveillance agency ever to be totally pwned by a 29-year-old with a thumb drive.”

Comments are closed, visit the forums to continue the discussion.

Previous post:

Next post: