Tag Archives: hacking

‘;–have i been pwned?

I hate spam and I go to great lengths to minimize it. Internet security is also interesting to me, and I think most people just don’t follow good security practices, and aren’t aware of just how awful things are, as in, how inept websites are at securing your data.

Data breaches are rampant and many people don’t appreciate the scale or frequency with which they occur.

Security researcher Troy Hunt maintains ‘;–have i been pwned?, an excellent website that aggregates data from lots of known breaches and makes it easy for you to find your information in said breaches. Of course this aggregate data is only the tip of the iceberg, as most breaches are not known or he has no way to get to the data. In any case, it’s interesting to go see who has your email.

I ran this tool on the domain I use for the majority of my emails to see which ones are there. Remember I use a different email address and a different password for each and every website I sign up for. Results weren’t all that bad. Out of 723 email addresses, “only” 4 were found in the database of pwned websites. The winners are:

  1. Adobe (mine and my brother’s)
    Compromised data: Email addresses, Password hints, Passwords, Usernames
  2. Boxee
    Compromised data: Dates of birth, Email addresses, Geographic location, Historical passwords, Instant messenger identities, IP addresses, Passwords, Private messages, User website URLs, Usernames
  3. Gawker
    Compromised data: Email addresses, Passwords, Usernames

This is quite horrific.

Run your email through their search and post to the comments to see if it was found on any compromised websites. It will be interesting to hear.

Online security

Eva thinks I should use this image in this post. Click on the image for others I could have used.

The many high profile hacks that have occurred recently, like the ones on Sony and Gawker (and those are the ones we know about), have made me think a lot about my online security. We all know what we need to do: use a different strong password, one that cannot be guessed using dictionary attacks, for every single account.

The stakes range from the mildly annoying (someone sending spam from your email account, which can get it deactivated) to the really annoying (damage to your reputation due to inappropriate posts made from your Facebook/Twitter/Google+/whatever account), to the really painful (money stolen from bank accounts, identity theft).

I think password reuse is especially bad: someone gets access to one password database, and they can now try those passwords on many popular websites. It will work. Hackers don’t do this because “I” or “you” are terribly interesting people to hack. They do it because it’s profitable. Spam, Google Bombing, you name it. It happens all the time; just see how many fake emails you get from friends’ email accounts. Just a few weeks ago my friend Rafa had his Skype account compromised and his SkypeOut credit used. It’s real.

Ok, but is there a practical way to have different strong passwords for every service we use? I think there is, and I’ve decided to do it. Follow up post coming.