Popular data-breach tracker Have I Been Pwned is closing in on 10 billion compromised accounts. Just think about that for a minute: ten. billion. accounts. To put that figure in perspective, the Earth has around 7.7 billion people on it. It would be as if every single person on the planet had a compromised Facebook account—and then some.
I took a look at the numbers from Have I Been Pwned’s RSS feed, which I think is even missing a few recent breach announcements, and we’re already up to 71+ million compromised accounts for the year. The biggest breach the site added to its records in 2020 so far was a disaster from Israeli marketing firm Straffic, which exposed a database containing 140GB of personal data (including 49 million unique email addresses, as well as various users’ names, phone numbers, and addresses).
In other words, now is as good a time as any to sign up for Have I Been Pwned. But let’s go over the basics, in case you aren’t convinced.
Getting to know Have I Been Pwned
The site’s creator, Microsoft regional director and infosec maven Troy Hunt, offers a service that’s completely free for you to use. All it requires is your email address; when that address shows up in one of the many data breaches that happen throughout the year, you get a message about it. That message is your cue to tighten up your security on the affected service and, if you’ve been lazy, a warning that the single password you share across many services is now in jeopardy. Change it right away (and please stop using the same password for multiple sites or services).
Don’t trust companies to notify you about data breaches in time
The best part about Have I Been Pwned, as we covered in an earlier version of this article, is that the site sometimes beats companies to the punch with disclosures. When CafePress had its huge data breach back in February of 2019, you would have learned that you were affected from Have I Been Pwned, not CafePress. And even when CafePress did notify its users about a breach, it wasn’t forthcoming: It only told users that they needed to change their passwords without indicating the reason for this seemingly random request.
Signing up for Have I Been Pwned’s notification service is easy. But you don’t even have to use this form if you don’t want to. Tools like Firefox Monitor and 1Password already integrate Have I Been Pwned’s database, so you should also receive notifications that way if your saved logins turn up in a breach. (I prefer a scary email, which ensures I pay attention to the alert, but that’s just me.)
Some security utilities don’t use Have I Been Pwned, and that’s OK
Plenty of other tools don’t use Have I Been Pwned’s information at all, and they’re still useful if you want to know whether your accounts are potentially compromised. Google’s Password Checkup extension comes to mind, though you might not even need it if you save your passwords in the browser itself, which now runs the same check.
There’s also pwdquery, which tells you which of your passwords definitely need to be changed instead of simply alerting you that some service associated with your email address is at risk. If your password manager supports them, you might even be able to find a plugin that checks your accounts against Have I Been Pwned’s database, too.
Avoid scammers looking to prey on your data-security fears
There are also a number of similarly themed sites and extensions you’ll want to avoid. Ghostproject.fr is one such example. While you can certainly use it to see what leaked passwords might be associated with your email address, the site also cajoles you into paying money to unlock the full password itself. In other words, it’s basically telling script kiddies, “give us cash and any email addresses you want, and we’ll tell you that person’s password.”
Admittedly, anyone with modest skills can find a number of breaches that likely contain enough details to log in as you somewhere, assuming you’re still using the same credentials you were using at the time of a breach. And that, above all else, is why a service like Have I Been Pwned is so important: it gives you the best chance of getting ahead of a data disaster, given how easy it is for someone else to beat you to the punch. Lifehacker can’t recommend this service enough, given how valuable a tool it is alongside all the other methods you need to use to stay safe online.
This article was originally published in 2019 by David Murphy and updated on April 9, 2020 by David Murphy. We reworked the entire article to reflect more relevant information about account security and the latest security breaches. This includes changing and modifying screens