You may not realise, but over the years you will have registered with many, many different websites. Some will still be in existence, and others will have gone by the wayside long ago.
Those websites will have been created by developers with a wide range of abilities. Some will have built their websites in a security-conscious way, but many others will not have given security a thought!
Even if they did give thought to it, the coding libraries available to developers over the years have themselves varied in terms of security. Upgrades over the years have brought improvements, but in many cases, those old libraries and methods are still available.
Now imagine you’re a hacker. You’re constantly on the lookout for websites using these old libraries and insecure techniques. Imagine you find one. By typing a few carefully crafted entries into a contact form, for example, you can trick the database behind it into handing over its entire list of usernames and passwords (an attack known as SQL injection). When your details end up in a list like that, you have ‘been pwned’.
One of the mistakes many rookie developers make is to store passwords as plain text – that is, exactly as the user typed them. A properly built site never stores the password itself, only a salted, deliberately slow hash of it, so a stolen database does not give up the passwords directly. (Encrypting them is not the answer either: encryption can be reversed, and the key usually sits on the same server as the database.)
So suddenly, the hacker has a list of potentially thousands of usernames and passwords. They post that, or sell it, somewhere on the ‘dark web’, and more hackers get access to the usernames and passwords.
As mentioned in our previous articles (see ‘I caught a whopper‘ and ‘The password is dead‘), it’s well-known that people tend to re-use the same username and password on multiple websites. You may have used the same password, for example, on LinkedIn, Facebook and Amazon.
So the hacker tries your username and password on Amazon. The password matches… and the hacker can now make purchases on your Amazon account and see your personal data. (Trying leaked credentials on other sites like this is called credential stuffing, and it is automated: a script tries every leaked combination against hundreds of popular sites.)
This personal data may include your credit card or bank account details.
Now the thought of that is really scary.
Let’s just take a moment to let the potential consequences sink in.
“My god” you may say. How can I find out if this has happened to me?
Luckily there are services which monitor these things. One of the most famous is haveibeenpwned.com
Simply enter your email address into the search box, and it will tell you whether that address has appeared in a known data breach, and which breaches it came from. (A clean result only means the address is not in the breaches the service has loaded so far, not that you are safe.)
My address turned up: Adobe Software, Bit.ly, PHP Freaks Forum and several others.
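The same service also lets you check a password itself without ever sending it: your computer hashes the password with SHA-1, sends only the first five characters of the hash, gets back every known breached hash that starts with those characters, and does the final comparison locally. The script below is an added example for this article, not code from the original page or from haveibeenpwned.com. It assumes the documented shape of the Pwned Passwords range API (a GET to https://api.pwnedpasswords.com/range/ followed by the five-character prefix, returning one ‘suffix:count’ line per hash); the sample response data is constructed, apart from the real SHA-1 of the word ‘password’.

```python
"""Check a password against Pwned Passwords without sending the password.

Added example for this article, not code from the original page or from
haveibeenpwned.com. It assumes the documented range API shape:
  GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
returns one "<remaining 35 hex chars>:<count>" line per matching hash.
Only the 5-character prefix leaves your machine (k-anonymity); the suffix
is compared locally.
"""
import hashlib
from typing import Callable, Iterable, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_lines: Iterable[str]) -> int:
    """Return the count recorded for our suffix in a range response, else 0."""
    for line in range_lines:
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], List[str]]) -> int:
    """Hash locally, fetch the range for the prefix, match the suffix locally."""
    prefix, suffix = split_sha1(password)
    return breach_count(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> List[str]:
    """Real lookup over HTTPS (not used by the offline demo below)."""
    import urllib.request

    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8").splitlines()


# Constructed stand-in for a range response. The middle suffix is the real
# SHA-1 suffix of "password"; the counts and the other suffixes are made up.
SAMPLE_RANGES = {
    "5BAA6": [
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ],
}


def fetch_range_sample(prefix: str) -> List[str]:
    """Offline fetcher: an unknown prefix behaves like an empty range."""
    return SAMPLE_RANGES.get(prefix, [])


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch_range_sample)
        verdict = f"seen {n} times in breaches" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

To run it for real, pass fetch_range_live instead of fetch_range_sample. The point of the design is that the full hash, let alone the password, never leaves the machine; the server only ever learns a prefix shared by several hundred other hashes.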
If you do find that you have been pwned, then you should immediately change the passwords for the services listed. As we’ve recommended before, set a secure password, and use a Password Manager.
Here’s a secure password generator that you might find useful: passwordsgenerator.net. If you already use a Password Manager, prefer its built-in generator: the password then never has to pass through a web page at all.
Next, try to identify where you may have used the same username and password combination, and change those as well. Use different, secure passwords each time.
How do I find out where I’ve used the combination before?
Most modern browsers now offer to remember passwords for you. This in itself is slightly dangerous (what if your machine gets hacked into?), and a Password manager will be better. However, you should be able to find a list of all of the usernames and passwords that your browser has stored for you.
To do this in the Google Chrome browser:
- Go to Settings (called Preferences on macOS) and find the ‘Autofill’ section; the exact position in the menu varies between Chrome versions.
- Under that, click ‘Passwords’ (named ‘Google Password Manager’ in newer versions).
- Now, take your compromised username and enter it into the search box at the top right. Press enter, and you should get a list of all of the sites where you’ve used that username.
- Click the ‘eye’ icon next to each to see the password you’ve used (Chrome will ask for your computer’s login password first).
- Make a note of the sites on which you’ve used it, and go to each, log in, and change your password.
Other browsers will have similar methods, though we can’t list them all here.
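Searching by username in the browser only finds sites where you typed the same username; it will not find a different username protected by the same password, which is just as exposed. If your browser or Password Manager can export its saved logins as a CSV file, the script below does the full check. It is an added example for this article, not code from the original page or from Google; it assumes a file in the shape Chrome’s password export produces (columns name, url, username, password), and the rows in it are constructed sample data, not real credentials. Delete any such export as soon as you have used it.

```python
"""Find every account that a leaked username/password combination exposes.

Added example for this article, not code from the original page or from
Google. It assumes a CSV in the shape Chrome's password export produces
(columns name,url,username,password); the rows below are constructed
sample data, not real credentials.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample export. Three sites share one password, three share
# one username, and one account is unique.
SAMPLE_EXPORT = """name,url,username,password
Example Shop,https://shop.example,alice@example.com,Tr0ub4dor&3
Example Forum,https://forum.example,alice@example.com,Tr0ub4dor&3
Example Bank,https://bank.example,alice@example.com,k9#Vq2!pL8mZ
Example Mail,https://mail.example,alice.work@example.com,Tr0ub4dor&3
Example Games,https://games.example,alice_g,unique-Long-Pass-42
"""


def load_export(text: str) -> List[Dict[str, str]]:
    """Parse the export; the csv module handles quoting if a password has a comma."""
    return list(csv.DictReader(io.StringIO(text)))


def sites_for_username(rows: List[Dict[str, str]], username: str) -> List[str]:
    """What the browser's search box gives you: every site using this username."""
    return sorted(r["url"] for r in rows if r["username"].lower() == username.lower())


def reused_password_groups(rows: List[Dict[str, str]]) -> List[List[str]]:
    """Groups of sites that share one password. The passwords themselves are
    never returned or printed, only the site lists."""
    by_password = defaultdict(set)
    for r in rows:
        by_password[r["password"]].add(r["url"])
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def exposed_by_breach(rows: List[Dict[str, str]], breached_url: str) -> List[str]:
    """Sites to rotate after breached_url leaks: anywhere the same username
    OR the same password as the breached entry is in use."""
    breached = [r for r in rows if r["url"] == breached_url]
    exposed = set()
    for b in breached:
        for r in rows:
            if r["url"] == breached_url:
                continue
            same_user = r["username"].lower() == b["username"].lower()
            same_password = r["password"] == b["password"]
            if same_user or same_password:
                exposed.add(r["url"])
    return sorted(exposed)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("alice@example.com is used on:", sites_for_username(rows, "alice@example.com"))
    print("sites sharing a password:", reused_password_groups(rows))
    print("after a breach at shop.example, change:",
          exposed_by_breach(rows, "https://shop.example"))
```

Note that a breach at shop.example pulls in mail.example even though the username there is different, purely because the password is shared; that is the case the username search alone would miss.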
This is the quickest way to minimise the risk of your other accounts getting hacked. Where a service offers it, also turn on two-factor authentication, so that a leaked password on its own is not enough to get in.
Once you’ve done that, we strongly recommend you use a Password Manager in future!
Best of luck!