Massive data breaches make the headlines on a regular basis, and the number of exposed login credentials has risen into the billions.
As a privacy-concerned internet user, you need to know what to do when you have been pwned.
According to the Urban Dictionary, a crowdsourced online dictionary for slang words and phrases, there are two possible origins of the word pwned. According to one theory, pwned originated in an online game called Warcraft, where a map designer misspelled the word owned. The second theory attributes the origin of pwned to a prominent Quake player, who also misspelled the word owned.
Regardless of which of these two possible origins of the word pwned is correct, the term has always loosely meant that someone has been dominated by someone else, first in online video games and later on the internet by hackers.
These days, regular internet users are seldom pwned in the traditional sense of the word. The focus of hackers has shifted to companies storing thousands and sometimes even millions of login credentials. When a company gets pwned, its users are automatically pwned as well.
While companies are under strict obligation to report data breaches in a timely manner, not every company obeys the rules, and those that do sometimes try to downplay the whole situation and make it seem less serious than it really is. That’s why all concerned internet users should familiarize themselves with Have I Been Pwned, a massive online database of pwned passwords and pwned email addresses.
Have I Been Pwned was created in 2013 by Australian security researcher Troy Hunt, who has so far collected over 5,600,000,000 pwned accounts from more than 300 data breaches. “I started to wonder how many people are actually aware of just how broad this web is spreading, and how many places their data is now exposed,” said Hunt. “I want the people to be aware that they probably need to change their password, and they need to look out for unusual credit inquiries.”
On Have I Been Pwned, you can enter your email address, press Enter on your keyboard, and instantly see on how many breached sites it has been used. You can also get notified when future pwnage occurs, and your account is compromised, which means that you won’t ever again have to ask, “Have I been pwned?”
Have I Been Pwned also has a massive database of passwords in plain text that have been at some point exposed in a data breach. Hunt has come up with a clever way to allow internet users to check whether a given password has ever appeared in any breach without compromising their security. You can read more about how Have I Been Pwned protects the privacy of searched passwords here.
1Password, a password manager that provides a place for users to store various passwords, software licenses, and other sensitive information in a virtual vault, integrates with Have I Been Pwned, allowing its users to conveniently check if their passwords have been leaked on the internet. Linux users can install a small utility called Am I Pwned to verify if their passwords have been compromised directly from the command line.
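The privacy-preserving password lookup mentioned above uses a k-anonymity range query: only the first five characters of the password's SHA-1 hash are sent, and the comparison against the returned hash suffixes happens locally. The following is an added example of that client-side check, not code from Have I Been Pwned or from this article; `make_fake_service` and its data are constructed stand-ins for the network call so the example runs offline.

```python
import hashlib

def split_hash(password):
    """Upper-case SHA-1 hex digest split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue  # malformed line, ignore
        if int(count) == 0:
            continue  # padding entry (count 0), not a real breach hit
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Number of times the password appears in breach data (0 = not found).

    fetch_range(prefix) returns the response body for a 5-character prefix.
    The prefix is the only value derived from the password that is sent.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_fake_service(known):
    """Constructed offline stand-in for the range endpoint (assumption).

    A real client would instead GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns (fetch_range, sent), where sent records every prefix requested.
    """
    sent = []
    def fetch_range(prefix):
        sent.append(prefix)
        lines = [f"{s}:{n}" for p, s, n in
                 ((*split_hash(pw), n) for pw, n in known.items()) if p == prefix]
        lines.append("0" * 35 + ":0")  # constructed padding line
        lines.append("F" * 35 + ":3")  # constructed unrelated suffix
        return "\r\n".join(lines)
    return fetch_range, sent

if __name__ == "__main__":
    fetch, sent = make_fake_service({"password": 1234})  # constructed count
    print(breach_count("password", fetch), sent)
```

Because the service only ever sees a five-character prefix shared by many unrelated hashes, it cannot tell which password was being checked.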
“Okay, Have I Been Pwned told me that I’ve been pwned. Now what?” The most important thing if one of your online accounts has been pwned is not to panic. While having your login credentials leaked on the internet can be terribly disconcerting, you need to understand that large-scale data breaches happen all the time, so you have at least some time to act and prevent further damage.
If you get pwned, you need to change your password as soon as possible. You should avoid using a password that has been leaked before, so make sure to consult Have I Been Pwned before you finalize your decision. Security experts advocate the use of long passphrases instead of random strings of letters, numbers, and special characters.
Many sites today support Multi-Factor Authentication (MFA), sometimes called 2-Factor or 2-step authentication, and we highly recommend you take advantage of it whenever possible. With MFA, you will be asked to present two or more pieces of evidence in order to be granted access. Most MFA implementations require users to enter a code from their mobile device or email account.
People who use a unique password for every online account are affected by data breaches much less than people who reuse the same few passwords over and over again. One study from 2013 found that 55 percent of people used the same password for all their accounts.
Since then, very little has changed. “52 percent of the users studied have the same passwords (or very similar and easily hackable ones) for different services,” stated researchers at Virginia Tech University and Dashlane analysts after carrying out one of the largest empirical studies on password reuse and modification patterns.
Of course, it would be impossible to remember dozens of different passwords, which is where password managers like 1Password, LastPass, or Bitwarden come in. Password managers can suggest strong passwords, securely store them in an encrypted vault, and autocomplete them when you want to log in. Even though there are certain security risks associated with them, password managers have again and again proven themselves to be the easiest and safest way to store logins and passwords.
Unfortunately, there’s very little you can do to prevent large-scale data breaches, which is where most pwned emails and pwned passwords come from. However, there’s a lot you can do to strengthen your own personal cybersecurity defenses.
Email is a very common attack vector because it allows malicious hackers to distribute malware with minimal effort and alarmingly great results. Even seasoned computer users who know a lot about cybersecurity sometimes find it difficult to distinguish spam from legitimate emails, and one mistake is all it takes to get pwned.
The good news is that you can effortlessly block unwanted senders and unsubscribe from all unwanted emails with Clean Email, a bulk email cleaner with powerful filters and intelligent algorithms that only analyze email headers and don’t access the actual content of your emails or attachments.
Visiting Have I Been Pwned and discovering that your password has been leaked online and shared by cybercriminals on the dark web is no fun. Fortunately, there are many things you can do to avoid getting pwned, and most of them don’t require any special skills.
Cybercriminals are constantly on the lookout for unsecured applications and devices, and they don’t hesitate to exploit any unpatched vulnerability they come across. To avoid getting pwned, you need to make sure that you’re always up to date.
Even though many applications and devices these days support automatic updates, we recommend you don’t rely on them too much. You can, however, make your life easier by using an update checker like Patch My PC or Software Updates Monitor (SUMO).
Don’t forget to check your IoT devices, such as a wireless security camera, smart door lock, or internet-connected thermostat, because leaving them unpatched would invite cybercriminals to your network.
Finally, make sure your anti-malware solution is working as it should, protecting you against the latest threats. These days, there’s no need to spend hundreds of dollars to enjoy reliable protection against viruses, trojan horses, ransomware, and other cyber threats, so don’t hesitate to use a different anti-malware solution if you’re not satisfied with your current one.
Email messages are a common source of malware and scams, so you need to practice safe email habits whenever you enter your inbox. To start with, pay attention to all messages you receive and think twice before you click on anything. When an email message looks suspicious, the chances are that it really is a scam or malware.
If you’re unsure, answer the following questions:
If you’ve answered “no” to one or more of these questions, we recommend you avoid opening the email message since it’s very likely that it’s not legitimate.
Analyzing each and every email message from an unknown sender you receive can be an extremely time-consuming process, which is why it’s paramount to fight junk emails and prevent them from ever reaching your inbox.
Take advantage of Clean Email’s unsubscribe feature and get rid of all subscriptions you don’t want to receive:
To avoid getting on more subscription lists in the future, consider creating another email address and using it exclusively for online shopping and other activities that are likely to result in subscription emails. Use temporary email services like Guerrilla Mail when registering on websites that don’t seem trustworthy to you.
Multi-factor authentication requires you to present two or more unique pieces of evidence to gain access to your account. The first piece of evidence required is usually a password, which is followed by a temporary authentication code, fingerprint scan, or some other form of identification.
These days, multi-factor authentication is supported by virtually all major email providers, as well as countless websites and applications. With multi-factor authentication activated, a cybercriminal won’t be able to gain access to your account even if they know your password.
The only downside of multi-factor authentication is that it makes login attempts more time consuming, but that’s a small price to pay for significantly improved security.
If you would like to take multi-factor authentication to the next level, consider using a physical security token, such as YubiKey, which is a small hardware device with an encryption key on it. Without this hardware device, nobody can gain access to your account.
The sad truth is that you can’t always avoid getting pwned because the security of your personal information and data is also in the hands of the company on whose servers they are stored. The best thing you can do is accept data breaches as something inevitable and do as much as possible to minimize the fallout.
More specifically, you should generate a unique password for each account you have. This can be easily done with the help of a password manager like Bitwarden. A password manager can safely store your passwords, keep them synchronized across your devices, and automatically fill login fields to save you time.
If you’ve been pwned, you’re certainly not alone. Countless people become the victims of large-scale data breaches every day, and many more get pwned by spammers sending malicious links via email. In this article, we’ve explained how you can find out if you’ve been pwned and the steps you should take to prevent further damage.
Clean Email is built to work from any device and for all email clients, with additional functionalities and support added on a regular basis as new services emerge and new devices become available. One Clean Email subscription covers your mailbox across ALL your devices!