Have You Been Pwned? How to Check and What to Do

Massive data breaches make the headlines on a regular basis, and the number of exposed login credentials has risen into the billions.
As a privacy-conscious internet user, you need to know what to do when you have been pwned.

What Does Pwned Mean?

According to the Urban Dictionary, a crowdsourced online dictionary for slang words and phrases, there are two possible origins of the word pwned. According to one theory, pwned originated in an online game called Warcraft, where a map designer misspelled the word owned. The second theory attributes the origin of pwned to a prominent Quake player, who also misspelled the word owned.

Regardless of which of these two possible origins of the word pwned is correct, the term has always loosely meant that someone has been dominated by someone else, first in online video games and later on the internet by hackers.

These days, regular internet users are seldom pwned in the traditional sense of the word. The focus of hackers has shifted to companies storing thousands and sometimes even millions of login credentials. When a company gets pwned, its users are automatically pwned as well.

While companies are under strict obligation to report data breaches in a timely manner, not every company obeys the rules, and those that do sometimes try to downplay the whole situation and make it seem less serious than it really is. That’s why all concerned internet users should familiarize themselves with Have I Been Pwned, a massive online database of pwned passwords and pwned email addresses.

What is Have I Been Pwned?

Have I Been Pwned was created in 2013 by Australian security researcher Troy Hunt, who has so far collected over 5,600,000,000 pwned accounts from more than 300 data breaches. “I started to wonder how many people are actually aware of just how broad this web is spreading, and how many places their data is now exposed,” said Hunt. “I want the people to be aware that they probably need to change their password, and they need to look out for unusual credit inquiries.”

On Have I Been Pwned, you can enter your email address, press Enter on your keyboard, and instantly see on how many breached sites it has been used. You can also get notified when future pwnage occurs and your account is compromised, which means that you won’t ever again have to ask, “Have I been pwned?”

Have I Been Pwned also has a massive database of passwords in plain text that have been at some point exposed in a data breach. Hunt has come up with a clever way to allow internet users to check whether a given password has ever appeared in any breach without compromising their security. You can read more about how Have I Been Pwned protects the privacy of searched passwords here.

1Password, a password manager that provides a place for users to store various passwords, software licenses, and other sensitive information in a virtual vault, integrates with Have I Been Pwned, allowing its users to conveniently check if their passwords have been leaked on the internet. Linux users can install a small utility called Am I Pwned to verify if their passwords have been compromised directly from the command line.

What to Do If You Have Been Pwned?

“Okay, Have I Been Pwned told me that I’ve been pwned. Now what?” The most important thing if one of your online accounts has been pwned is not to panic. While having your login credentials leaked on the internet can be terribly disconcerting, you need to understand that large-scale data breaches happen all the time, so you have at least some time to act and prevent further damage.

Step 1: Change Your Password

If you get pwned, you need to change your password as soon as possible. You should avoid using a password that has been leaked before, so make sure to consult Have I Been Pwned before you finalize your decision. Security experts advocate the use of long passphrases instead of random strings of letters, numbers, and special characters.
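The privacy-preserving password check mentioned in the section on Have I Been Pwned, and the advice above to consult the service before settling on a new password, can be done without ever sending the password itself. The following is an added example written for this article; it is not Clean Email's, 1Password's or Have I Been Pwned's own code. It assumes the public Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>`), which returns one `SUFFIX:COUNT` line per hash sharing that prefix, so only five characters of the hash leave your machine and the comparison happens locally. The sample response body and its counts are constructed for the example; the network call is optional and not needed to run it.

```python
"""Check a candidate password against Have I Been Pwned's Pwned Passwords range API
without sending the password or its full hash anywhere.

Added example for this article; not Clean Email's or HIBP's own code.
"""
import hashlib
from typing import Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split the SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per hash that shares the prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # skip malformed lines instead of failing the whole check
    return counts


def breach_count_from_body(password: str, body: str) -> int:
    """Times the password appears in known breaches according to a range response for its
    prefix; 0 means the suffix was not listed. The comparison is done locally."""
    _, suffix = split_hash(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the range for a 5-char hex prefix from the public API (requires network)."""
    import urllib.request

    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    # Add-Padding asks the service to pad the response with dummy entries (count 0)
    # so response size does not reveal which prefix was queried.
    req = urllib.request.Request(
        url, headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Online variant: query the API for the prefix, then match the suffix locally."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is the real remainder of that hash; the other suffixes and all
# counts are made up for this example.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
0123ABCDEF0123ABCDEF0123ABCDEF01234:1
"""

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    n = breach_count_from_body("password", SAMPLE_RANGE_BODY)
    print(f"prefix sent: {prefix}; 'password' seen {n} times in the sample range")
```

To check a real candidate, call `breach_count("your candidate")`; anything other than 0 means the password has already appeared in a breach and should not be reused. Because only the 5-character prefix is transmitted, the service learns neither the password nor which of the several hundred hashes behind that prefix you were asking about.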

Many sites today support Multi-Factor Authentication (MFA), sometimes called 2-Factor or 2-step authentication, and we highly recommend you take advantage of it whenever possible. With MFA, you will be asked to present two or more pieces of evidence in order to be granted access. Most MFA implementations require users to enter a code from their mobile device or email account.

Step 2: Use a Unique Password for Every Online Account

People who use a unique password for every online account are affected by data breaches much less than people who reuse the same few passwords over and over again. One study from 2013 found that 55 percent of people used the same password for all their accounts.

Since then, very little has changed. “52 percent of the users studied have the same passwords (or very similar and easily hackable ones) for different services,” stated researchers at Virginia Tech University and Dashlane analysts after carrying out one of the largest empirical studies on password reuse and modification patterns.

Of course, it would be impossible to remember dozens of different passwords, which is where password managers like 1Password, LastPass, or Bitwarden come in. Password managers can suggest strong passwords, securely store them in an encrypted vault, and autocomplete them when you want to log in. Even though there are certain security risks associated with them, password managers have again and again proven themselves to be the easiest and safest way to store logins and passwords.

Step 3: Strengthen Your Cybersecurity Defenses

Unfortunately, there’s very little you can do to prevent large-scale data breaches, which is where most pwned emails and pwned passwords come from. However, there’s a lot you can do to strengthen your own personal cybersecurity defenses.

Email is a very common attack vector because it allows malicious hackers to distribute malware with minimal effort and alarming effectiveness. Even seasoned computer users who know a lot about cybersecurity sometimes find it difficult to distinguish spam from legitimate emails, and one mistake is all it takes to get pwned.

The good news is that you can effortlessly block unwanted senders and unsubscribe from all unwanted emails with Clean Email, a bulk email cleaner with powerful filters and intelligent algorithms that only analyze email headers and don’t access the actual content of your emails or attachments.


It takes just a few minutes to get started with Clean Email, and it works with all popular email services, including Gmail, Outlook, and Yahoo.

Conclusion

If you’ve been pwned, you’re certainly not alone. Countless people become the victims of large-scale data breaches every day, and many more get pwned by spammers sending malicious links via email. In this article, we’ve explained how you can find out if you’ve been pwned and the steps you should take to prevent further damage.
