A “breach” is an incident where data is either accidentally or intentionally exposed in a vulnerable system, usually due to poor security or vulnerabilities in the software. This website uses the free HIBP service to aggregate breaches and enable people to see where their personal data has been exposed.
Wondering How It Works?
When email addresses from a data breach are stored in the HIBP database, no associated passwords are stored with them. Separately from the address search feature, the Check A Password service allows you to check whether an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address), and every password is stored as a SHA-1 hash rather than in plain text (read why SHA-1 was chosen in the Pwned Passwords launch blog post). Note that SHA-1 serves here as a lookup key for passwords that are already public; it is a fast hash and is not a suitable way to store passwords for a live authentication system.
The public search facility cannot return anything other than the results for a single user-provided email address or username at a time.
Occasionally, a breach will be added to the system that doesn’t include login details for an online service. This happens when data about individuals is leaked without a username and password. Such data still has a privacy impact: it is data that those impacted would not expect to be publicly released, and as such they have an interest in being notified of it.
Occasionally there are “breaches” announced by attackers which go on to be exposed as hoaxes. There is a balance between the urgency of making data searchable and performing sufficient research to establish the legitimacy of any breach. The following activities are usually performed in order to validate breach legitimacy:
- Has the impacted service publicly acknowledged the breach?
- Does the data in the breach turn up in a Google search (i.e. it’s just copied from another source)?
- Is the structure of the data consistent with what you’d expect to see in a breach?
- Have the attackers provided sufficient evidence to demonstrate the attack vector?
- Do the attackers have a track record of either reliably releasing breaches or falsifying them?
A “paste” is information that has been “cut & pasted” to a website designed to share content such as Pastebin. These services are favoured by hackers due to the ease of anonymously sharing information and they are frequently the first place a breach appears.
HIBP searches through pastes that are broadcast by the @dumpmon Twitter account and reported as having emails that are a potential indicator of a breach. Finding an email address in a paste does not immediately mean it has been disclosed as the result of a breach. Review the paste, determine whether your account has been compromised, and then take appropriate action such as changing passwords.
Pastes are often transient; they appear briefly and are then removed. HIBP usually indexes a new paste within 40 seconds of it appearing and stores the email addresses that appeared in the paste along with some metadata such as the date, title and author (if they exist). The paste itself is not stored and cannot be displayed if it no longer exists at the source.
Whilst HIBP is kept up to date with as much data as possible, it contains only a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and, furthermore, many breaches even go undetected. Taken from the HIBP website: “Absence of evidence is not evidence of absence” or in other words, just because your email address wasn’t found here doesn’t mean it has not been compromised in another breach.
Nothing is explicitly logged by Fletchers Data Claims or the HIBP website. The only logging of any kind is via Google Analytics and any diagnostic data implicitly collected if an error occurs in the system.
When you search for a username that is not an email address, you may see that name appear against breaches of sites to which you have never subscribed. Usually this is just a matter of someone else using the same username as you. Even when your username appears unique, the simple fact that there are several billion internet users worldwide means there’s a strong probability that most usernames have been used by other individuals at one time or another.
When you search for an email address, you may see that address appear against breaches of sites you don’t recall subscribing to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up. For a more comprehensive overview, see Why am I in a data breach for a site I never signed up to?
You don’t, but it’s not. This site is simply intended to offer the free HIBP service for people to assess risk of their account or credentials being caught up in a breach. As with any website, if you’re concerned about the intent or security, you don’t have to use it.
If you’ve come across a data breach which you’d like to submit, get in touch with Have I Been Pwned. Check out what’s currently loaded on this website or HIBP first if you’re not sure whether the breach is already in the system.
This website enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as “sensitive” and may not be publicly searched.
A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system on HIBP which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.
There are presently 25 sensitive breaches in the system including Adult Friend Finder, Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, CrimeAgency vBulletin Hacks, Fling, Florida Virtual School, Freedom Hosting II, Fridae, Fur Affinity, HongFire, HTH Studios, Mate1.com, Muslim Match, NapsGear, Naughty America, Non Nude Girls, Rosebutt Board and 5 more.
After a security incident which results in the disclosure of account data, the breach may be loaded into the HIBP database, where it then sends notifications to impacted subscribers and becomes searchable. In very rare circumstances, that breach may later be permanently removed from HIBP, at which point it is classed as a “retired breach”.
A retired breach is typically one where the data does not appear elsewhere on the web, inasmuch as it is not being traded or redistributed. Deleting the breach from HIBP provides those impacted with assurance that their data can no longer be found elsewhere. For more background, read Have I Been Pwned, opting out, VTech and general privacy things.
There is presently 1 retired breach in the system which is VTech.
Some breaches may be flagged as “unverified”. In these cases, whilst there is valid data within the alleged breach, it may not have been possible to establish legitimacy beyond doubt. Unverified breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on unverified breaches can be found in the blog post titled Introducing unverified breaches to Have I Been Pwned.
Some breaches may be flagged as “fabricated”. In these cases, it is highly unlikely that the breach contains valid data sourced from the alleged site, but it may still be sold or traded under the guise of being valid. Often these incidents comprise data taken from other locations (or may be entirely falsified), yet still contain actual email addresses unknown to the account holder. Fabricated breaches are still included in the system because, irrespective of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on fabricated breaches can be found in the blog post titled Introducing “fabricated” breaches to Have I Been Pwned.
Occasionally, large volumes of personal data are found being used for the purposes of sending targeted spam emails. This often includes many of the same classes of data frequently found in breaches, such as names, addresses, telephone numbers and dates of birth. The lists are often compiled from multiple sources, frequently by eliciting personal information from people with the promise of a monetary reward. Whilst the data may not have been taken from a breached system, the personal nature of the information and the fact that it is being redistributed in this fashion unknown to the owners warrants inclusion here. Read more about spam lists in HIBP.
Neither this website nor HIBP stores any information about who a password belonged to, only that it has previously been exposed publicly and how many times it has been seen. Such a password should no longer be used: now that it is public, it will be included in the wordlists attackers try when guessing logins, which puts any account still protected by it at higher risk.
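The two passages above (the “How It Works” description of the Check A Password service and the note that only the hash and a count are kept) describe the mechanism from the user’s side. The following is an added example, not code from this website or from HIBP, showing how such a check can be implemented so that neither the password nor its full SHA-1 hash ever leaves the client. It goes one step beyond the text by using the range-query model that HIBP’s Pwned Passwords API offers: the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally. The range response, the suffixes other than the one for `password`, and the counts are constructed for this example so that it runs offline; the function names are this example’s own.

```python
from __future__ import annotations

import hashlib

# Constructed stand-in for a Pwned Passwords range endpoint. The real service
# (GET https://api.pwnedpasswords.com/range/<prefix>) returns every known
# SHA-1 suffix beginning with <prefix>, one "SUFFIX:COUNT" per line. The
# suffixes and counts below are made up for this example, except that
# 1E4C9B93F3F0682250B6CF8331B7EE68FD8 is the genuine SHA-1 tail of "password".
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}

REQUESTED_PREFIXES: list[str] = []  # records exactly what the "service" was sent


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into a 5-char prefix and
    35-char suffix. SHA-1 is a lookup key here, not a storage hash: it is fast
    by design and must never be used to store a live system's passwords."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTP call. Only the 5-character prefix is sent."""
    REQUESTED_PREFIXES.append(prefix)
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map, skipping
    blank or malformed lines rather than failing the whole check."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password has been seen (0 = not found).

    The suffix comparison happens locally, so the service only learns which
    5-character bucket was queried, never the password or its full hash.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 7x!"]:
        n = breach_count(pw)
        verdict = f"seen {n} times, do not use" if n else "not in this data set"
        print(f"{pw!r}: {verdict}")
```

Run it as-is and `password` is reported as seen (with the constructed count), while the second password is not found; `REQUESTED_PREFIXES` shows that only five hex characters were ever handed to the lookup. To use the real service, replace `fetch_range_offline` with an HTTPS GET of the range URL and keep everything else unchanged.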