How to Use 'Have I Been Pwned' to See If Your Data Was Compromised
The site can reveal whether your log-in credentials, financial data, or other details have been stolen or leaked online, and send email alerts about new data breaches
Data breaches have affected most Americans over the past few years, leading to unauthorized access of log-in credentials, financial information, and personal data that can be used by criminals intent on committing fraud.
To tighten up your digital security, it’s important to know which of your accounts have been affected. That’s a task you can accomplish at the free site Have I Been Pwned, a resource that is widely recommended by security experts. (The term “pwn” is hacker jargon for compromising or taking control of a computer or an application.)
Created by Australian web security consultant Troy Hunt, the site analyzes information from hundreds of breaches and millions of compromised accounts, whose data often ends up posted online and traded by criminals. The site lets you enter an email address or a phone number to find out whether it has appeared in any of the data breaches the site tracks. Then you can change your passwords and take other steps to protect yourself.
Consumer Reports has been steering people to Have I Been Pwned for years, and security-savvy consumers may have used it before. However, the site has gradually become more robust, adding features and expanding its records of compromised data. And, unfortunately, data breaches continue to occur. So even if you’ve checked the site before, it’s worth another visit.
What Have I Been Pwned Lets You Do
The site has a number of functions for both one-time users and returning visitors.
Search for Your Information
The primary function of Have I Been Pwned is to tell you whether your information has been compromised. Enter your email address or phone number and you’ll get a list of data breaches tied to those details. The site will also provide information such as when each data breach happened, the name of the affected company, what data was compromised, how the breach was discovered, and how many accounts were involved.
Troy Hunt's Advice on Staying Safe
Have I Been Pwned is a useful resource for finding out when you’ve been affected by a data breach, but it’s best to get ahead of the problem by making your accounts more secure. Two important steps, Hunt says, are enabling multifactor authentication and using a password manager to generate and save strong passwords.
If you do that, you may end up accessing Hunt’s data without actually visiting his site. The password manager 1Password, which costs $3 per month and up, comes with a feature called Watchtower that lets you compare your passwords against a list of compromised passwords maintained by Have I Been Pwned. Then, 1Password will tell you which passwords to change right away.
Data from Have I Been Pwned is also used in browser extensions such as Okta’s PassProtect for Chrome.
Hunt says one of the best uses for Have I Been Pwned is to learn about how much information you’re sharing online. “There’s a little bit of data minimization that almost everybody can practice,” he says. “For example, do you need to give your date of birth to a site that asks for it? What is the value proposition for you as an individual handing out your date of birth?”
If the site doesn’t really need a piece of information to provide you with the service you want, consider withholding it, he says.