After a spate of high-profile data breaches, including those at social networking sites LinkedIn and MySpace, which have affected hundreds of millions of accounts in total, it's important to know whether you've been hacked. Thankfully, there's a quick, free and easy way to see if you're at risk from a number of recent data breaches.
Update Tuesday 6 September: Since publishing this story, there have been other high-profile large-scale hacks, including Dropbox, which recently confirmed it was hacked in 2012 and that email addresses and passwords belonging to more than 68 million accounts have recently been made available for purchase online.
The HaveIBeenPwned? website ('pwned' is geek-speak for 'being defeated'; pronounced 'poned') allows anyone to check if their accounts have been compromised. Breaches at LinkedIn, MySpace, Adobe and Ashley Madison are all included, as is a recently reported breach at Tumblr. Here's how to use it (see Stop Scams for more on staying safe online).
How to check if your account's been hacked
Here's how to check if you've been put at risk:
Go to HaveIBeenPwned? and enter your email address. Use any address you're concerned may have been hacked – for example, the one you usually log in to LinkedIn with.
It'll tell you if your account's been hacked. You'll be shown a list of breaches you were 'pwned' in, with some background info on the hack, plus what data was compromised – eg, email address, password, date of birth, etc.
How does it work? Once data from a breach becomes publicly available online, the site's owner locates it and uploads it to the HaveIBeenPwned? database, where it's made searchable. Passwords and sensitive data aren't stored on the site – only email addresses or usernames, which are used to identify whether a user's account details were stolen.
What about 'sensitive' sites? Results for data breaches at a few 'sensitive' sites, such as infidelity website Ashley Madison, aren't publicly searchable. You can still check if you've been affected, but to do so you'll need to enter your email address and then check your email. This ensures only someone with access to the email address concerned can check if it was listed on that site.
If my details aren't on there does that mean I haven't been hacked? No – the website won't tell you everywhere you may have had data stolen from, so you still need to be vigilant. The site itself acknowledges it only has "a small subset of all the records that have been breached over the years".
Is it legit? We've checked the site out and it's well known by industry experts – the head of Government-backed online safety resource Get Safe Online says it's a "stark reminder to many" of the need to protect yourself online, while it's been featured by the BBC and praised by leading tech sites such as Wired and Vice magazine's Motherboard. HaveIBeenPwned? was set up in 2013 by the Australian web-security specialist Troy Hunt, who has been recognised by Microsoft for his work.
What should I do if my account's been compromised?
If the website shows that your account has been breached, don't panic – but do take action straightaway. Here's what you should do:
- Step 1. Change your passwords – on other sites too. If your details have been stolen from anywhere, reset your password both on that site AND anywhere else that you use the same password. If you can't remember what passwords you've used, your best bet is to change them all. Try a password manager to keep track of them – 1Password has a free version and good ratings – or see Martin's Password help blog.
- Step 2. If your financial details were exposed, check for fraud. If an account of yours with financial details was breached, or any details taken could have been used to access your financial info, check your bank or credit account. If you see anything unusual, contact your bank and Action Fraud online or on 0300 123 2040. Also check your credit file in case anyone's stolen your ID (see our Credit Report guide for how to check for free).
- Step 3. Watch out for spam emails. Some have reported more spam in their inbox this morning, which may be linked to this week's latest data leaks, or caused by separate issues Microsoft has been having with Outlook (and Hotmail) spam filters. Never open spam emails or click on links within them – adjust your filters to try to prevent them (for how to do this, see Gmail or Outlook help).
- Step 4. Don't disclose your data – cold calls/emails may be a scam. If you're contacted by anyone asking you for personal data or passwords (such as for your bank account), it's likely to be a scam. This is always a sensible rule to follow – but it particularly applies in the wake of a data breach, as historically scammers have tried to exploit this kind of incident.
What accounts have been put at risk in the latest round of data leaks?
There have been three high-profile dumps of users' data over the past few weeks:
LinkedIn – In mid-May details of around 117 million users, including email addresses and passwords, were put up for sale. LinkedIn's confirmed this data relates to the breach in 2012, and in total 165 million accounts are thought to have been affected. Passwords of all affected accounts have now been reset, but if you've used the same password elsewhere you could be at risk.
MySpace – MySpace posted on its official blog that data including email addresses, usernames and passwords was taken in June 2013 – it's now confirmed that at least some of this data has been made available online this week. It hasn't confirmed numbers but Motherboard has reported 427 million passwords and 360 million email addresses have been leaked. Passwords have been reset.
Tumblr – Earlier this month Tumblr posted that it had learned that a third party had accessed user email addresses and passwords from early 2013 and said it would be resetting passwords. It hasn't officially confirmed the data has been made more widely available, though HaveIBeenPwned? claims details of over 65 million exposed accounts were published online this week and has added these details to its site.
Here's a list of ten of the biggest breaches included on the site and how many accounts were affected in each:
- MySpace – 359 million
- LinkedIn – 165 million
- Adobe – 152 million
- Tumblr – 65 million
- Fling.com – 41 million
- Ashley Madison – 31 million
- Mate1.com – 27 million
- 000webhost – 14 million
- R2Games – 13 million
- Gamigo – 8 million
Fling.com, Ashley Madison and Mate1.com are all classed as 'sensitive' and so aren't publicly searchable – as above, you'll need to enter your email address then check your email to see if you've been affected.
Note though that you'll only be able to check for hacks for which the data has been made public online and is therefore searchable on the site, so some notable examples – such as TalkTalk's hack from October 2015 – aren't listed.