Videos
Hello so i know this is stupid since i can just research it and find the answer easily but im currently sick right now and i can barely remember stuff so im making a post just so i can remember and check when im not sick anymore
This is also for both me and my friend and hes a little paranoid so im making a post to also check if its real
So is the real site is the one in the picture and what do i do if it found a data leak? Do i just change password? And how do i check if its a old password? I havent used it so i dont know
Im really paranoid about data breaches and i just really wanna know
This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com
See here:
When you search for an email address
Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
See also the Logging paragraph
And from the FAQ:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.
But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.
But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?
At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.
Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.
See for example, https://1password.com/haveibeenpwned/
As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.
Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.
The following StackExchange post has a response from Troy himself with further clarification on this service: Is "Have I Been Pwned's" Pwned Passwords List really that useful?
Is it safe to use haveibeenpwned.com? Do they store the e-mail/phone number you search? Those who understand back-end processing, please enlighten me on the site.
Due to the recent breach news, a lot of people are checking to see if they were involved. Be careful if searching for haveibeenpwned on certain browsers like duckduckgo. Anywhere from the second to the fifth result is a fake site called havelbeenpwnd.com. It will load the old version of the website and can even link to the new version if navigated on. However, any search leads to a 404 error.
This fake site is actually named: have l(lowercase L) been pwnd(no e here).com. Others suspect it is a data harvesting site at the least. The real site is haveibeenpwned.com. Posting this to potentially help others to avoid this pitfall in privacy.
*Edited for clarity.