First Look

Have you been pwned?!

Given the number of serious corporate Web breaches how do you know if you or your users have been pwned? Now there's a Web site that might be able to tell you ...

max headroom broadcast signal intrusion
Credit: Wikipedia
  • TJX Companies Inc., 2007: More than 46 million records
  • National Archive and Records Administration, 2008: 76 million records
  • Heartland Payment Systems, 2009: 130 million records
  • Sony online entertainment services, 2011: 102 million records
  • Evernote, 2013: More than 50 million records compromised
  • Living Social, 2013: More than 50 million records
  • Target Stores, 2013: 110 million records
  • Home Depot, 2014: 56 million payment cards compromised
  • Anthem, 2015: 69 million to 80 million records compromised

That's just a sampling of recent corporate data breaches ...

The frequency of data breaches - events where companies get hacked or otherwise manage to expose customer records that should be kept private - as accelerated over the last few years to the point where it’s become almost, but not quite (yet) a daily occurrence (see the Privacy Rights Clearinghouse Chronology of Data Breaches).

One of the first indications you have a serious security issue, sometimes before a breached organization admits anything has happened, occurs online when hackers pretty often leak the data publicly. If you think this is something you should track (and you really should think that) there’s a service, Have I been pwned?, that watches the commonly used “paste” sites such as Pastebin for evidence of leaked account data.

Founded by Troy Hunt, a Microsoft Most Valuable Professional awardee for Developer Security, blogger, speaker, and consultant, Have I been pwned? allows you to enter your email address to search the personal account gleaned to see if your account might have been compromised. Here’s the output for my email address and, yep, my accounts at Adobe and Forbes were included!

screen shot 2015 03 07 at 10.12.56 pm

You can sign up to get notified whenever your email address is discovered or register for any account in a domain being found (you have to prove you own the domain; methods include accepting email on a service account in your domain, adding a signature file in the root, and creating a DNS TXT record).

Now here’s your problem: Many of your users will also use personal accounts and you really don’t want to have people accessing compromised accounts from inside your highly defended network. In common with most network admins you’ve probably given up the battle to have personal, non-organizational accounts banned from your network so what are your choices? You could tell users to check their account at Have I been pwned? and have them sign up for notifications but given a large enough user base, a significant percentage will fail to do so.

Now, if you can get away with being a little heavy handed, enforce gatewaying via proxies and have the proxies record every email address (but nothing more). Next, add the addresses to a database and once a week (or whatever frequency seems right) run a script that takes each email address and using Have I been pwned?’s API.

The API is simple and its easiest usage is:

If the account,, has been pwned you’ll get an HTTP response of 200 along with the pwning details in the body in JSON format. On the other hand, if the email address hasn’t been compromised, you’ll get a 404 without a body.

Want to do something with the data? Use curl in a batch file:

curl -s -w "%{http_code}\\n" "$1" -o $1.txt

If the file is named the command line will be hibp and what you’ll get back will be either an empty file or the pwned data in the file … I leave it to the reader to, again and perhaps, reformat the data with the likes of jq to parse the JSON data and send an email message to the compromised user.

Services like Have I been pwned?’s are immensely valuable and as the online threat level increases exponentially, proactive threat management and amelioration are all that stand between you, your network, and disaster.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10