Website Tells You If Your Password's Been Leaked

Is your personal information among the data from millions of Adobe, Yahoo and Gawker accounts compromised in the past few years?

Now there's an easy way to find out if your information is safe. Have I Been Pwned, a website created by software designer Troy Hunt, aggregates the data of more than 154 million accounts stolen since 2010, and lets you search for your email address among all of them. ("Pwned," which rhymes with "owned," is online slang for "compromised" or "defeated.")

The site doesn't incorporate the 2 million stolen Facebook, Yahoo, Google and Twitter accounts revealed earlier this week, but Hunt plans to add data from future breaches.

MORE: 7 Ways to Lock Down Your Online Privacy

Hunt was able to collect all this information into one site because after each of these five breaches, the culprits posted the stolen information online.

If Have I Been Pwned tells you your email address is among these five sets of data, the first thing you'll need to do is change the passwords on those accounts.

If you used the compromised password anywhere else, you can assume that the hackers — and anyone else who took a look at the publicly leaked data — has access to those other accounts and anything associated with them.

In most cases, having a strong password — 10 or more characters, including numbers, symbols and capital letters — goes a long way toward keeping an account safe.

But if hackers can get access to an unencrypted database of passwords, then even the strongest password is no safer than abysmal but common passwords such as "123456" or  "password."

In Adobe's case, users with a stronger password were a little better off because the data was protected with rudimentary encryption. However, cracking the weaker passwords in Adobe's database may have helped the hackers break the encryption on the stronger passwords, which means anyone whose account was leaked in the Adobe breach is potentially at risk.

A leaked password isn't the only potential danger resulting from a data breach. Many of the breached websites stored their users' email addresses in plaintext — unencrypted and perfectly readable.

MORE: Top 10 Apps for Remembering Your Passwords

If your email address is among the exposed, be extra wary of any unfamiliar or suspicious-looking emails in your inbox. Those messages may be part of a phishing attempt, which is when cybercriminals craft an email that looks legitimate or appealing in order to trick you into clicking a bad link or downloading a malware-infested attachment.

The data breaches at Adobe, Gawker, Yahoo, Stratfor and Sony are among the biggest of the past several years, but they're by no means the only ones. Hunt plans to add other publicly exposed data sets to Have I Been Pwned?, which would make the website more thorough.

"Clearly we haven't seen the last of the data breaches, of that there can be no doubt," wrote Hunt on his blog. "Now that I have a platform on which to build, I'll be able to rapidly integrate future breaches and make them quickly searchable by people who may have been impacted."

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • de5_Roy
    154 million accounts stolen in the past few years?!?!? WOW.
    and that's just since 2010 from select websites.....
  • virtualban
    maybe (conspiracy theory) they are collecting valid e-mail addresses to sell to the highest spam bidder.
  • virtualban
    it would have been more fun if they asked for a password too, just to check, and then to crosscheck because it is a well known fact that people use the same password on different sites :P
  • L0tus
    Been using 14-character passwords in obscure languages for years now. HAHAHAHA! not really, I got hacked.
  • wemakeourfuture
    Doesn't matter how complex your password is. Some companies that have had massive breaches are storing passwords as plain text.
  • Deus Gladiorum
    Holy fuck, my password was stolen through Adobe. Thankfully, I just made sure and it was an older password that I no longer associate with my email address. Jesus, Adobe is god awful....
  • CaedenV
    I have a similar website. All you need to do is enter your username and password and we will tell you if your password has ever been leaked!
  • dgingeri
    My password for Adobe was stolen, but I used different passwords between that and the associated email, my hotmail, so I don't believe I have anything to worry about. They might be able to hack my forum accounts, since I use the same passwords for all those, but I don't have the same passwords for my banking or credit cards, or even online gaming. I find it funny that I have to worry about security less on my gaming accounts than my banking passwords because I have authentication apps for the games.

    Someone needs to come up with an authentication dongle for USB that has a key generator like the phone apps, but the user never has to enter the actual key code. It could be hundreds of digits long and triple encrypted so it would be harder to hack. The USB device wouldn't even need to calculate it. plug in the USB device with has the encryption keys, the driver syncs a time code with the central security server, a chip on the USB key calculates the access code from the time code and encryption keys, and the key is sent by the PC to the banking web site to authenticate. We just need an HTML5 standard command to retrieve the code from the USB key and pass it on to the web site.
  • Pherule
    I'm glad I had an account with EverNote. They warned me that my Adobe password had been leaked (I'm not sure how they found out)

    But I've kept a list of my various passwords, and found I'd re-used the password a few other times, something I don't normally do.

    I was quickly able to change the necessary passwords. Props to EverNote. Adobe can burn.
  • rwinches
    Well, now that Gmail uses your Gmail password to log into all of Google the problem is
    much more serious.

    My Gmail now shows my YouTube ID WTF? and Why?

    So, if my Gmail PW is compromised then they have access to my e-mail, cloud storage, play store, YouTube, the red G symbol and the blue G symbol.
    And, there is no apparent way to opt-out, again WTF!

    Where is the oversight?