Most of us are comfortable online nowadays. In fact I’m happier online than I am in a room full of fellow humans. Swap the humans for dogs and that switches around again, but you get my point – we all have huge Internet presences these days. Having a large presence online means we share our information with lots of people, and we’ve just got to trust them to keep that information safe. But what about when they don’t? What about when your data comprises part of a data leak? How would you ever know until it’s too late? Here’s how to find out if your data is at risk.
What Data Could Be at Risk?
What data have you got? I don’t mean to be flippant about that, but any information you entrust to anyone other than yourself could potentially leak.
Think about your purchase history from one of the big online shops – would you be okay with your gran knowing all the things you’ve bought in the past year? Would you be okay with gran knowing all the websites you have visited? Maybe yes, but probably no.
So when you’re signing up for new services, just think about what information you’re giving away, and the implications if that information were to leak. The gran test is a really good thought experiment to focus that thought.
Where Could it Leak From?
Usually it’s disgruntled current or former staff of the organisation in question. The media likes to paint a super complex picture of data breaches being the result of back-room crackers defeating untold levels of technical complexity. But in reality, data is usually purposefully leaked by one rogue individual within an organisation.
Where Could it Leak To?
Great question. It depends on the type of data, but usually it is sold on the dark web. If you know where to go, you could head over to the less well-lit areas of the web right now, and buy a batch of known working credit card numbers for a few dollars. That’s where your data would end up.
Another great question – you’re good at this!
We just spoke about credit card numbers above, and that obviously represents a huge problem for the people who do have their credit card numbers stolen. But what about just usernames and passwords? Well, most usernames are just your email address these days, aren’t they, so that’s probably not a big deal, since you give that out all the time. What about the password? Well, in theory we’re all using password managers like 1Password, LastPass and Dashlane, meaning that the password that leaked from one website isn’t being used anywhere else. Wait, you’re not using a password manager and you do use the same passwords for multiple services? Oh, errr, awkward.
How Do I Find Out if My Data is at Risk?
This brings us nicely to Troy Hunt’s amazing project, Have I Been Pwned (HIBP). Understanding the word “pwned” means we need to get down with the kids a little bit. To be pwned is to be taken advantage of. To have lost a game or battle. Being on the back foot. So in this context, if your data has been leaked, the folks who leaked or stole it have pwned you.
Head over to Have I Been Pwned now, plop in your email address, and hit the button. Done that? See a list of nasty-looking red entries for data leaks and password breaches? Yeah, I do too when I plug in my email address. But that’s okay. Those data breaches existed before you searched for them five minutes ago. The only difference is that now you know about them, you can do something about them.
Now that we have found out that our data is indeed at risk, and has been “pwned”, what should we do about it? The short answer is: change your passwords. Certainly change the ones associated with any accounts which appeared in the list of pwned accounts. But if you think you might have used the same passwords anywhere else, change those too. The reason is that when username and password combinations appear in a leak from one online service, attackers try the same credentials against other popular services, simply because lots of people do reuse the same password across accounts, and the attackers might get lucky.
And I really do mean it about a password manager – you should totally have one. And if you’re not going to use software to manage your passwords, at least use something like DinoPass to help create memorable, yet strong, passwords.
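One more thing you can do before settling on a password, whether it is a replacement for a pwned one or a new DinoPass-style one: HIBP also publishes the Pwned Passwords service, which lets you check whether a password has already appeared in a breach without ever sending the password itself. You hash it with SHA-1, send only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/, and the service returns every hash suffix it knows starting with that prefix; you compare locally. This is an added example written for this post, not code from Have I Been Pwned; the sample response embedded below is constructed (apart from the entry for the password "password") so that it runs offline.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed stand-in for what the range endpoint returns for prefix 5BAA6:
# one "SUFFIX:COUNT" line per known hash suffix. Real responses are hundreds
# of lines; the first three entries here are made up, the last one is the
# genuine suffix of SHA-1("password") with a made-up count.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a dict, dropping blank lines and the
    zero-count padding entries HIBP adds when Add-Padding is requested."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password was seen in breaches (0 = not found),
    using an already-fetched range response for its prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Online helper: fetch the real range response for a 5-char prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "hibp-range-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

For a live check call `breach_count(pw, fetch_range(sha1_prefix_suffix(pw)[0]))`; a non-zero result means the password is already in circulation and should not be reused.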