Stay Safe Online

How to see if your passwords have leaked online, and what to do if they have

We discuss how to check if you’ve been the victim of a large-scale data breach and what to do if you have.

You take your online security seriously. You have good security software installed. Have a great back-up solution in place. You use a strong password. Even use a password manager. You keep current with security threats and how to avoid them. And you use social media responsibly and have strict privacy settings.

But even with all that, your email and password for an online account get leaked online. And it’s not your fault. The website, company or service you created the account with got breached, and as a result, millions of their users had their login details leaked online, including you.

Has this happened to you?

If you’re not sure, we recommend using one of the most useful security tools on the Internet to find out. The site is Have I Been Pwned? and it lets you see if your login credentials have been leaked online.






Have I Been Pwned? gathers the vast amounts of user information that have leaked online as a result of data breaches, and it lets you search that information by entering your email address (since almost every website and service requires an email address to register an account).

Once you enter your email address, Have I Been Pwned? gets to work, searching literally billions of records in mere seconds to let you know…
1. If your email address has ever been leaked online as a result of a data breach,
2. How many times it’s happened, and
3. What specific data breach(es) resulted in your details being leaked online, if known.

If you have more than one email address, we recommend entering any email address you would use to create an online account.

What should I do if my details have been leaked?

It doesn’t mean you need to panic; billions of emails and account details have been leaked online over the years, so it’s actually quite likely that your email address will result in a match. However, it does mean you need to review and possibly change a few things.






If you enter your email address and it comes up with a match, Have I Been Pwned? will tell you what data breach resulted in your information being leaked, when it happened and what information was leaked online, so first off you need to review that. Many of the data breaches that Have I Been Pwned? searches through are several years old.

If a specific data breach is listed, the chances are high that you have already been forced to change your password for that particular online account by the website or service that suffered the data breach.

But many Internet users will use the same email and password for many different online accounts, and cyber crooks know this. So they will use an attack called credential stuffing, meaning they’ll use the leaked data to enter your leaked email and password into other websites to try and gain access. As such, the next step for you – if you find that your information has been leaked – is to make sure you haven’t reused the same leaked password/email combination for any other accounts you have, and if you did, change the password for those accounts immediately.

When you’re satisfied that none of your other online accounts share a password with any of the breached accounts that came up, then you should no longer be at risk of credential stuffing attacks.
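The reuse check described above can be run against a password manager export. The script below is an added example, not part of the original article; the CSV column names, site names and passwords are constructed assumptions, and "forum.example" stands in for a breach that Have I Been Pwned? reported.

```python
import csv
import hashlib
import io

# Constructed sample: a password-manager CSV export. The column names are an
# assumption (real exports differ by product); all sites and passwords are made up.
SAMPLE_EXPORT = """name,username,password
forum.example,me@example.com,Summer2019!
shop.example,me@example.com,Summer2019!
video.example,other@example.com,Summer2019!
bank.example,me@example.com,k7#Vq9z!PwLm2
"""


def _digest(text):
    # Compare digests so plaintext passwords are never stored in results or printed.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def reuse_audit(export_csv, breached_sites):
    """Map each non-breached account that shares a password with a breached
    account to 'same email and password' or 'same password'."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    leaked_pairs, leaked_passwords = set(), set()
    for row in rows:
        if row["name"] in breached_sites:
            email = row["username"].strip().lower()
            leaked_pairs.add((email, _digest(row["password"])))
            leaked_passwords.add(_digest(row["password"]))

    findings = {}
    for row in rows:
        if row["name"] in breached_sites:
            continue  # the breached account itself is dealt with separately
        pw = _digest(row["password"])
        if (row["username"].strip().lower(), pw) in leaked_pairs:
            # Same pair as the leak: exposed to credential stuffing as-is.
            findings[row["name"]] = "same email and password"
        elif pw in leaked_passwords:
            findings[row["name"]] = "same password"
    return findings


if __name__ == "__main__":
    for site, reason in sorted(reuse_audit(SAMPLE_EXPORT, {"forum.example"}).items()):
        print(f"change password on {site}: {reason}")
```

Delete the export file once the audit is done, since it holds every password in plaintext.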

What if I don’t know the password I used?

If Have I Been Pwned? turns up a data breach for an account you don’t remember the password to, or if the data breach is unverified (meaning Have I Been Pwned? can’t tie the leaked information to a specific breach) then you should adopt a “better safe than sorry” approach and change any password that you may have reused across multiple accounts – which is why it’s best to only use unique passwords for each account!

Also try…

Two-factor authentication (2FA) for important online accounts, so even if your password and email are leaked in a data breach, crooks still won’t be able to access your account. More information on 2FA can be seen here.

Published by
Craig Haley