The Have I been pwned? website is a free resource for anyone to quickly assess whether they may have been put at risk because an online account of theirs was compromised or “pwned” in a data breach. The public search facility cannot return results for more than a single user-provided email address or username at a time. Multiple breached accounts can be retrieved with the domain search feature, but only after successfully verifying that the person performing the search is authorized to access assets on the domain.
The following activities are performed in order to validate breach legitimacy:
- Has the impacted service publicly acknowledged the breach?
- Does the data in the breach turn up in a Google search (i.e. it’s just copied from another source)?
- Is the structure of the data consistent with what you’d expect to see in a breach?
- Have the attackers provided sufficient evidence to demonstrate the attack vector?
- Do the attackers have a track record of either reliably releasing breaches or falsifying them?
How it works
Breached accounts are collected and stored in Windows Azure Table Storage, which holds each email address or username together with a list of the sites whose breaches it appeared in. If you’re interested in more details, it’s all described in the post by Troy Hunt (the author of this website) titled Working with 154 million records on Azure Table Storage – the story of “Have I been pwned?”