← Back to Insights

Have I Been Pwned? Best Practices for Email Security

HaveIBeenPwned.com (“HIBP”) is a website that aggregates breaches and enables users to identify where their personal data has been exposed. The word "pwned" has its origins in video game culture and is typically used to imply someone has been controlled or compromised by a breach. A breach is an incident where data is or has been inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.

HIBP accesses the following qualifiers to validate breach legitimacy:

  1. Has the impacted service publicly acknowledged the breach?
  2. Does the data in the breach turn up in a Google search (i.e., is it present in another source)?
  3. Is the structure of the data consistent with what one would expect to see in a breach?
  4. Has the attacker provided sufficient evidence to demonstrate the attack vector?
  5. Does the attacker have a track record of either reliably releasing breaches or falsifying them?

Although HIBP is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. To reframe the site’s often-quoted phrase, "Absence of evidence is not evidence of absence.” In other words, just because your email address isn’t found in the HIBP repository doesn't mean it hasn't been compromised.

HIBP enables you and your employees to discover if your respective accounts were exposed by searching its system. The perceived severity of the breach has different classifications, ranging from “sensitive” (of which there were over forty at last count) to “unverified” and “fabricated.” Data breaches in HIBP may also be due to malware campaigns. For example, the US FBI and Dutch NHTCU provided HIBP with data from the Emotet malware in April 2021. The risk posed to individuals in these incidents is different (their personal device may be compromised), hence the presence of this flag in HIBP.

Notably, when email addresses from a data breach are reported loaded into HIBP’s site, no corresponding passwords are loaded with them. HIBP does, however, offer a separate search feature that allows users to check if an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address), and every password is SHA-1 hashed. If a password is found in the Pwned Passwords service, it means it has previously appeared in a data breach. HIBP does not store any information about who the password belonged to, only that it has previously been exposed publicly and how many times it has been seen. A Pwned Password should no longer be used, as its exposure puts it at higher risk of being used to log in to accounts using the now-exposed secret.

To minimize the potential for a bad actor to do harm to your company through this attack vector, your company should adopt the following best practices related to email account security:

  • Rotate passwords on a regular and frequent cadence
  • Employ strict password length and complexity rules
  • Restrict reuse of passwords across multiple services
  • Utilize a password manager to help employees manage their passwords
  • Require two-factor authentication (2FA) for all email accounts
  • Discontinue using any password that has been discovered in one or more data dumps and replace it promptly