Original post from: https://haveibeenpwned.com/
What does “pwned” mean?
The word “pwned” has origins in video game culture and is a leetspeak derivation of the word “owned”, due to the proximity of the “o” and “p” keys. It’s typically used to imply that someone has been controlled or compromised, for example “I was pwned in the Adobe data breach”. Read more about how “pwned” went from hacker slang to the internet’s favourite taunt.
What is a “breach” and where has the data come from?
A “breach” is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.
Are user passwords stored in this site?
When email addresses from a data breach are loaded into the site, no corresponding passwords are loaded with them. Separately to the pwned address search feature, the Pwned Passwords service allows you to check if an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address) and every password is SHA-1 hashed (read why SHA-1 was chosen in the Pwned Passwords launch blog post.)
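To show what "every password is SHA-1 hashed" means for an application that wants to check a password, here is an added example (not code from the HIBP site). It assumes a range-style lookup that is not described on this page: only the first five hex characters of the hash leave the client, and the remaining suffix is compared locally against `SUFFIX:COUNT` lines; the response below is constructed for the example.

```python
import hashlib

# Constructed sample of a range-lookup response for the prefix "5BAA6":
# each line is the remaining 35 hex characters of a SHA-1 hash, then how
# often it was seen. The counts and the other two suffixes are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
21BD12DC183F740EE76F27B78EB39C8AD97:3
"""


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex; the password itself is never sent."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_lookup(digest_hex: str) -> tuple[str, str]:
    """Split a hash into the 5-char prefix that would be sent and the suffix kept locally."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_response: str) -> int:
    """How many times the password's hash appears in the range response (0 if never).

    The caller is expected to have fetched range_response for the password's prefix.
    """
    _prefix, suffix = split_for_range_lookup(sha1_hex(password))
    return parse_range_response(range_response).get(suffix, 0)


if __name__ == "__main__":
    prefix, suffix = split_for_range_lookup(sha1_hex("password"))
    print(f"send prefix {prefix}, keep suffix {suffix} local")
    print("seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

A non-zero count is the signal to reject or warn about the password; a zero only means the hash was absent from this particular response.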
Can I send users their exposed passwords?
No. Any ability to send passwords to people puts both them and me at greater risk. This topic is discussed at length in the blog post on all the reasons I don’t make passwords available via this service.
Is a list of everyone’s email address or username available?
The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature but only after successfully verifying that the person performing the search is authorised to access assets on the domain.
What about breaches where passwords aren’t leaked?
Occasionally, a breach will be added to the system which doesn’t include credentials for an online service. This may occur when data about individuals is leaked and it may not include a username and password. However, this data still has a privacy impact; it is data that those impacted would not reasonably expect to be publicly released and as such they have a vested interest in having the ability to be notified of this.
How is a breach verified as legitimate?
There are often “breaches” announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:
- Has the impacted service publicly acknowledged the breach?
- Does the data in the breach turn up in a Google search (i.e. it’s just copied from another source)?
- Is the structure of the data consistent with what you’d expect to see in a breach?
- Have the attackers provided sufficient evidence to demonstrate the attack vector?
- Do the attackers have a track record of either reliably releasing breaches or falsifying them?
What is a “paste” and why include it on this site?
A “paste” is information that has been “pasted” to a publicly facing website designed to share content such as Pastebin. These services are favoured by hackers due to the ease of anonymously sharing information and they’re frequently the first place a breach appears.
HIBP searches through pastes that are broadcast by the @dumpmon Twitter account and reported as having emails that are a potential indicator of a breach. Finding an email address in a paste does not immediately mean it has been disclosed as the result of a breach. Review the paste and determine if your account has been compromised then take appropriate action such as changing passwords.