So you've been PWNED...whatever that is...
I know what PWNED is but it isn't my thing/generation and the definition and use varies a bit.
But, the web site "Have I been PWNED" is very useful.
Let me explain.
Yesterday I received a phone call from a customer in quite some distress about an email they'd received.
This email contained various threats and, it seemed, actual proof having accessed what they said they'd accessed - they had a password.
My customer advised me that what they sent him was in fact a real password that he'd used.
After a bit of questioning it became clear that was, in fact, all they really knew. For example, they claimed to have access to his web camera and as a result a whole swath of information that they'd "do something with" if he didn't comply with their demands.
The thing is, this person doesn't have a web camera and a bunch of the other stuff claimed didn't pan out either.
Basically all they had a was an old password.
So I checked his email address at the "Have I been PWNED" web site, where they compare it to known databases of breached account data. For example, checking my email address...
Brings up 6 results (oh no!!!). However, it isn't all bad news.
The data breach shown in this example was back in 2013.
Because I have subscribed to "Have I Been PWNED" I was emailed about this years ago and dealt with it then. As I did with the other 5 hits my email address registered.
In fact, most of the results I'd already dealt with for other reasons e.g. regularly changing passwords, leaving a service when they go bad, cancelled subscription for whatever reason etc.
These results are going to keep popping up because the data is always going to be out there and tied to my email address.
Chances are that the list will get longer too.
I've spoken at length about passwords. Some of my other posts about it are here...
Even before you are armed with the results of your "Have I Been PWNED" search you should do the following things for any and all the logins you have:
Have a unique password for each - this means a data breach only releases one password for one thing, not the same password for everything.
Change your passwords regularly.
Use multi-factor authentication.
Use strong passwords.
Manage your passwords carefully.
Extreme cases may require the changing of your email address too.
Subscribe to "Have I Been PWNED" and be alerted when you need to take action.
So, for my worried customer I was able to point out what had been compromised and correlate the scammers threats to some breached data.
All he had to do was make sure he never uses that password again and implement the steps above.
So the lesson here is...
When you KNOW exactly what emails and passwords you are using for what you can more accurately assess the actuality and level of a threat. You can filter out the other lies and scary stuff and plot yourself a course of action that renders the threat impotent.
Just because they say it, that doesn't make it true.
Take care out there...and stop using "password" as your password ;-)