Use Have I Been Pwned to Protect Your Identity

HaveIBeenPwned screen shot

Identity theft, fraud and cybercrime are always a concern, but in the age of coronavirus where people are counting every penny, accepting fund payments and giving to charities, we must be even more careful. You can start with a free search for your information at Have I Been Pwned?.

Like a school of fish out for a swim, cash infusions such as those brought about by the recent stimulus packages will attract online predators. They don’t mind allowing many, many fish to wriggle free, because they actually are preying on the ones who are most vulnerable. Don’t let that be you.

I subscribe to a credit monitoring service that also checks the Dark Web for pieces of my identity. Recently I was alerted that one of my email addresses was just spotted on the Dark Web, and closely following that I was notified by one of my accounts that someone had accessed my account from a place that is thousands of miles away.

Fortunately, I have notification alerts on that account, so I found out right away. Without being able to answer the challenge questions on the account, the individual was unable to access the account settings to lock me out of that account. I never lost control, changed my password, and modified my multifactor authentication factors as well to make my account security even better.

Don’t have a monitoring service? You can start with the totally free service offered by Have I Been Pwned? to protect your identity. Just search for your email address to see if it appears on the Dark Web.

What is the Dark Web?

The Dark Web is a segment of the internet that is not listed in search engines, and you must know the exact address to find these websites. A lot of reasonable activity takes place there, such as scientific research, product development, and protected speech. However, some Dark Web activity is meant to evade notice and the law. Often, the contents of data breaches are dumped onto the Dark Web and offered for sale, and this includes information stolen from government and commercial entities – identity details, usernames, passwords… to help thieves steal identities, break into financial accounts to drain them, set up accounts in your name, interfere with commerce and government agencies, and other havoc. To monitor the Dark Web for your information (such as social security numbers and email addresses), you can locate a service online by looking for “dark web monitoring service”.

Have you been Pwned?

Even if you do not have access to a monitoring service, you can periodically check the Dark Web to see if any of your email addresses have been included in a data breach or dump. Have I Been Pwned? is a site created by Troy Hunt. He’s not only a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security; he has a blog (, a web security thought leader, and he has authored several well received security courses used by web developers on Pluralsight. Hunt set up Have I Been Pwned? as a public service, and it is free to use by anyone. The name of the site comes from the slang for being “owned”, or having your tail kicked.

The site is so easy to use, and it may be accessed at any time. Visit, scroll down and type in your email address and click the pwned? button. You can also click the “Notify Me” button at the top of the page, enter the email address you’d like monitored, and get a notification if your name shows up again or at all.

What if you’ve been Pwned?

Even if your email address is found, it does not mean that you are hacked. It means you’ve gotten an advance warning, and the cybercriminal’s element of surprise is lost. Immediately change your email password, as well as the password of any account you use that email address with to log in. If you can, create a unique username in your account settings other than an email address. Make sure you choose a hard to guess password that includes a mix of upper and lower case lettering and numbers, and symbols if they are allowed. Do this for every account. And be sure to set up multi-factor authentication on all of your accounts, so just in case anyone hacks in, you are notified on your smartphone or email address that someone has accessed your account. That way you can take action early to prevent possible theft, identity crime or worse.

  • Questions? Have I Been Pwned answers lots of them on its Frequently Asked Questions page

Be proactive, be safe!

Now is the time to proactively protect your online accounts by monitoring and taking action whenever a weakness is found. Go through all of your online accounts, make sure to turn on multi-factor authentication and notifications, don’t re-use passwords across different services, and keep your identity safe.

Author: caribtek