2018/10/19 11:47:23
bitflipper
Here's a website that will tell you if and how your email address has been stolen. I checked out the site before using it, and not just on Wikipedia. It's mentioned in several security-related articles, and is legit.
 
Now, I fully expected my email address to be floating out there in the wild because it appears unobfuscated on some web pages (necessary for my business) and is therefore susceptible to scrapers. But I was surprised to see that it appeared in 6 different hacked databases. Not only is my email address for sale, but also my physical address and net worth (not that that would impress anybody).
 
I've received probably a hundred spam emails whose subject included an actual password that I'd used in the past (with the music site Last.fm). It was an extortion scam that threatened to expose my porn habits if I didn't give them thousands of dollars in bitcoin. I didn't give it much thought, as I am not into online porn, and even if I were, I am a single guy and self-employed, so there's really no threat they could hang over me. But it was still unsettling to see a real password show up in my inbox.
 
Of course, if I did have a paid account with TeenCheerleaderSluts.com it would piss me off that somebody else was running up charges on my credit card.
 
Here's what Have I Been Pwned told me:

Breaches you were pwned in

Anti Public Combo List (unverified): In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is, attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read "Password reuse, credential stuffing and another billion records in Have I been pwned".
Compromised data: Email addresses, Passwords

Apollo: In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data.
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Salutations, Social media profiles

Exactis: In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages

Last.fm: In March 2012, the music website Last.fm was hacked and 43 million user accounts were exposed. Whilst Last.fm knew of an incident back in 2012, the scale of the hack was not known until the data was released publicly in September 2016. The breach included 37 million unique email addresses, usernames and passwords stored as unsalted MD5 hashes.
Compromised data: Email addresses, Passwords, Usernames, Website activity

Modern Business Solutions: In October 2016, a large MongoDB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phone numbers. The data was subsequently attributed to "Modern Business Solutions", a company that provides data storage and database hosting solutions. They've yet to acknowledge the incident or explain how they came to be in possession of the data.
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Job titles, Names, Phone numbers, Physical addresses

NetProspex (spam list): In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them. It contained extensive personal and corporate information including names, email addresses, job titles and general information about the employer.
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses

2018/10/19 12:48:42
msmcleod
I've had similar emails.
 
From what I can work out, only one of the passwords was the first 8 characters of an old one I used with LinkedIn, which had been hacked at some point. The other passwords were ones I'd never used.
 
They've obviously used some sort of a reverse lookup on the password hash to get the password.
 
The key thing that told me it was BS was that the scam email said they had footage of me via my webcam. Until recently, my laptop didn't have a webcam. My current one does, but it's got a cover on it.
 
What is worrying, however, is that it's obvious some sites are only hashing the first 8 characters of my password, which kind of flies in the face of all the advice about having a longer password to make it harder to hack!
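The Last.fm entry above describes passwords stored as unsalted MD5 hashes, and this post describes what that means in practice: a "reverse lookup" needs no cracking at all, just a precomputed table, and a scheme that only hashes the first 8 characters throws away everything a long password adds. The following script is an added illustration, not code from this thread, from Have I Been Pwned or from any site mentioned here. It uses a constructed three-user dump and a constructed candidate list (no real breach data), shows a lookup-table reversal of unsalted MD5, includes a small audit check that detects a hash function that truncates at a given length (the `legacy_truncating_hash` function is a constructed stand-in for such a scheme, not any real site's code), and contrasts both with a per-user-salted, iterated PBKDF2 hash from Python's standard library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked dump of unsalted MD5 hashes
# (fake users and fake passwords; not data from any real breach).
LEAKED_MD5_RECORDS = {
    "alice@example.invalid": hashlib.md5(b"letmein").hexdigest(),
    "bob@example.invalid": hashlib.md5(b"correcthorse").hexdigest(),
    "carol@example.invalid": hashlib.md5(b"9x!Qm#v7Lp2@").hexdigest(),
}

# Constructed stand-in for a precomputed password list (real tables hold billions).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "correcthorse"]


def md5_hex(password):
    """Unsalted MD5, the storage scheme the Last.fm breach entry describes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """hash -> plaintext. Built once, then reused against every user in every dump,
    because without a salt the same password always produces the same hash."""
    return {md5_hex(p): p for p in candidates}


def reverse_unsalted_md5(records, table):
    """Recover plaintexts by pure dictionary lookup: zero per-user computation."""
    return {email: table[h] for email, h in records.items() if h in table}


def legacy_truncating_hash(password):
    """Constructed example of a scheme that silently ignores everything past
    8 characters; NOT any real site's implementation."""
    return md5_hex(password[:8])


def truncates_password(hash_fn, length):
    """Audit check: does hash_fn ignore characters beyond `length`?
    Two passwords that differ only after that point must NOT hash identically."""
    base = "a" * length
    return hash_fn(base) == hash_fn(base + "b")


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Per-user random salt makes a precomputed table useless (each user needs
    their own table), and the iteration count makes every guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password, salt, iterations, digest):
    """Constant-time comparison so verification timing leaks nothing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("recovered from unsalted MD5:", reverse_unsalted_md5(LEAKED_MD5_RECORDS, table))
    print("legacy scheme truncates at 8 chars:", truncates_password(legacy_truncating_hash, 8))
    print("plain MD5 truncates at 8 chars:", truncates_password(md5_hex, 8))
    s1, it, d1 = pbkdf2_hash("letmein")
    s2, _, d2 = pbkdf2_hash("letmein")
    print("same password, different salted digests:", d1 != d2)
    print("verify correct password:", verify_pbkdf2("letmein", s1, it, d1))
```

Running it recovers alice's and bob's passwords from the MD5 dump with a five-entry table while carol's survives only because her password is not in the list; the truncation check flags the constructed 8-character scheme and clears plain MD5; and the two PBKDF2 hashes of the same password differ, which is exactly what stops one lookup table from covering a whole user base. The ingredients a practitioner would check for in any site they run are the same three: no truncation, a unique random salt per user, and a deliberately slow hash.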
 
2018/10/19 21:28:22
Wibbles
Apparently I've been pwned on 1 breached site and found in 1 paste. Both seem to lead to an Everton FC fan site that I haven't logged on to in years.
 
I've never received any scam emails or even any spam in years. And I've got nothing to steal. 
2018/10/19 22:17:53
jyoung60
msmcleod wrote:
The key thing that told me it was BS was that the scam email said they had footage of me via my webcam. Until recently, my laptop didn't have a webcam. My current one does, but it's got a cover on it.

I got an email like that a couple of weeks ago. It sounds convincing, and scary. But if they did get into my webcam they would see nothing, since it's always covered with black tape. And the built-in mic is disabled, so they wouldn't hear anything, either.
2018/10/19 22:30:33
DrLumen
I wonder how accurate it is as it shows one of my email addresses in 7 databases. However, most of them are unknown sites and I have never signed up for anything from them. Are we sure this is not just some marketing attempt to get people to use 1password?
 
I know it is a garbage email address, as it was being spoofed 20 years ago. If you all look in your spam folder you will likely see something that looks like it was sent from me. But I have never heard of, or signed up, or ... from any company named Apollo or Exactis or most of the others.
2018/10/23 23:43:42
bitflipper
Your email address may have been passed along by a company you've actually had a legit relationship with. Your bank, credit card issuer and insurance company are probable offenders. Amazon sells your information, too. 