How To Check If Your Email Address or Passwords Have Been Compromised

Now you don’t have to wonder if your email address or password were stolen — there’s an app for that! Well, a website, anyway. Whether you’re concerned about the latest data breach or any known breach from years past, Leapfrog recommends you use this website.

Have I Been Pwned? (HIBP) is run by web security expert and Microsoft Regional Director Troy Hunt as a way for anyone to see, for free, if they may have been put at risk because their information was “pwned.” Here’s what to do:

How to check your email account(s)

  1. Go to the ';--have i been pwned? website
  2. Enter your email address
  3. The results will either give you good news (no pwnage found!) or not so good news (oh no — pwned!)
  4. If your email address has been pwned, scroll down for information about which of your accounts was breached and when, and what type of data was compromised. Your email address could have been compromised in many different breaches.
  5. If the compromised data includes your password, change your password immediately. Change your security questions as well.
  6. If you’ve used the same password on other accounts or websites, change the passwords and security questions on all of those accounts. Use unique passwords for each account moving forward.
  7. Repeat the process for all of your other email accounts.
  8. To stay in the loop, sign up for HIBP notifications under the Notify Me tab so you’ll be alerted when any new breaches include your email address.

If you have more than one email address at the same domain, you can check them all at one time using the Domain Search tab. This is the fastest way for organizations to check their email addresses.

How to check your passwords

Use HIBP to check your passwords, too — just go to the Passwords tab. You’ll learn if your password has been seen in a breach, but, unlike the email results, HIBP doesn’t tell you where the passwords were seen.

If you’re wondering if it’s a bad idea to input your passwords onto a website, you’re thinking smart. In this situation and on this particular website, however, it’s safe to do it. For extra security, change your password and then check the old one to see if it’s been seen and if you need to take further action.

You can also use the HIBP Password checker to search for a new password that you’re about to use. If it’s already been compromised, choose another password.
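Why a password check like this does not hand over your password: HIBP's Pwned Passwords range API (`api.pwnedpasswords.com/range/`) accepts only the first five characters of the password's SHA-1 hash and returns every matching hash suffix, so the comparison happens on your side. The sketch below is an added example, not code from this post or from HIBP; the offline "service" and its breach counts are constructed so it runs without a network connection.

```python
import hashlib
import urllib.request

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines from a range response; skip malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Number of times the password was seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the only value that leaves this machine
    return parse_range(body).get(suffix, 0)  # the match happens locally

def fetch_range_live(prefix):
    """Real lookup (needs network); Add-Padding hides the response size."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def make_constructed_service(breached):
    """Offline stand-in for the service, built from constructed counts.
    Returns (fetch function, list of every prefix the 'service' was sent)."""
    seen = []
    def fetch(prefix):
        seen.append(prefix)
        lines = ["0" * 35 + ":0"]  # padding-style entry with count 0
        for pw, n in breached.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        return "\r\n".join(lines)
    return fetch, seen

if __name__ == "__main__":
    fetch, seen = make_constructed_service({"password": 1000, "hunter2": 5})
    for candidate in ("password", "a long unique passphrase"):
        print(candidate, "->", pwned_count(candidate, fetch))
    print("sent to service:", seen)
```

Pass `fetch_range_live` instead of the constructed `fetch` to query the real service.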

What it means if your email address has appeared in a paste

HIBP also tells you if your email address has been “pasted” to a public-facing website that shares content — hackers use these. But it doesn’t mean it was pasted due to a breach. It could’ve ended up there from a legitimate source. Check any found pastes to see if it looks like you need to take action.

Why it matters if your email addresses or passwords have been compromised

Bad actors use stolen email addresses to build profiles for identity theft and to send emails with malware from your address to your contacts. They can also use them to access your accounts and change your settings to automatically forward your emails to them so they can capture additional information about you.

Having been pwned also puts you at greater risk for malware. Hopefully, your anti-malware and anti-virus software is up to date. If you’ve been pwned, double-check that your computer and smartphone are malware-free.

Words to know (some are crazy-sounding)

HIBP was established in December 2013 and has been collecting email, password and breach-related data ever since. There are well over five billion (yes, billion) pwned accounts to date. Here’s some lingo to understand since there WILL be more breaches:

  • Data breach — security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so
  • Hacking — unauthorized intrusion into a computer or network, usually for malicious purposes
  • Social engineering — gaining access by tricking people
  • Pwned — internet slang meaning to appropriate or gain ownership
  • Hashing — converting a password to an unreadable format for secure storage using an algorithm (your accounts should do this at minimum)
  • Salting — adding an extra piece of data to a hashed password to make storage even more secure
  • Peppering — adding extra data at the end of a password, often randomly generated, so it’s harder for hackers and hacking software to guess
  • Encryption — converting data into an encoded version that can only be decoded with a decryption key (different from hashing, salting and peppering)

At minimum, your accounts should hash the passwords they store. Better yet, they should add salt to the hash. And for extra security, they should throw in the pepper. Now that’s a secure password that sounds tasty, too.
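Here is what hash, salt and pepper look like on the storage side, as an added example that is not from the original post. It assumes PBKDF2-SHA256 as the hashing algorithm, a per-account random salt stored next to the hash, and a pepper appended to the password and kept outside the password database; the pepper value and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

PEPPER = b"constructed-pepper-kept-outside-the-database"  # constructed value
ITERATIONS = 100_000  # deliberately slow, to make guessing expensive

def fast_unsalted_hash(password):
    """Hash only: identical passwords always produce identical output."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password, pepper=PEPPER, salt=None):
    """Hash + salt + pepper. Returns (salt, digest); both are stored,
    the pepper is not."""
    salt = salt or os.urandom(16)  # new random salt for every account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8") + pepper, salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored, pepper=PEPPER):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    pw = "Summer2024!"  # constructed sample password
    # Two accounts, same password, no salt: the stored values match,
    # so one cracked hash exposes both accounts.
    print(fast_unsalted_hash(pw) == fast_unsalted_hash(pw))   # True
    # With a salt, the same password is stored differently per account.
    salt_a, hash_a = hash_password(pw)
    salt_b, hash_b = hash_password(pw)
    print(hash_a == hash_b)                                   # False
    print(verify_password(pw, salt_a, hash_a))                # True
    # A stolen database without the pepper cannot confirm guesses.
    print(verify_password(pw, salt_a, hash_a, pepper=b"?"))   # False
```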

How password managers make your life easier

You’ll see that HIBP recommends 1Password, one of many available password managers that helps you organize and improve your online security. With a password manager you don’t have to worry about inventing a new password for each website (the manager does it for you with one click) or storing or remembering your passwords. It’s all in the password manager. Whether you use 1Password ($35.88/year), LastPass ($24/year), Dashlane (free or $59.88/year for a package that includes other services) or another password manager, they all work pretty much the same. Here’s an overview of how to use them:

  • Make a single master login password to access all of your other passwords — this is the only password you’ll need to remember
  • Add sites to your password manager (via the web or a synced phone or tablet)
  • Have the password manager create a new complicated password for each site
  • Choose the autofill option so your passwords are entered automatically when you navigate to each website
  • Create credit card forms so you don’t have to key in credit card information when you make online purchases
  • Use the password manager on all of your devices

Two-factor and multi-factor identification

If you’re offered the option of multi-factor identification, take it. Having an account send a verification code to one of your trusted devices or email addresses is the way to go if the account will be storing any of your personal information. It’s quick — only takes a couple of seconds for you to enter the code you receive during login. Hackers are unlikely to have stolen your cell phone along with your credentials so it makes it a lot harder for them to get into your account. Adding factors like a security code, PIN and security questions are all good ideas.

Will we ever get a break from all these breaches and password issues?

Hackers are here to stay but maybe someday there will be technology to eliminate the need for usernames, passwords, PINs and all the rest (options are in the works). But systemic changes would have to take place first — don’t wait for things to get better anytime soon. Instead, take control of your online life by checking your email addresses and passwords, updating any that have been compromised, and using a password manager to help with your sanity. Most people need a little help developing secure passwords.

If you work for a Leapfrog customer and have questions about any of your online accounts — even personal accounts — we’re here to help. Contact the Leapfrog Help Desk Support with questions. And if you find out you’ve been pwned, we can help you create the best plan to clean things up.
