ZDNet: How to Find Out if Your Personal Info Has Been Leaked in a Security Breach

I love following ZDNet; great information on current and new technologies as well as practical guidelines on information technology (IT), privacy and security. Their latest article was in relation to a tool allowing you to find out if your email address was stolen in a hacker breach. The online tool is called HackNotifier.

This tool was created by Julian Pulgarin, a candidate for Bachelor of Software Engineering at the University of Waterloo in Ontario, Canada.

According to ZDNet:

Julian decided, what with all the lists of personal information being released to the public by the likes of Anonymous, Wikileaks, AntiSec, and LulzSec, individuals might be worried that their information might now be out “in the wild.”

So Julian’s been curating the released data. He’s built a database containing all the email addresses (over 1.4 million addresses, including the Booz Allen Hamilton breach).

All you have to do is go over to HackNotifier.com. Enter your email address (which he promises me he’s not capturing), and the site will tell you if your email address is in any publicly available leaked database.

There is a statement of purpose and use on the HackNotifier website stating that:

HackNotifier is completely safe to use. All emails that are checked are only used to make sure that your accounts are secure. Your email is never stored without your permission.

Still, several questions come to mind immediately. For instance, how do they know what email is linked to a specific account? How did they get access to the leaked information found in the database? Do they have permission to use such information in light of various class action lawsuits? Am I missing something?

I’m too much of a coward to try, but despite my misgivings, I thought this was a genius undertaking in relation to the numerous data breaches we have been witnessing lately.

Let me know what you think. And if anyone does have the guts to try, give me some feedback.

Comments

  1. I tried it using the 3 email accounts I have, and all came back clean; whew! The free search does end up with a pitch for a subscription (1 yr for 1 email address is $9.99). If the service is effective & provides timely notification, the fee seems eminently reasonable given the recent spate of high profile data thefts. Also, considering some of the less probable events we insure against, … .

  2. David Collier-Brown

    I’d prefer to see the hacked companies notifying the victims, as they have the clear relationships between the emails and the accounts, but until and unless we can guarantee reliable notifications, a fallback is a good idea.

    From the brief description on the site, he’s done a hash table of the email addresses, thus completely anonymizing them, and reports to the individual if the address they submit, when hashed, matches an entry in the table.

    A “hash table” is a classic way of encrypting information in a way that cannot be reversed. It is heavily used when one must anonymize personal or identifying information in a body of data one is studying. [Bruce Schneier. Applied Cryptography. John Wiley & Sons, 1996. ISBN 0-471-12845-7.]

    The advantage of hashing is that it renders your email address anonymous; the disadvantage is that he probably can’t tell you which account was compromised. Considering that they’re in the hands of criminals, I suspect if any account of yours is compromised, they all will be in a week or so…

    –dave

  3. I tried it – I got one hit for an email account I already knew was hacked (I was notified by the compromised website).

  4. Julian Pulgarin

    Thanks for the mention, Yosie! Here are my answers to your questions:

    1. There is no matching of “account” done. We have parsed various security leaks, and store all the emails that were in the leak inside our database. When you enter your email on our website we check your email against our database to see if it was contained in any of these leaks.

    2. The leaked information is taken from publicly available database dumps, such as the ones hosted on http://lulzsecurity.com/

    3. I am fairly certain that we are in the legal clear in regards to solely storing the emails (we do not store passwords or any other info contained in these leaks).

    If you have any more questions don’t hesitate to contact me at jpulgarin@hacknotifier.com

  5. Julian Pulgarin

    David, currently we do not store the emails as hashes. This is to allow future services where we protect entire domains (impossible to do through hashing).
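The two designs discussed in David’s comment and Julian’s reply, as an added example that is not HackNotifier’s code: a hashed store answers “is this exact address in a leak?” without keeping the addresses themselves, while a plaintext store is what makes a per-domain check possible. The leak sample is constructed; the function names are my own.

```python
import hashlib

# Constructed stand-in for the addresses parsed out of a public dump.
LEAKED = ["Alice@example.com", "bob@example.org", "carol@example.com"]


def normalise(email: str) -> str:
    """Lower-case and trim so 'Alice@Example.com' and 'alice@example.com' match."""
    return email.strip().lower()


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_hashed_index(emails) -> set:
    """Hashed store as David describes it: only digests are kept.
    Caveat: an unsalted hash of a guessable value such as an email address
    can still be matched by hashing candidate addresses, so this is
    pseudonymisation rather than irreversible anonymisation."""
    return {sha256_hex(normalise(e)) for e in emails}


def build_plaintext_index(emails) -> set:
    """Plaintext store as Julian describes it: addresses kept as-is."""
    return {normalise(e) for e in emails}


def was_leaked_hashed(index: set, email: str) -> bool:
    """Exact-address lookup against the hashed store."""
    return sha256_hex(normalise(email)) in index


def was_leaked_plaintext(index: set, email: str) -> bool:
    return normalise(email) in index


def leaked_in_domain(plaintext_index: set, domain: str) -> list:
    """Domain-wide check, only possible on the plaintext store: a digest of
    the whole address gives nothing to compare a bare domain against."""
    domain = domain.strip().lower().lstrip("@")
    return sorted(e for e in plaintext_index if e.rsplit("@", 1)[-1] == domain)


if __name__ == "__main__":
    hashed, plain = build_hashed_index(LEAKED), build_plaintext_index(LEAKED)
    print(was_leaked_hashed(hashed, "alice@example.com"))
    print(leaked_in_domain(plain, "example.com"))
```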

  6. Thanks Bruce, David and Mike for trying it… after seeing your comments I did try it and my email seems to be ok for now. Julian, much appreciation for answering my questions… great endeavour!

  7. David Collier-Brown

    Thanks for the correction, Julian!

    –dave