I love following ZDNet; it offers great information on current and new technologies as well as practical guidelines on information technology (IT), privacy and security. Their latest article was about a tool that lets you find out whether your email address was stolen in a hacker breach. The online tool is called HackNotifier.

This tool was created by Julian Pulgarin a candidate for Bachelor of Software Engineering at the University of Waterloo in Ontario, Canada.

According to ZDNet:

Julian decided, what with all the lists of personal information being released to the public by the likes of Anonymous, Wikileaks, AntiSec, and LulzSec, individuals might be worried that their information might now be out “in the wild.”

So Julian’s been curating the released data. He’s built a database containing all the email addresses (over 1.4 million addresses, including the Booz Allen Hamilton breach).

All you have to do is go over to HackNotifier.com. Enter your email address (which he promises me he’s not capturing), and the site will tell you if your email address is in any publicly available leaked database.

Although there is a statement of purpose and use on the HackNotifier website stating that:

HackNotifier is completely safe to use. All emails that are checked are only used to make sure that your accounts are secure. Your email is never stored without your permission.

Several questions come to mind immediately. For instance, how do they know what email is linked to a specific account? How did they get access to the leaked information found in the database? Do they have permission to use such information in light of various class action lawsuits? Am I missing something?

I’m too much of a coward to try, but despite my misgivings, I thought this was a genius undertaking in relation to the numerous data breaches we have been witnessing lately.

Let me know what you think. And if anyone does have the guts to try, give me some feedback.

Marie-Yosie Saint-Cyr, LL.B., was called to the Quebec bar in 1988 and is still a member in good standing. She practised business, employment and labour law until 1999. For over 12 years, Yosie has been the Managing Editor of the Human Resources and Compliance Collection from First Reference. She is the managing editor of the Human Resources Professional Association (HRPA) of Ontario’s monthly member e-newsletter ELAW. Yosie is one of Canada’s best-known and most-respected HR authors, with an extensive background in employment and labour law across the country.


7 Comments on “ZDNet: How to Find Out if Your Personal Info Has Been Leaked in a Security Breach”

  1. Bruce says:

    I tried it using the 3 email accounts I have, and all came back clean; whew! The free search does end up with a pitch for a subscription (1 yr for 1 email address is $9.99). If the service is effective & provides timely notification, the fee seems eminently reasonable given the recent spate of high profile data thefts. Also, considering some of the less probable events we insure against, … .

  2. David Collier-Brown says:

    I'd prefer to see the hacked companies notifying the victims, as they have the clear relationships between the emails and the accounts, but until and unless we can guarantee reliable notifications, a fallback is a good idea.

    From the brief description on the site, he's done a hash table of the email addresses, thus completely anonymizing them, and reports to the individual if the address they submit, when hashed, matches an entry in the table.

    A "hash table" is a classic way of encrypting information in a way that cannot be reversed. It is heavily used when one must anonymize personal or identifying information in a body of data one is studying. [Bruce Schneier. Applied Cryptography. John Wiley & Sons, 1996. ISBN 0-471-12845-7.]

    The advantage of hashing is that it renders your email address anonymous; the disadvantage is that he probably can't tell you which account was compromised. Considering that they're in the hands of criminals, I suspect if any account of yours is compromised, they all will be in a week or so…

    –dave

  3. Mike says:

    I tried it – I got one hit for an email account I already knew was hacked (I was notified by the compromised website).

  4. Julian Pulgarin says:

    Thanks for the mention, Yosie! Here are my answers to your questions:

    1. There is no matching of "account" done. We have parsed various security leaks, and store all the emails that were in the leak inside our database. When you enter your email on our website we check your email against our database to see if it was contained in any of these leaks.

    2. The leaked information is taken from publicly available database dumps, such as the ones hosted on http://lulzsecurity.com/

    3. I am fairly certain that we are in the legal clear in regards to solely storing the emails (we do not store passwords or any other info contained in these leaks).

    If you have any more questions don't hesitate to contact me at jpulgarin@hacknotifier.com

  5. Julian Pulgarin says:

    David, currently we do not store the emails as hashes. This is to allow future services where we protect entire domains (impossible to do through hashing).
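The two designs discussed in David's and Julian's comments, as an added illustration that is not HackNotifier's code: a hash-only store supports only a yes/no membership check, while a plaintext store can also say which leak an address appeared in and answer per-domain queries. The leak dumps are constructed sample data; SHA-256 and the "email:password" line format are assumptions.

```python
import hashlib

# Constructed sample "leak dumps" (not real breach data): leak name -> "email:password" lines.
SAMPLE_LEAKS = {
    "leak-A": ["Alice@Example.org:hunter2", "bob@example.org:qwerty"],
    "leak-B": ["carol@mail.test:letmein", "alice@example.org:hunter2"],
}

def normalize(email):
    """Addresses are matched case-insensitively, so canonicalize before storing or hashing."""
    return email.strip().lower()

def email_hash(email):
    # Assumed digest: SHA-256 of the normalized address. Note that an address is a guessable
    # value, so a hash only prevents listing the stored addresses; anyone who guesses an address
    # can re-hash it and confirm membership, exactly as the lookup itself does.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def build_hashed_index(leaks):
    """Hash-only store (David's description): keep digests only. Membership check is possible,
    but the leak name is lost and the store cannot be queried by domain."""
    index = set()
    for lines in leaks.values():
        for line in lines:
            email = line.split(":", 1)[0]       # the password field is discarded at parse time
            index.add(email_hash(email))
    return index

def build_plaintext_index(leaks):
    """Plaintext store (Julian's reply): normalized email -> set of leak names, passwords dropped."""
    index = {}
    for name, lines in leaks.items():
        for line in lines:
            email = normalize(line.split(":", 1)[0])
            index.setdefault(email, set()).add(name)
    return index

def check_hashed(index, email):
    return email_hash(email) in index

def check_plaintext(index, email):
    """Returns the sorted list of leaks the address appeared in (empty if none)."""
    return sorted(index.get(normalize(email), ()))

def domain_report(index, domain):
    """Every stored address under a domain: only possible with the plaintext store."""
    suffix = "@" + domain.lower()
    return sorted(e for e in index if e.endswith(suffix))

HASHED = build_hashed_index(SAMPLE_LEAKS)
PLAIN = build_plaintext_index(SAMPLE_LEAKS)
```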

  6. Thanks Bruce, David and Mike for trying it… after seeing your comments I did try it and my email seems to be ok for now. Julian, much appreciation for answering my questions… great endeavour!

  7. David Collier-Brown says:

    Thanks for the correction, Julian!

    –dave
