The data breach archive site HaveIBeenPwned.com just added records from 2,844 data breaches, providing users with one of the most up-to-date resources to check the security of their accounts. The site, operated and updated by Troy Hunt, allows visitors to enter either an email address or a login name to check whether their information has been compromised in any of the breaches in the site’s database.
As Hunt stated on his personal blog announcing the release, “[t]here are data breaches that we knew of but they just took years to appear publicly (Dropbox, LinkedIn), data breaches we didn’t know of that also took years to discover at all (Disqus, imgur) and indeed, data breaches that were deliberately covered up (Lifeboat, Uber). But I suspect the another [sic] big slice of data breaches are the ones that both the website operators themselves and the general public know nothing about, the ‘unknown unknowns’, as it were.”
Contrary to the assumption that this user information was buried deep in the dark web, hidden from sight, Hunt found the bulk of the data on publicly available websites, including 1.4 billion accounts on Reddit.com. In other words, it was “very clear web,” easily discovered stuff.
The site doesn’t supply the passwords from these breaches, but it does provide yet another glaring reminder not to reuse the same passwords across multiple accounts, to enable two-factor authentication on every account that contains any personally identifiable information, and, at an organizational level, to require users to regularly change their passwords.