How to be notified that your password has been stolen

Summary: Now you can be contacted if your email address appears in any new, publicly-released data breaches.

About a month ago I told you about have i been pwned?, a new site at which you could learn if your email address was included in one of several large data breaches.

The main improvement that needed to be added to the site, as its creator Troy Hunt himself acknowledged, was a notification service to allow users to enter an email address and be notified in the future if their address appeared in any databases added to the service. Troy has now added the notification service.

haveibeenpwned.com allows you to check whether an email address is in one of several publicly-released databases of breached email addresses, with a total of 154 million email addresses. Troy says the site has been wildly popular and that, by far, the number one request has been for a notification service.

When you click "Notify me if my address gets pwned in the future" you are presented with the screen below. If you have searched on an email address already, it is pre-populated in the field. You must then fill in a CAPTCHA (this is unfortunately necessary for several reasons) and click "notify me of pwnage".

[Image: have i been pwned? notification sign-up screen]

The service then sends a confirmation email to the address entered. Click the verify link in the email and you are registered for notifications. Troy provided this sample notification email:

[Image: sample pwnage notification email]

It's still a free service, which is good, but note that this is not his day job. In fact, it's costing him some money, but not much: "less ... than what I spend on coffee..." So he sees no reason to charge for it, but if there is another major breach and he's busy, you might not be able to expect him to enter the database immediately, or notifications to follow right away. Troy wrote the site, in part, as an exercise in learning to program Windows Azure services, and he says it's a good demonstration of how powerful services can be built and operated inexpensively on Azure.

Next on Troy's roadmap: domain-wide verifications. You can be notified if any address in a domain is in a database. A more stringent verification process of some kind will be necessary, since he needs to know that the person receiving notification for example.com is actually authoritative for that domain.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
