How to be notified that your password has been stolen

How to be notified that your password has been stolen

Summary: Now you can be contacted if your email address appears in any new, publicly-released data breaches.

TOPICS: Security

About a month ago I told you about have i been pwned?, a new site at which you could learn if your email address was included in one of several large data breaches.

The main improvement that needed to be added to the site, as its creator Troy Hunt himself acknowledged, was a notification service to allow users to enter an email address and be notified in the future if their address appeared in any databases added to the service. Troy has now added the notification service. allows you to check whether an email address is in one of several publicly-released databases of breached email addresses, with a total of 154 million email addresses. Troy says the site has been wildly popular and that, by far, the number one request for a notification service.

When you click "Notify me if my address gets pwned in the future" you are presented with the screen below. If you have searched on an email address already, it is pre-populated in the field. You must then fill a CAPTCHA (this is unfortunately necessary for several reasons) and click "notify me of pwnage".


The service then sends a confirmation email to the address entered. Click the verify link in the email and you are registered for notifications. Troy provided this sample notification email:


It's still a free service which is good, but note that this not his day job. In fact, it's costing him some money, but not much: "less ... than what I spend on coffee..." So he sees no reason to charge for it, but if there is another major breach and he's busy, you might not be able to expect him to enter the database and notifications to follow immediately. Troy wrote the site, in part, as an exercise in learning to program Windows Azure services, and he says it's a good demonstration of how powerful services can be built and operated inexpensively on Azure.

Next on Troy's roadmap: domain-wide verifications. You can be notified if any address in a domain is in a database. A more stringent verification process of some kind will be necessary, since he needs to know that the person receiving notification for is actually authoritative for that domain.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Some of the companies affected should give this guy some money ...

    at least a little bit out of petty cash to aid him in his efforts. This is a major public service !
  • Sure wish it could seek out SUB-ADDRESSED addresses

    Like the one I've registered with Tech Republic ;-)
    In other words actuallocaladdress+somearbitrarystring@domain which is exactly the same as for EMAIL purposes, but because of the arbitrary nature of the sub-address (between the "+" and "@" symbols) could be literally HUNDREDS or THOUSANDS of different, distinct IDs as far as individual websites are concerned.
  • What is the security of this site?

    It IS a terrific idea. And I am amazed that he offers it for free and does it in his spare time.

    However... I would like to know his expertise with security and how this site is protected. I can see some malefactor hacking this site to find out what addresses people are wondering about and then attacking THOSE addresses.
    • My first thought too..

      Immediately I an *exercise* in learning Windows Azure.. hmm.. Seems to me that BOTH comments together are valid. M$ should definitely contribute out of petty cash to allow extra programming time, to keep this from being a gold mine for those crooks.
      I do love this in principle though, and of course I immediately tried it myself ;-)
      Nick Ettema
      • I don't think he has to retain email addresses

        All he has to do is to retain hashes of email addresses. He does the same hashes of addresses in the databases, and if they match he sends a warning to the address from the database.
        Larry Seltzer
    • Experience

      Good question! I'm a Microsoft MVP for Developer Security:

      Only breached addresses are stored, not the ones being searched for (more info on the FAQs page).
      • So I was right

        This sounds like what I explained a couple comments up
        Larry Seltzer
    • Check his credentials online

      Have a read through to get a feel for his security credentials. He's been covering web security for a long time and someone who I'd trust to get it right.
  • Don't get stupid about complex programming for domains

    At that level require the interested party to send in a search from an email in the domain asking if domain is compromised in some date range. Put a price (small) on getting the details.
    Remember kids - Avoid Complex Programming when you can work miracles by substituting polling for pushing.