The Unreasonable Benefits of Using HaveIBeenPwned.com for eCommerce Merchants

Haveibeenpwned.com is a service that allows people to find out if their information has been exposed in a data breach. They can see if their personal data has been “pwned” or not.

Troy Hunt^, a fellow Australian, created a website to help users discover if their email address, passwords, or other personally identifiable information have been exposed in a data breach. The website also provides details about historical data breaches and offers advice on how to better secure online accounts.

^Troy has purchased from one of our ecommerce stores, but has no idea we’re writing this post.

What does it mean when a customer’s email address appears on HaveIBeenPwned.com?

69.8% of our customers have had their data appear in a breach!

Haveibeenpwned.com can reveal the relative age of an email address (by virtue of its appearing in their database), which can help reduce the risk of fraudulent orders: an address that shows up in a breach from years ago was not newly created for the purpose of scamming your business. Don’t worry if a customer’s data appears in a breach - our measurements show that 69.8% of our customers have had their data appear in one.

How do we use the information?

In our ecommerce platform https://koi.app (which we’re making available to other ecommerce merchants), we indicate to our staff whether an email account has appeared in a data breach. If it has appeared, we show a little check mark next to their email address.

How can I use the data in HaveIBeenPwned.com?

HaveIBeenPwned have an API that allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service.

Using the API is pretty easy. We use a Rails Job to check our customers, and it looks something like this:

# Our customer model has the attributes
# pwned (boolean) [default false] - has the customer been pwned?
# pwned_check (boolean) [default false] - have we checked the customer?
# haveibeenpwned (jsonb) - a field to save data from haveibeenpwned.com about the breaches

require 'httparty'
require 'json'
require 'erb'

# The URL of the API. The email address is percent-encoded so that characters
# such as '+' or '#' in an address do not break the request path.
url = "https://haveibeenpwned.com/api/v3/breachedaccount/#{ERB::Util.url_encode(customer.email)}"

# HTTP Headers required for the HaveIBeenPwned Service. Keep the API key out of
# source control (read it from the environment or Rails credentials).
headers = {
  'hibp-api-key' => ENV.fetch('HIBP_API_KEY'),
  'user-agent' => 'my-script-name'
}

# Fetch the data from HaveIBeenPwned
response = HTTParty.get url, headers: headers

# A 200 with a JSON body means the address has appeared in at least one breach.
# A 404 means it is not in any breach known to HaveIBeenPwned. Any other status
# (401 bad key, 429 rate limited, 5xx) is an error, so don't mark the customer
# as checked; otherwise an error body would be mistaken for breach data.
case response.code
when 200
  # Convert the JSON response into a Ruby object
  pwnage = JSON.parse response.body

  # Save the data back to the customer model
  customer.haveibeenpwned = pwnage

  # Mark the customer as having been in a breach
  customer.pwned = true
when 404
  # Not found: the customer keeps pwned = false
else
  raise "HaveIBeenPwned request failed: HTTP #{response.code} #{response.body}"
end

# Mark the customer as having been checked.
customer.pwned_check = true

# Save the customer details back to the database
customer.save
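An added example, not code from the original post or from koi.app, that builds the request URL and interprets a response the way the job above needs to (200 found, 404 clean, anything else an error), and also pulls the earliest BreachDate out of full breach records as the "relative age" signal discussed earlier. It assumes the `truncateResponse=false` query parameter (which returns full breach objects rather than just names); the sample bodies are constructed, not real API output.

```ruby
require 'json'
require 'date'
require 'erb'

HIBP_BASE = 'https://haveibeenpwned.com/api/v3'

# Build the breachedaccount URL. The address is percent-encoded so that
# characters such as '+' in plus-addressed mailboxes survive the path;
# truncateResponse=false asks for full breach records (including BreachDate),
# which the default truncated response omits.
def hibp_breached_account_url(email)
  "#{HIBP_BASE}/breachedaccount/#{ERB::Util.url_encode(email)}?truncateResponse=false"
end

# Outcome of interpreting one response: status is :pwned, :clean or :error;
# known_since is the earliest BreachDate, a lower bound on the address's age.
HibpResult = Struct.new(:status, :breaches, :known_since, :message)

# Classify an HTTP status code and body from the breachedaccount endpoint.
# Only a 200 means "found" and only a 404 means "not in any known breach";
# anything else (401 bad key, 429 rate limited, 5xx) must not be recorded
# as either outcome, or an error body would be mistaken for breach data.
def classify_hibp_response(code, body)
  case code
  when 200
    breaches = JSON.parse(body)
    dates = breaches.map { |b| b['BreachDate'] }.compact.map { |d| Date.parse(d) }
    HibpResult.new(:pwned, breaches, dates.min, nil)
  when 404
    HibpResult.new(:clean, [], nil, nil)
  else
    HibpResult.new(:error, [], nil, "HTTP #{code}: #{body}")
  end
end

# Constructed sample bodies for offline use (not real API output)
SAMPLE_PWNED = JSON.generate([
  { 'Name' => 'ExampleBreachA', 'BreachDate' => '2016-05-18' },
  { 'Name' => 'ExampleBreachB', 'BreachDate' => '2012-03-01' }
])
SAMPLE_RATE_LIMITED = '{"statusCode":429,"message":"Rate limit is exceeded."}'

if __FILE__ == $PROGRAM_NAME
  puts hibp_breached_account_url('a+b@example.com')
  r = classify_hibp_response(200, SAMPLE_PWNED)
  puts "#{r.status}: address known since #{r.known_since}"
  puts classify_hibp_response(429, SAMPLE_RATE_LIMITED).message
end
```

The earliest BreachDate is only a lower bound: an address can be older than its first known breach, and an address in no breach at all is not evidence that it is new.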

Conclusion

HaveIBeenPwned.com is a great service that allows users to quickly search for their personal data in a data breach. It can indicate the relative age of an email address, which can be beneficial in reducing the risk of fraud, and it also has an API that allows the list of pwned accounts to be quickly searched. Knowing if your data has been exposed can help you better secure your online accounts and protect yourself from identity theft.

Let us know what you think in the comments below!