HIBP (haveibeenpwned.com) is a well-known website that lets people check whether any of their online accounts have been compromised in previous data breaches. You provide an email address and it tells you in which data breaches that address has been found (Figure 1).
Nice and easy, right? There are two major issues with this service.
HIBP Does Not Tell You Which Password Was Pwned
To be safe, HIBP stores only the metadata of breached databases on its server side, not their contents. As a result, it cannot give details of the breached data even when users need them. The most important such detail is the specific password found in the data breaches, because people often have several passwords and 80% of them reuse passwords across different services. Knowing the specific password helps a user recognize which of his/her passwords has been leaked, so that he/she can reset it on the accounts that are still using it. The need for this information is huge; as evidence, Figure 2 shows several comments on blog articles by Troy Hunt (the HIBP developer) asking for such access.
HIBP Exposes the Account Registration List of a Victim Website to Attackers
HIBP has a security weakness in its core service. Specifically, any visitor to HIBP can see whether an email address has been used to register an account at a breached source, because the source of a breach often reveals whether a registered account exists there. For example, from Figure 1 we can tell that the test email address has a registered account on LinkedIn, because HIBP reports that it appeared in the LinkedIn data breach.
Attackers can leverage this information to launch account takeover attacks against the victim website and its users. For example, a bad guy who possesses 10 million credentials (email and password combinations) from other sites can check those email addresses against HIBP and find that 10k of them have an account on LinkedIn. The bad guy can then take the passwords for those 10k emails and launch account takeovers against LinkedIn. HIBP makes the attacker's job easier because, without HIBP, the attacker would have to try all 10 million credentials against the LinkedIn website instead of 10k.
This information is so valuable to attackers that it is sold on the dark web. Figure 3 shows a few examples of such items offered on dark web markets: the first is a list of 71,243 email addresses with registered accounts on a government website, and the fourth is a list of over 8 million email addresses with registered accounts at a movie website.
Why MyVC Is a Better Choice
MyVC (my.vericlouds.com) is a FREE service that also lets you check for data breaches with an email address. The major difference is that instead of revealing the data sources, it delivers the leaked passwords through private email for verification. Specifically, a public search on MyVC reports how many leaked passwords have been found in data breaches. Then you simply click the Email button to receive the leaked passwords by email (Figure 4).
Figure 5 shows a sample email from MyVC. The privacy of the passwords is protected by masking: every character of each password is replaced with * except the first and the last. This design lets the owner of a leaked password recognize it easily while preventing bad guys from learning it.
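The masking rule described above, as an added illustration that is not MyVC's own code: the first and last characters are kept and everything in between becomes *. The helper also shows how a user could compare the masked passwords from such an email against their own password list locally, so the clear text never has to be sent anywhere. The MIN_MASKED_LENGTH threshold and the full-masking of very short passwords are assumptions added here, not part of the article's description.

```python
import unicodedata

MASK_CHAR = "*"
# Assumption (not from the article): below this length, keeping the first and
# last character would reveal most of the password, so mask it entirely.
MIN_MASKED_LENGTH = 4


def mask_password(password: str) -> str:
    """Mask a password the way the article describes: keep the first and last
    character, replace everything else with '*'."""
    # Normalize to NFC so a combining mark does not get split off from the
    # base character it belongs to at the kept/masked boundary.
    chars = list(unicodedata.normalize("NFC", password))
    n = len(chars)
    if n == 0:
        return ""
    if n < MIN_MASKED_LENGTH:  # assumption: very short passwords are fully masked
        return MASK_CHAR * n
    return chars[0] + MASK_CHAR * (n - 2) + chars[-1]


def matches_mask(candidate: str, masked: str) -> bool:
    """True if the candidate password, once masked, equals a masked leak from
    the notification email. Comparison happens on the user's own machine."""
    return mask_password(candidate) == masked


def find_reused(local_passwords, masked_leaks):
    """Return the masked leaks that correspond to a password the user still
    uses, sorted for stable output. Input lists are the user's own passwords
    and the masked strings copied from the notification."""
    masked_set = set(masked_leaks)
    return sorted({mask_password(p) for p in local_passwords} & masked_set)


if __name__ == "__main__":
    # Constructed sample data: a local password list and two masked leaks
    # as they might appear in a notification email.
    my_passwords = ["hunter2", "abcd", "zzz"]
    leaks_from_email = ["h*****2", "q***d"]
    print(find_reused(my_passwords, leaks_from_email))  # → ['h*****2']
```

The masked form still reveals the password's length and its two end characters, which is the trade-off the design makes so that the owner can recognize it; the article's privacy argument therefore also relies on the masked list being delivered only to the address owner's private mailbox rather than shown in the public search result.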
In addition, because MyVC does not reveal the sources of data breaches, the security weakness that HIBP has does not exist in MyVC: bad guys cannot obtain an account list for a victim website from it.
HIBP has been a good service that has helped people and organizations understand, with a simple search, the data breach risk associated with them. However, its value has been limited by its inability to correlate compromised credentials with identity context. In addition, its exposure of breached sources has the unwanted side effect of leaking account registration information about victim websites. MyVC delivers leaked passwords in masked form through private email, with no source information.