Check if your data has been leaked
Data leaks and identity theft
The data breach issue is related to identity theft; to be precise, a data leak is part of identity theft. However, the two aren’t identical. If hackers broke into a forum you had an account with, this is considered a data breach, not identity theft, since your account isn’t directly linked to your identity.
But if those hackers accessed your account on a dating website with your photos or copies of your passport and used your data for illegal purposes, for instance to get an online loan or to register an account using your data, you’ve become a victim of identity theft.
To find out if your data has been leaked, use the tips for checking if your personal data has been stolen. We have a separate chapter that focuses on this issue in detail.
The methods of checking your data for security breaches
Using data breach aggregation services
There are websites that track whether your data has been made public in known data breaches and let users check if their emails are found on these lists.
I recommend you use the largest and most popular data breach aggregation service - Have I Been Pwned. First, it has the biggest database; second, it doesn’t expose your passwords or sell your data. As you progress through this chapter, you will learn that not all services are as respectful of your data as Have I Been Pwned.
These websites work on the same principle: you enter your email or login, and the breach notification website checks if its data leak database contains it. You need to remember all your emails if the current email you are using for registrations on websites differs from the one you used a year or two ago.
If you want to see what the information about publicized data breaches looks like, enter email@example.com in the search bar of the service.
Remember and check your emails using a data leak aggregation service.
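How a password can be checked against breach data without being exposed, as an added example that is not part of the original course: the range query used by Have I Been Pwned's Pwned Passwords service sends only the first five hex characters of the password's SHA-1 hash, and the comparison happens on your own machine. The function names, the OfflineRange stand-in for the HTTP request and the sample response are constructed for this example.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6, one "SUFFIX:COUNT"
# row per line. The first suffix is the SHA-1 remainder of the string
# "password"; the counts and the other two rows are made up for this example.
SAMPLE_RANGE_BODY = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
    "0" * 34 + "A:3",
    "F" * 34 + "0:0",
])

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, body):
    """Look for our suffix among the returned rows; 0 means not found."""
    for row in body.splitlines():
        row_suffix, sep, count = row.strip().partition(":")
        if sep and row_suffix.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0

def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text. Only the prefix is handed over."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the password and the full hash stay local
    return count_in_range(suffix, body)

class OfflineRange:
    """Hypothetical stand-in for the HTTP request; records what was sent."""
    def __init__(self, bodies):
        self.bodies = bodies
        self.sent = []

    def __call__(self, prefix):
        self.sent.append(prefix)
        return self.bodies.get(prefix, "")

if __name__ == "__main__":
    service = OfflineRange({"5BAA6": SAMPLE_RANGE_BODY})
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, service))
    print("sent to the service:", service.sent)
```

A site that asks for the password itself, or for the login and password together, is not doing this kind of check.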
Checking known data breaches
Even the largest data leak aggregation services have a downside. Unfortunately, not all hacked data is made public and therefore added to hacked account databases. We know that between 2013 and 2015 Yahoo had a data breach of all accounts that belonged to its users, but most likely, when checking a Yahoo account, the service won’t find a data breach since the data wasn’t made public and wasn’t listed in the databases of aggregation services.
The advantage of such lists of compromised accounts is their convenience, but a quality check requires you to go through the list of resources that have had a security breach and remember if you had an account with them. This may take a long time, but it is important if you want to check your data for data breaches.
Go through the list of major data leaks and website hacks over the recent years and remember if you had an account with these websites.
Checking your data through search
Write down all the websites you have been using over the last years, then check them using a search engine by adding words like “hack” and “leak” to your query. This is the most boring but also the most effective way to check your data. It works both for mass checking your information and for a targeted check of a particular website for a data breach.
Enter the name of a website in your search engine and add words like “hack” and “leak” to your query to check if your personal data has been compromised.
What to do if your personal data is leaked
You won’t find any magic cure here: you will need to change the password to your account, switch on two-factor authentication, or better, delete the account completely if you are not interested in it any longer. If you have suffered identity theft, there is a range of protective measures that can mitigate the negative effects.
If your account got leaked, you should delete it.
Not all data breach aggregation services are equally safe
In this course I’ve suggested you use the largest and most popular data breach aggregation service, but if you use search, you will discover many more aggregation services. Not all such services are safe.
Some of them are created for phishing attacks: they ask a user for data to perform a check, when in reality the intruders behind the service will use it to steal your account or sell it. In some cases such services will directly ask a user to share their login and password, allegedly because a security breach check is impossible without them.
Other services deceptively inform a user about a data breach when he or she provides personal information. Sometimes they verify the received data against a database that belongs to another aggregation service, but more rarely they just lead a user to mistakenly believe their data has been compromised without checking it at all (this works like fake free antiviruses that discover non-existent threats and demand money for their removal).
After running a check, the service will offer paid-for options to delete the data that leaked online. I haven’t checked the efficiency of such services, but they look like scammers. I haven’t heard about an effective way of removing leaked data, especially data that leaked to the darknet or was sold or uploaded to at least a dozen resources.
But there’s a far more dangerous type of data breach notification website. A service of this kind not only offers to check your data but also lets you buy the leaked data if you wish. Sometimes access to these databases is available by subscription; sometimes you can buy a specific account found in the database.
In recent years a special kind of data collection service, so-called digital intelligence, has been on the rise on the Internet. There are people who are trained in searching for intelligence about a victim. They are interested in digging up messages, interests, acquaintances, and any activities or information that might interest a customer.
Sometimes they represent law enforcement or private companies specialized in cybercrime investigations who search for information about hackers. Or these people may be private detectives who actively advertise intelligence and cyber spying services on the Internet.
So one of the ways to collect intelligence about a victim is to check the victim’s accounts in the list of data breaches and then buy access to the leaked accounts. In this way they access the victim’s emails, social networks, messages on dating websites and forums. That is why I’ve repeatedly recommended you delete all the accounts you don’t use any more, social network pages and emails.
Today you’ve used an account with a dating website, tomorrow you will forget about it. Suppose this website gets hacked and a personal data seller gets ahold of it. In a dozen years when you become a successful politician or businessman, your enemies order a data collection service to blackmail you. This is where you may get into trouble because of an account that holds all the correspondence where you recklessly let out something silly under the influence of alcohol or simply out of ignorance or lack of experience.
Remember and delete all your accounts on dating websites, social networks and forums, and the emails you don’t use any more.
Fortunately, law enforcement in different countries fights such services. For instance, the popular website LeakedSource, which sold access to over 3 billion leaked accounts, has been pulled offline; the news of the raid broke through a note posted on a virtual markets forum:
Leakedsource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leakedsource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong. Also, this is not a troll thread.
The alleged owner of LeakedSource, Ontario man Jordan Evan Bloom, was arrested by the Canadian authorities on charges of trafficking in identity information, unauthorized use of a computer, mischief to data and possession of property obtained by crime. According to the police, the notorious breach notification website earned him about $247,000 from selling stolen credentials.
Let me point this out: a legal breach notification website, unlike an illegal one, allows you to check your data for data breaches, but under no circumstances will it allow you to buy a password, a password hash or any other information found in leaked data.