This topic is closely related to checking data for identity theft, more precisely, data leakage is part of identity theft. However, you should not put an equals sign here. If hackers have breached a forum where you had an account, that is a data breach, but not identity theft, since your account is not directly tied to your real identity.
But if the hackers end up with your account on a dating site with your photos or a copy of your passport, and they begin to use this information for illegal purposes — for example, obtain an online loan or register an account in your name — that is identity theft.
Therefore, to find out whether a data breach has occurred, it is worth following the advice for checking personal data for identity theft. We have a separate chapter of the course dedicated to this topic.
Methods to Check Data for Leaks
Checking via Leak Aggregators
There are websites that collect information about public leaks, databases of leaked accounts, and allow users to check whether their email address appears in these databases.
I recommend using the largest and most popular leak information aggregator — Have I Been Pwned. First, it has the biggest database; second, it does not expose passwords and does not sell data — as you will understand from reading the chapter, not all services treat personal data with such respect.
The principle of leak aggregators is simple: you enter your email or login, and the site checks whether it appears in leak databases. You should remember all your email addresses in case the email you currently use for site registrations is different from the one you used a year or two ago.
Tip
Recall your email addresses and check them on a leak aggregator.
Note: according to its privacy policy, the Have I Been Pwned service collects all the data you enter into the search form, information about your browser and IP address. All this information is stored indefinitely on servers rented from Microsoft in the USA.
Checking Past Leaks
Even the largest leak aggregators have disadvantages. Unfortunately, not all hacked data becomes publicly available, and therefore does not enter the databases of compromised accounts. We know that Yahoo suffered a leak of almost all user accounts between 2013 and 2015, but most likely when checking a Yahoo account the service will not detect the leak because the data were not posted publicly and did not get into the aggregator's databases.
The advantage of such compromised account databases is their convenience, but for a more thorough check it is recommended to go through the list of sites where known leaks occurred and recall whether you had accounts there. This may take a long time, but it is important for checking data for leaks.
Tip
Go through the list of major leaks and site breaches of recent years and remember whether you had an account there.
Checking Data via Search
List all the sites you've used over the years, then check them via search by adding words like 'hacked' and 'leak' to the query. This is the most tedious but also the most effective method of checking. It is suitable for both mass checks and targeted checks of a particular site for leaks.
Tip
Enter the site's name in a search engine and add words like 'hack' or 'leak' to the query to check for information about a possible personal data breach.
What to Do If Your Data Has Leaked
You won't find any magic advice here. You need to change the account password, enable two-factor authentication, and preferably delete the account entirely if you no longer need it. If your identity has been stolen and the data published, there are a number of specific measures that will help minimize the negative consequences.
Tip
If your account was involved in a leak, it's best to delete it.
Not All Leak Aggregators Are Equally Safe
In this article I suggested the largest and most popular service, but if you search you'll find many more leak aggregators. Not all such services are safe to use.
Some of them are designed for phishing: they ask users for data supposedly for verification, but actually use it to steal accounts or sell them. Some such services even directly ask users for their login and password, without which the check is allegedly impossible.
There is another category of services that, after you enter your data, report that it has leaked. Sometimes they cross-check with a public database of another service; more often they simply mislead the user without actually checking the data (this works like fake free antivirus programs that find non-existent threats on the victim and demand money to remove them).
After the check, victims are offered a range of paid services to remove data that leaked online. I haven't checked the effectiveness of such services, but it looks like a scam. I don't know of effective methods to remove leaked data, especially when it has spread across the dark web, sold or posted on dozens of resources.
But there is another type of such services, in my opinion much more dangerous for users. These services not only allow you to check, but also, if desired, to purchase leaked data. Sometimes access to the databases of such services is available by subscription; sometimes you can buy a specific account found in the databases.
In recent years the service of collecting information, or so-called digital reconnaissance, has actively developed online, where specially trained people search for data about a target. They look for posts, interests, relationships, any activity and other information requested by the client.
Sometimes these are law enforcement officers or representatives of private companies investigating cybercrimes, searching for information about hackers. Sometimes they are private detectives who in recent years have been actively introducing intelligence and espionage services into cyberspace.
And one way to collect data about a target is to check the target's accounts in leak lists and then purchase access to them. This way one can gain access to email correspondence, social networks, communications on dating sites and forums. That is why I have repeatedly recommended and continue to recommend deleting all unused accounts, social media pages, and email inboxes.
Today you used an account on a dating site, tomorrow you forget about it. The site was hacked — and the account ends up in the hands of personal data sellers. Ten years later you become a successful politician or businessman, and your enemies commission the collection of compromising material on you. Then that ill-fated account and all the correspondence where you, in your youth or under the influence of alcohol, may have said too much, may surface.
Tip
Recall and delete all unused accounts on dating sites, social networks, forums, and email.
Fortunately, law enforcement agencies in various countries fight these kinds of services. For example, the popular service LeakedSource, which sold access to more than three billion leaked accounts, once went offline, and on one forum there appeared a message from a user who was informed about the situation.
LeakedSource is down for good; it won't come back. The owner was searched today; he wasn't arrested, but all SSDs were confiscated, and the courts seized LeakedSource's servers — they are under federal investigation. If he somehow recovers from this and launches LS again, then I'm mistaken. But I'm not mistaken.
Anonymous author
Later it was reported that the alleged owner of LeakedSource, Jordan Bloom from Ontario, was arrested by Canadian police and is charged with trafficking identification information, unauthorized use of a computer, as well as data theft and possession of property obtained by criminal means. As the media reported, the shadow leak aggregator brought him about a quarter of a million US dollars.
I want to note again that legal services differ from illegal ones in that you can check an account for leaks, but you cannot obtain or buy passwords or password hashes or other information contained in leaked data.
