Everything You Need to Know

What is a "breach" and where has the data come from?

A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. BreachDirectory aggregates breaches and enables people to assess where their personal data has been exposed.



Can I send users their exposed passwords?

No.


Is a list of everyone's email address or username available?

The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature but only after successfully verifying that the person performing the search is authorised to access assets on the domain.


What about breaches where passwords aren't leaked?

Occasionally, a breach will be added to the system which doesn't include credentials for an online service. This may occur when data about individuals is leaked and it may not include a username and password. However, this data still has a privacy impact; it is data that those impacted would not reasonably expect to be publicly released and as such they have a vested interest in having the ability to be notified of this.


How is a breach verified as legitimate?

There are often "breaches" announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:

  1. Has the impacted service publicly acknowledged the breach?
  2. Does the data in the breach turn up in a Google search (i.e. it's just copied from another source)?
  3. Is the structure of the data consistent with what you'd expect to see in a breach?
  4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
  5. Do the attackers have a track record of either reliably releasing breaches or falsifying them?

What is a "paste" and why include it on this site?

A "paste" is information that has been "pasted" to a publicly facing website designed to share content such as Pastebin. These services are favoured by hackers due to the ease of anonymously sharing information and they're frequently the first place a breach appears.

We use a neural network to constantly scan thousands of paste sites and determine whether or not they contain leaked data. If a breach is detected, our engine automatically parses it and uploads it to our database.

For additional paste data, or if our engine is down, we supplement the data using the paste archive hosted on PasteBeen.


My email was not found — does that mean I haven't been pwned?

Whilst BreachDirectory is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches even go entirely undetected. "Absence of evidence is not evidence of absence" or, in other words, just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach.


Is anything logged when people search for an account?

Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.


Why do I see my username as breached on a service I never signed up to?

When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears highly unusual, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.


Why do I see my email address as breached on a service I never signed up to?

When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this, including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up. For a more comprehensive overview, see "Why am I in a data breach for a site I never signed up to?"


Can I receive notifications for an email address I don't have access to?

No. For privacy reasons, all notifications are sent to the address being monitored so you can't monitor someone else's address nor can you monitor an address you no longer have access to. You can always perform an on-demand search of an address, but sensitive breaches will not be returned.


Does the notification service store email addresses?

Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification are stored.
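The two answers above describe a small design: a subscription record holds nothing but the address, the subscription date and a random verification token, and that token is sent only to the address being monitored, so nobody can subscribe to an address they cannot read mail for. The following is an added illustration of that pattern, not BreachDirectory's own code; the class and method names, the 24-hour token lifetime, the one-time use of the token and the in-memory "outbox" standing in for real email delivery are all assumptions made here.

```python
"""Minimal notification-subscription store (added illustration, not BreachDirectory's code).

Per subscriber it keeps only the email address, the subscription date and a hash
of a random verification token. The raw token is handed to the monitored address
alone (here: appended to an in-memory outbox instead of being emailed), so the
requester never sees it unless they can read that mailbox.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Subscription:
    email: str
    subscribed_at: datetime
    token_hash: str          # SHA-256 of the random token; the token itself is never stored
    verified: bool = False


class NotificationStore:
    # Assumed lifetime for an unverified token (not stated on the page).
    TOKEN_TTL = timedelta(hours=24)

    def __init__(self) -> None:
        self._subs: dict[str, Subscription] = {}
        # Stand-in for the outbound mail system: (recipient, message) pairs.
        self.outbox: list[tuple[str, str]] = []

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def subscribe(self, email: str, now: Optional[datetime] = None) -> None:
        """Record a pending subscription and send the token to the monitored address."""
        now = now or datetime.now(timezone.utc)
        email = self._normalise(email)
        token = secrets.token_urlsafe(32)
        self._subs[email] = Subscription(email, now, self._hash(token))
        # Deliberately addressed to the monitored mailbox, never to the requester.
        self.outbox.append((email, f"verify:{token}"))

    def verify(self, email: str, token: str, now: Optional[datetime] = None) -> bool:
        """Confirm a subscription; returns False for unknown, expired, reused or wrong tokens."""
        now = now or datetime.now(timezone.utc)
        sub = self._subs.get(self._normalise(email))
        if sub is None or sub.verified:
            return False
        if now - sub.subscribed_at > self.TOKEN_TTL:
            return False
        # Constant-time comparison of hashes avoids leaking the token via timing.
        if not hmac.compare_digest(sub.token_hash, self._hash(token)):
            return False
        sub.verified = True
        return True

    def is_verified(self, email: str) -> bool:
        sub = self._subs.get(self._normalise(email))
        return bool(sub and sub.verified)

    def stored_fields(self, email: str) -> Optional[dict]:
        """Everything retained about a subscriber: address, date, token hash, state."""
        sub = self._subs.get(self._normalise(email))
        if sub is None:
            return None
        return {
            "email": sub.email,
            "subscribed_at": sub.subscribed_at.isoformat(),
            "token_hash": sub.token_hash,
            "verified": sub.verified,
        }


if __name__ == "__main__":
    store = NotificationStore()
    store.subscribe("Someone@Example.org")          # constructed sample address
    recipient, message = store.outbox[-1]
    token = message.split(":", 1)[1]                # only the mailbox owner would see this
    print("delivered to:", recipient)
    print("verified with bad token:", store.verify(recipient, "not-the-token"))
    print("verified with real token:", store.verify(recipient, token))
    print("stored:", store.stored_fields(recipient))
```

Two design choices carry the FAQ's privacy points: the token reaches only the monitored mailbox, so a third party cannot complete verification for an address they do not control, and the record holds a hash rather than the token, so a copy of the store alone cannot be used to confirm subscriptions.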


Can a breach be removed against my email address after I've changed the password?

BreachDirectory provides a record of which breaches an email address has appeared in regardless of whether the password has subsequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don't want any breach to publicly appear against the address, use the opt-out feature.


What email address are notifications sent from?

All emails sent by BreachDirectory come from [email protected]. If you're expecting an email (for example, the verification email sent when signing up for notifications) and it doesn't arrive, try white-listing that address. 99.x% of the time email doesn't arrive in someone's inbox, it's due to the destination mail server bouncing it.


How do I know the site isn't just harvesting searched email addresses?

You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.


How can I submit a data breach?

If you've come across a data breach which you'd like to submit, get in touch with me. Check out what's currently loaded into BreachDirectory on the breached websites page first if you're not sure whether the breach is already in the system.