A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. BreachDirectory aggregates breaches and enables people to assess where their personal data has been exposed.
The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature but only after successfully verifying that the person performing the search is authorised to access assets on the domain.
Occasionally, a breach will be added to the system which doesn't include credentials for an online service. This may occur when data about individuals is leaked and it may not include a username and password. However this data still has a privacy impact; it is data that those impacted would not reasonably expect to be publicly released and as such they have a vested interest in having the ability to be notified of this.
There are often "breaches" announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:
A "paste" is information that has been "pasted" to a publicly facing website designed to share content such as Pastebin. These services are favoured by hackers due to the ease of anonymously sharing information and they're frequently the first place a breach appears.
We use a neural network to constantly scan thousands of paste sites and determine whether or not they contain leaked data. If a breach is detected, our engine automatically parses it and uploads it to our database.
For additional paste data, or if our engine is down, we supplement the data using the paste archive hosted on PasteBeen
Whilst BreachDirectory is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches even go entirely undetected. "Absence of evidence is not evidence of absence" or in other words, just because your email address wasn't found here doesn't mean that is hasn't been compromised in another breach.
Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.
When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.
When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up. For a more comprehensive overview, see Why am I in a data breach for a site I never signed up to?
No. For privacy reasons, all notifications are sent to the address being monitored so you can't monitor someone else's address nor can you monitor an address you no longer have access to. You can always perform an on-demand search of an address, but sensitive breaches will not be returned.
Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.
BreachDirectory provides a record of which breaches an email address has appeared in regardless of whether the password has consequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don't want any breach to publicly appear against the address, use the opt-out feature.
All emails sent by BreachDirectory come from [email protected] If you're expecting an email (for example, the verification email sent when signing up for notifications) and it doesn't arrive, try white-listing that address. 99.x% of the time email doesn't arrive in someone's inbox, it's due to the destination mail server bouncing it.
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
If you've come across a data breach which you'd like to submit, get in touch with me. Check out what's currently loaded into BreachDirectory on the breached websites page first if you're not sure whether the breach is already in the system.