A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. BreachDirectory aggregates breaches and enables people to assess where their personal data has been exposed.
When email addresses from a data breach are loaded into the site, no corresponding passwords are loaded with them. Separately from the leaked address search feature, the Leaked Passwords service allows you to check whether an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address), and every password is stored only as an MD5 hash rather than in plain text.
No. Any ability to send passwords to people puts both them and me at greater risk.
The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature but only after successfully verifying that the person performing the search is authorised to access assets on the domain.
Occasionally, a breach will be added to the system which doesn't include credentials for an online service. This happens when data about individuals is leaked without any username and password. The data still has a privacy impact: it is information those impacted would not reasonably expect to be publicly released, so they have a vested interest in being able to be notified of it.
There are often "breaches" announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:
A "paste" is information that has been "pasted" to a publicly facing content-sharing website such as Pastebin. These services are favoured by hackers because they make it easy to share information anonymously, and they're frequently the first place a breach appears.
BreachDirectory searches through pastes that are broadcast by the @dumpmon Twitter account and reported as containing emails that are a potential indicator of a breach. Finding an email address in a paste does not necessarily mean it has been disclosed as the result of a breach. Review the paste and determine whether your account has been compromised, then take appropriate action such as changing passwords.
Pastes are often transient; they appear briefly and are then removed. BreachDirectory usually indexes a new paste within 40 seconds of it appearing and stores the email addresses that appeared in the paste along with some metadata such as the date, title and author (if they exist). The paste itself is not stored and cannot be displayed if it no longer exists at the source.
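The indexing step described above, as an added example that is not BreachDirectory's own code: the paste body is scanned once for addresses, deduplicated case-insensitively, and only the addresses plus the metadata are retained, so a search can later answer "was this address in that paste" even though the body is gone. The paste text, the source name and the paste id are constructed for the example; the address pattern is a deliberately loose one for finding candidates, not an RFC 5322 validator.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample paste, not a real one: a credential dump in the
# email:password form such pastes usually take, with duplicate and
# mixed-case addresses and one string that only looks like an address.
SAMPLE_PASTE = """\
-- db dump part 1 --
alice@example.com:hunter2
BOB@Example.com:letmein
alice@example.com:hunter2
admin@localhost:root
carol.smith+shop@example.org:s3cret
"""

# Loose candidate pattern: requires a dotted domain, so "admin@localhost"
# above is not picked up. Good enough for indexing, not for validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(body: str) -> List[str]:
    """Unique addresses in the paste body, lower-cased, in order of first appearance."""
    seen = set()
    found = []
    for match in EMAIL_RE.finditer(body):
        addr = match.group(0).lower()
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def index_paste(source: str, paste_id: str, body: str,
                title: Optional[str], author: Optional[str],
                seen_at: int) -> dict:
    """Build the record that is retained for a paste.

    Only the extracted addresses and the metadata (source, id, title,
    author, date seen as epoch seconds) are kept. The body is read once and
    discarded, which is why a paste removed at the source cannot be shown later.
    """
    addresses = extract_addresses(body)
    return {
        "source": source,
        "id": paste_id,
        "title": title,
        "author": author,
        "date": datetime.fromtimestamp(seen_at, tz=timezone.utc).isoformat(),
        "email_count": len(addresses),
        "emails": addresses,
    }


def address_in_paste(record: dict, email: str) -> bool:
    """Search helper: does the retained record contain this address?"""
    return email.strip().lower() in record["emails"]


# A record built from the constructed paste (2017-01-01T00:00:00Z as epoch seconds).
SAMPLE_RECORD = index_paste("pastebin", "constructed-id", SAMPLE_PASTE,
                            title="db dump part 1", author=None,
                            seen_at=1483228800)

if __name__ == "__main__":
    print(SAMPLE_RECORD)
```

Note that the passwords in the constructed paste never reach the record: the regex extracts addresses only, and the body is not a field of the record, which is the property the paragraph above promises.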
Whilst BreachDirectory is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches go entirely undetected. "Absence of evidence is not evidence of absence"; in other words, just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach.
Some people choose to create accounts using a pattern known as "plus aliasing" in their email addresses. This allows them to express their email address with an additional piece of data in the alias, usually reflecting the site they've signed up to, by appending a plus sign and a tag to the local part of the address (the part before the @). All such aliases are delivered to the same mailbox.
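As an added example (not code from BreachDirectory), the following shows what plus aliasing looks like to a search tool: how to split off the tag, how to reduce an aliased address to the mailbox it actually lands in, and how to find every alias of one mailbox inside a list of addresses from a breach. The addresses in BREACH_ADDRESSES are constructed. Folding the local part to lower case when comparing is an assumption that holds for nearly all providers, not an RFC guarantee.

```python
from typing import List, Optional, Tuple

# Constructed list of addresses as they might appear in one breach.
BREACH_ADDRESSES = [
    "alice+netflix@example.com",
    "alice+shop@Example.COM",
    "alice@example.com",
    "alice.b@example.com",      # a different mailbox
    "bob+alice@example.com",    # a different mailbox whose tag happens to be "alice"
    "+weird@example.com",       # leading '+': no base mailbox in front of it
    "alice+a+b@example.com",    # the tag is everything after the first '+'
]


def split_address(addr: str) -> Tuple[str, str]:
    """Split on the last '@'; domains never contain one, quoted local parts may."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % addr)
    return local, domain


def plus_tag(addr: str) -> Optional[str]:
    """The alias tag (text after the first '+' in the local part), or None if unaliased."""
    local, _ = split_address(addr)
    if "+" not in local or local.startswith("+"):
        return None
    return local.split("+", 1)[1]


def strip_plus_alias(addr: str) -> str:
    """Canonical form: base local part and lower-cased domain, e.g. alice+x@Example.COM -> alice@example.com."""
    local, domain = split_address(addr)
    if plus_tag(addr) is not None:
        local = local.split("+", 1)[0]
    return "%s@%s" % (local, domain.lower())


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses deliver to the same mailbox (case-insensitive, assumption noted above)."""
    return strip_plus_alias(a).lower() == strip_plus_alias(b).lower()


def aliases_of(addr: str, candidates: List[str]) -> List[str]:
    """Every address in candidates that is an alias of addr, in their original spelling."""
    return [c for c in candidates if same_mailbox(addr, c)]


if __name__ == "__main__":
    for a in aliases_of("alice@example.com", BREACH_ADDRESSES):
        print(a, "->", strip_plus_alias(a), "tag:", plus_tag(a))
```

A search that only does an exact match on the string entered would miss the aliased rows; running it under the canonical form as well, or scanning a breach's addresses with aliases_of, surfaces them.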
The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on.
Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.
When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply because someone else chose the same username as you usually use. Even when your username appears very unusual, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.
When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up.
No. For privacy reasons, all notifications are sent to the address being monitored so you can't monitor someone else's address nor can you monitor an address you no longer have access to. You can always perform an on-demand search of an address, but sensitive breaches will not be returned.
Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification are stored.
BreachDirectory provides a record of which breaches an email address has appeared in regardless of whether the password has subsequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don't want any breach to publicly appear against the address, use the opt-out feature.
All emails sent by BreachDirectory come from [email protected] If you're expecting an email (for example, the verification email sent when signing up for notifications) and it doesn't arrive, try white-listing that address. In the overwhelming majority of cases where an email doesn't arrive in someone's inbox, it's because the destination mail server bounced it.
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
BreachDirectory enables you to discover if your account was exposed in most data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched.
A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.
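The verification flow in the two answers above (a random token stored per subscriber, a unique link emailed to the address, sensitive breaches shown only once that link is followed), as an added example that is not BreachDirectory's own code. The breach records, addresses and the 24-hour link lifetime are constructed assumptions. One deliberate departure from the page's wording: the store keeps a SHA-256 hash of the token rather than the token itself, so a read of the store is not enough to forge a link, and the token is compared in constant time and accepted once.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumed link lifetime; the page does not state one

# Constructed breach records (not real data): which addresses appear in which
# breaches and whether the breach is classed as sensitive.
BREACHES = [
    {"name": "ExampleForum", "sensitive": False,
     "emails": {"alice@example.com", "bob@example.com"}},
    {"name": "ExampleDatingSite", "sensitive": True,
     "emails": {"alice@example.com"}},
]


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class Subscriptions:
    """In-memory stand-in for the subscriber store.

    Per address: the subscription time (epoch seconds), a hash of the
    verification token, and whether verification succeeded.
    """

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def subscribe(self, email: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[email.strip().lower()] = {
            "subscribed_on": now,
            "token_hash": _hash_token(token),
            "verified": False,
        }
        return token  # only ever leaves the system inside the emailed link

    def verify(self, email: str, token: str, now: int) -> bool:
        """Consume the token from the link. Proof of ownership is the token, not a stored flag."""
        row = self._rows.get(email.strip().lower())
        if row is None or row["token_hash"] is None:
            return False  # unknown address, or link already used
        if now - row["subscribed_on"] > TOKEN_TTL_SECONDS:
            return False  # link expired; the subscriber must request a new one
        if not hmac.compare_digest(_hash_token(token), row["token_hash"]):
            return False  # constant-time comparison, so a wrong guess leaks nothing
        row["verified"] = True
        row["token_hash"] = None  # single use
        return True

    def is_verified(self, email: str) -> bool:
        """Used to decide who gets notified of later breaches, never to authorise a search."""
        row = self._rows.get(email.strip().lower())
        return bool(row and row["verified"])


def public_search(email: str, breaches=BREACHES) -> List[str]:
    """The on-demand search anyone can run: sensitive breaches are never returned."""
    email = email.strip().lower()
    return [b["name"] for b in breaches if email in b["emails"] and not b["sensitive"]]


def owner_view(email: str, token: str, now: int, subs: Subscriptions,
               breaches=BREACHES) -> Optional[List[str]]:
    """What the verification link shows: all breaches, sensitive ones included,
    but only if the token in the link is valid right now. None means refused."""
    if not subs.verify(email, token, now):
        return None
    email = email.strip().lower()
    return [b["name"] for b in breaches if email in b["emails"]]


if __name__ == "__main__":
    subs = Subscriptions()
    link_token = subs.subscribe("alice@example.com", now=0)
    print(public_search("alice@example.com"))
    print(owner_view("alice@example.com", link_token, now=3600, subs=subs))
```

The authorisation decision hangs on the token presented in the link, not on whether the address has ever been verified; otherwise anyone could see a subscriber's sensitive breaches simply because the real owner once clicked the link.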
There are presently 29 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, CrimeAgency vBulletin Hacks, Fling, Florida Virtual School, Freedom Hosting II, Fridae, Fur Affinity, hemmelig.com, HongFire, Hookers.nl, HTH Studios, Mate1.com, Muslim Match, NapsGear and 9 more.
After a security incident which results in the disclosure of account data, the breach may be loaded into BreachDirectory where it then sends notifications to impacted subscribers and becomes searchable. In very rare circumstances, that breach may later be permanently removed from BreachDirectory, after which it is classed as a "retired breach".
A retired breach is typically one where the data does not appear in other locations on the web, that is it's not being traded or redistributed. Deleting it from BreachDirectory provides those impacted with assurance that their data can no longer be found in any remaining locations.
There is presently 1 retired breach in the system which is VTech.
Some breaches may be flagged as "unverified". In these cases, whilst there is legitimate data within the alleged breach, it may not have been possible to establish legitimacy beyond reasonable doubt. Unverified breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web.
Some breaches may be flagged as "fabricated". In these cases, it is highly unlikely that the breach contains legitimate data sourced from the alleged site but it may still be sold or traded under the auspices of legitimacy. Often these incidents are comprised of data aggregated from other locations (or may be entirely fabricated), yet still contain actual email addresses unbeknownst to the account holder. Fabricated breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web.
Occasionally, large volumes of personal data are found being utilised for the purposes of sending targeted spam. This often includes many of the same attributes frequently found in data breaches such as names, addresses, phone numbers and dates of birth. Whilst the data may not have been sourced from a breached system, the personal nature of the information and the fact that it's redistributed in this fashion unbeknownst to the owners warrants inclusion here.
If a password is found in the Pwned Passwords service, it means it has previously appeared in a data breach. BreachDirectory does not store any information about who the password belonged to, only that it has previously been exposed publicly and how many times it has been seen. A password found there should no longer be used: its exposure puts any account protected by it at higher risk of being logged into with the now-public secret.
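The password service described here and in the Leaked Passwords answer near the top of the page, as an added example that is not BreachDirectory's own code: dumps of email:password pairs are folded into an index keyed by the MD5 of the password with a count of how many times it was seen, and the account each password came from is dropped on the way in. The dumps are constructed. That the client hashes locally and submits only the digest is an assumption about the protocol; the page does not say how a password is submitted.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed credential dumps (not real breach data), as (email, password) pairs.
CONSTRUCTED_DUMPS = [
    [("alice@example.com", "hunter2"), ("bob@example.com", "password"),
     ("carol@example.com", "letmein"), ("dave@example.com", "hunter2")],
    [("alice@example.com", "password"), ("erin@example.com", "correct horse battery staple"),
     ("frank@example.com", "hunter2")],
]


def md5_hex(password: str) -> str:
    """The index key: MD5 of the UTF-8 encoded password as lower-case hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_index(dumps: Iterable[Iterable[Tuple[str, str]]]) -> Dict[str, int]:
    """Fold every dump into {md5_hex: times_seen}; the account is read and discarded."""
    counts: Counter = Counter()
    for dump in dumps:
        for _email, password in dump:  # _email is never written anywhere
            counts[md5_hex(password)] += 1
    return dict(counts)


INDEX = build_index(CONSTRUCTED_DUMPS)


def lookup_hash(digest: str, index: Dict[str, int] = INDEX) -> int:
    """Server side: how many times the password with this MD5 has been seen (0 = never)."""
    return index.get(digest.strip().lower(), 0)


def check_password(password: str, index: Dict[str, int] = INDEX) -> int:
    """Client side: hash locally and submit only the digest (assumed protocol),
    so the plaintext never leaves the machine doing the check."""
    return lookup_hash(md5_hex(password), index)


def is_pwned(password: str, index: Dict[str, int] = INDEX) -> bool:
    return check_password(password, index) > 0


if __name__ == "__main__":
    for candidate in ("hunter2", "Tr0ub4dor&3"):
        print(candidate, "seen", check_password(candidate), "times")
```

MD5 is tolerable here only because the inputs are passwords that are already public and the point of the index is to be searchable; it is unsalted and fast, which is exactly why it must not be used to store a site's own users' credentials. The same property means a hash lookup like this confirms exposure but says nothing about which account the password belonged to, matching what the answer above describes.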