I Have Been Pwned Seven Times! Have You?

Just after reading about the great LinkedIn hack of 2021, I decided to check whether my information was out there, floating in the internet ether, waiting to be netted by an avaricious hacker. I stumbled across this one article that instructed me to head to www.haveibeenpwned.com. Once there, I was to type in either my email address/es, phone number, and even passwords to see if I have been pwned.

Pwned “implies domination or humiliation of a rival, used primarily in the Internet gaming culture to taunt an opponent who has just been soundly defeated (e.g., “You just got pwned!”)” Also, this. “If a company you have an account with has suffered a data breach, it’s possible your email may have been pwned, which means your email and password for that site’s account has been exposed to cybercriminals.”

It turns out I have been. Seven times. Some dating back to apps I no longer use.

Here is my list. Find yours and embrace what Dr Bright Mawudor mentioned to me during the 2021 CIO Cloud & Security Summit – “Use 1password.” he said. It is the same thing www.haveibeenpwned.com now tells me I need to do.

A brief history of my seven compromised apps

Canva: At the time, I was either working as a consultant Creative Director at Vivo Woman where Canva was the go-to app for the creative department – or, it could have been around that time I fancied myself a graphic designer. I downloaded Canva because there was so much praise and talk around it, there had to be something wrong with me for not trying it. I played around with Canva, even thought briefly that I could wow colleagues with my eye for design. I didn’t. Now I wonder if they got hacked too. I must make it a point to ask.

Breach: In May 2019, the graphic design tool website Canva suffered a data breach that impacted 137 million subscribers. The exposed data included email addresses, usernames, names, cities of residence and passwords stored as bcrypt hashes for users not using social logins. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.

Compromised data: Email addresses, Geographic locations, Names, Passwords, Usernames.

Covve: At first, I cannot for the life of me remember why I had this app, so, naturally, I Googled. I then trace back this thread to my Canva days. When I had just discovered customer relationship software (CRMs). I was curiously also tap-tap-tapping away at Canva. Covve is software that helps businesses leverage artificial intelligence (AI) technology to scan and store contacts in a centralised database.

Breach: In February 2020, a massive trove of personal information referred to as “db8151dd” was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. Later identified as originating from the Covve contacts app, the exposed data included extensive personal information and interactions between Covve users and their contacts. The data was provided to HIBP by dehashed.com. While this February one was my particular breach, there was yet another. 18 May 2020, that compromised some 23 million users.

Compromised data: Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles.

Data Enrichment Exposure From PDL Customer: I have no idea how I ended up here. I don’t recall being particularly active on social media in 2019. So much so I had started to lose followers. But, this is the scary part. It is said that “It’s unclear who owned the server, how the data got there, who had access to it, and how long it sat in the open, free for anyone to access.”

Breach: In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 billion records of personal data. The exposed data included an index indicating it was sourced from data enrichment company PDL and contained 622 million unique email addresses. The server was not owned by PDL and it’s believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data. What is a PDL, you ask? People Data Labs.

Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Social media profiles.

Glofox: It was the best of times. It was the worst of times. COVID-19 lockdowns were still exciting, a novelty globally. And I stumbled across gyms offering free classes online. So I browsed mightily, and that’s how I got caught in this one. I suspect that I inadvertently clicked on a “Powered By” segment of an online gym.

Breach: In March 2020, the Irish gym management software company Glofox suffered a data breach which exposed 2.3M membership records. The data included email addresses, names, phone numbers, genders, dates of birth and passwords stored as unsalted MD5 hashes.

Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers.

Houzz: I wanted a striking apartment so sue me. I had also personally collected enough data for 27 separate homes. It was, for about two years, my favourite toy – I mean app – on my tablet and my phone.

Breach: In mid-2018, the housing design website Houzz suffered a data breach. The company learned of the incident later that year then disclosed it to impacted members in February 2019. Almost 49 million unique email addresses were in the breach alongside names, IP addresses, geographic locations and either salted hashes of passwords or links to social media profiles used to authenticate to the service. The data was provided to HIBP by dehashed.com. and now I need to dig through my Gmail to find that Houzz 2019 notification.

Compromised data: Email addresses, Geographic locations, IP addresses, Names, Passwords, Social media profiles, Usernames.

Lumin PDF: I was still very new to this platform when this data breach occurred. Clearly, that offered no security whatsoever since I was maybe, possibly, likely, caught in this dragnet.

Breach: In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn’t publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance after which Lumin PDF was allegedly been “contacted multiple times, but ignored all the queries.” The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com.”

Compromised data: Auth tokens, Email addresses, Genders, Names, Passwords, Spoken languages, Usernames.

Swvl: Figuring out alternative routes to work got me into a lot of trouble as I have just learnt. At the time, SWVL was well and truly grounded thanks to politicking. Shortly thereafter, my quest became redundant as we started working from home.

Breach: In June 2020, the Egyptian bus operator Swvl suffered a data breach that impacted over 4 million members of the service. The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities. The data was provided to HIBP by breachbase.pw.

Compromised data: Email addresses, Names, Partial credit card data, Passwords, Phone numbers, Profile photos

First of all, I don’t know whether I should be relieved or offended that no one has considered my data valuable enough to ransom me. Secondly, if you have been pwned, here are the steps you need to take.

Use 1password. Apparently, this cannot be stressed enough.
Enable two-factor authentication, then store your codes in 1password.
If you subscribe to haveibeenpwned.com, they will notify you if you have been a victim of pwnage. Unless, of course, they are the victims of pwnage…
After you’re done reading this, go change all your passwords.