How to check if you've been hacked

Find out how to check if your account has been hacked

Another week, another major hack. It seems like cybercriminals are dumping our account details faster than we can keep up. This week's victim is Yahoo, but there are few online services that haven't been hit.

That's worrisome for those of us using these online services, especially those of us with a bad habit of reusing passwords (we'll get to that).

Here, we'll reveal how to find out if your account logins are up for sale online and what to do about it if they are.

Why is it worth checking?

In the past year alone, hundreds of millions of account details have been leaked online.

Back in May, MySpace (remember them?) admitted as many as 360 million accounts were at risk after a breach of emails, passwords and usernames, with LinkedIn losing details of 117 million accounts to the same hacker. Peace, as he or she or they charmingly goes by, is also thought to be behind the dump of hundreds of millions of Yahoo credentials. Busy little bee, is Peace.

Tumblr also took a tumble, leaking 65.5 million account details, and though Twitter claimed in June it wasn't hacked, it still managed to expose 32 million passwords. And another hacker sold nearly 300 million logins from Gmail, Hotmail, Yahoo and, though many were out of date.

The list goes on and on. Hackers are paying attention to your login credentials, and that means so should you.

How to check if you've been hit

There are several websites that let you enter your username or email address to see whether any leaked login details match them.

A warning, though: these sites check data that's been dumped online or been bought by clever researchers. If a hacker has your credentials and intends to use them, they won't immediately be revealed online, so such sites can only help so much.

That said, it's a start and often quite the wake-up call.

One to try is Have I Been Pwned, from security researcher Troy Hunt. Simply drop your email address or login name into the box and hit enter to see if your details are listed from breaches of 142 websites.

If your details are found in the data dumps, you'll get a terrifying red message detailing exactly what was taken in each hack. You'll want to change your password if you haven't already, and change it on any other accounts where you used the same password.

If you're not listed, you'll get a green message with the good news. That doesn't mean your account hasn't been hacked, however; it only means you weren't hit by the hacks that Hunt lists.

There's also an option to subscribe to get a warning if your details turn up in future breaches and in "sensitive" data dumps. To search those, Hunt requires verification that you're the owner of the email; otherwise you could enter your partner's email address and find out that they were hit by the Ashley Madison or YouPorn attacks. That could be awkward for some.

That means signing up for notifications not only gives you a warning system in case your accounts are hacked in the future, but also means your details are run through the "sensitive" data dumps, so it's worth taking the extra step.

There are other sites that do a similar job. Hacked Emails is similar to Have I Been Pwned, though it isn't quite as thorough as Hunt's site (it missed one of the leaked lots one of my emails is in). Handily, it has a Chrome Extension that alerts you if anyone sending you email has been hacked, and may be compromised.

BreachAlarm is similar to Have I Been Pwned, but doesn't tell you the specific account that's been hacked, which isn't very useful. That means you need to change the password for any account associated with that email address, which may well be a lot.

Pay attention

There's another way to spot if your accounts have been hacked: pay attention. If a web service or site sends you an email begging you to change your password or nags you with a pop-up to do the same, then listen and obey.

Others will warn you of odd behaviour, with Gmail and Chrome showing a notification of a new login. If that wasn't you, assume you've been hacked.

Of course, not all companies are keen to let you know when they've been hacked. Sony, eBay, we're looking at you. Sometimes that leaves the rest of us out of the loop, but other times such breaches make the headlines before the company is willing to own up or can even confirm the attack themselves -- that appears to be what's happened with Yahoo. In that case, the hacker leaked 200 million credentials in August, but Yahoo is only expected to confirm the incident this week, a month later.

In short, if you read about the Yahoo leak in August, you should have refreshed your password in August. Don't wait for official confirmation first.

How to stay secure

Whenever there's a big security breach, researchers and experts pipe up with their advice for staying secure online, and it normally runs the same.

Every now and then, change your passwords. Much of the leaked data is years old; more often than not, a twice-annual refresh means you'd be secure even if your password was on the list.

Have different passwords for different sites, so hackers can't try one leaked credential against another site and get access.

Turn on two-step (or two-factor) authentication. Good web services offer this extra layer of security for a reason, so use it.

None of this guarantees your credentials won't be swiped or that access to your account won't be gained by criminals, but it does help make it less likely. And that's really the best we can hope for.
