I’ve been pwned. You’ve been pwned. We’ve all been pwned. Somewhere, somehow, some digital bit of our persona has appeared in one of countless data breaches that happen across the internet with alarming regularity.
The most recent breach—an exploitation of what may be an old and now closed Facebook vulnerability—means that records from more than 500 million users are free-floating out in the wild.
I tend to be blasé about such hacks. These companies are bad at protecting our data, and to be fair, we’ve also freely shared insane amounts of our personal information on public and only semiprivate platforms. I’m somewhat numb to it at this point.
After reading multiple articles about the Facebook breach, though, I started to get a little itch of concern. Facebook hasn’t been particularly transparent about the breach—until today, at least—and something about the scale of this data dump made me more uncomfortable about the breach than normal. Maybe it was the availability of phone numbers that could be used, for instance, in two-factor authentication attacks. Or perhaps it was the triangulation abilities that phone numbers provided to spammers, robocallers, hackers, and other bad actors.
How to know if you need to worry
Against my better judgment and ability to weather bad news—honestly, haven’t we had enough already?—I visited HaveIBeenPwned, an online clearinghouse for unpleasant news about your personal information. “You’ve been pwned” is a gamer term for being “owned” or thoroughly beaten. In the case of data, it’s another way of saying you’ve been compromised.
To use the site, you enter one of your data points—email, phone number, home address, etc.—and the site instantly tells you if you’ve been pwned and how that bit of data was scooped up in one of many data breaches.
A bit of good news
Since most people seemed to agree that the worst part of the Facebook data breach was its inclusion of users’ phone numbers (the vulnerability involved Facebook’s contact import system), I started by entering my mobile number.
I was shocked and pleased to find that, as the site put it, there was “no pwnage found!” for my digits.
Considering that I’ve been on Facebook since the mid-aughts, this was a pleasant surprise. Obviously, HaveIBeenPwned looks far beyond Facebook to the myriad breaches that have occurred on countless social media, commerce, and service sites.
That my cellphone number, the one I’ve had for almost 20 years, isn’t compromised is a nice surprise, but then it’s only in recent years that I’ve started to use my phone as an authentication device.
Still, I felt momentarily blessed.
The bad news
Next, I put in my primary email address. Even as I entered it, I had a premonition: This will not be good.
My email was pwned in 19 data breaches. Below this bad news was an accounting of all the ways my email was abused. The breaches ran from a sales engagement company I’d never heard of but that has exposed billions of data points (no passwords) to one of my favorite clothing retailers and, almost comically, LinkedIn, where I guess it doesn’t always pay to connect.
The site also noted, though, that my email wasn’t involved in any “pastes.” Good news, I guess, if I knew what that meant. I followed a link that explained a paste is when your data’s been added to a publicly facing website, a place like Pastebin, which is a favorite of hackers and where the term “paste” originates.
This points to a truism for many data breaches. Despite all the stolen and exposed data, not all of it ends up on publicly browsable sites. Sometimes it’s sold; often it’s kept hidden and quietly used to power phishing, spam, and other nefarious activities.
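The breach-versus-paste distinction above maps directly onto the two lookups HaveIBeenPwned exposes. The following is an added example (not the site’s own code): it fetches an account’s breach and paste records from the v3 API and reduces them to the questions that matter, namely whether any breach leaked passwords, whether a phone number is out there, and whether the data has surfaced on a paste site. The `hibp-api-key` header, the `truncateResponse=false` query parameter and the 404-means-clean behaviour are real API features; the sample records and the `hibp-exposure-check` user agent are constructed for illustration.

```python
"""Summarise Have I Been Pwned breach and paste lookups for one account (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

HIBP = "https://haveibeenpwned.com/api/v3"  # breachedaccount/pasteaccount need an API key


def fetch(endpoint: str, account: str, api_key: str) -> str:
    """Return the JSON body for /{endpoint}/{account}; HIBP answers 404 for 'no pwnage found'."""
    url = f"{HIBP}/{endpoint}/{urllib.parse.quote(account)}"
    if endpoint == "breachedaccount":
        url += "?truncateResponse=false"  # otherwise only breach names come back
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": "hibp-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "[]"  # clean account, not an error
        raise


@dataclass
class Exposure:
    breach_count: int
    password_breaches: list = field(default_factory=list)  # breaches that leaked passwords
    phone_exposed: bool = False
    paste_count: int = 0

    def pwned(self) -> bool:
        return self.breach_count > 0 or self.paste_count > 0


def summarize(breaches_json: str, pastes_json: str) -> Exposure:
    """Fold raw breach and paste records into the three questions a defender asks first."""
    breaches, pastes = json.loads(breaches_json), json.loads(pastes_json)

    def classes(b):  # HIBP lists the leaked field types under DataClasses
        return set(b.get("DataClasses", []))

    return Exposure(
        breach_count=len(breaches),
        password_breaches=sorted(b["Name"] for b in breaches if "Passwords" in classes(b)),
        phone_exposed=any("Phone numbers" in classes(b) for b in breaches),
        paste_count=len(pastes),
    )


# Constructed sample records in the v3 response shape; names and dates are made up.
SAMPLE_BREACHES = json.dumps([
    {"Name": "SalesEngagementCo", "BreachDate": "2019-10-01",
     "DataClasses": ["Email addresses", "Job titles", "Phone numbers"]},
    {"Name": "ClothingRetailer", "BreachDate": "2018-03-15",
     "DataClasses": ["Email addresses", "Passwords", "Names"]},
    {"Name": "LinkedIn", "BreachDate": "2012-05-05",
     "DataClasses": ["Email addresses", "Passwords"]},
])
SAMPLE_PASTES = "[]"  # the "no pastes" case described above
```

Replacing the samples with `fetch("breachedaccount", addr, key)` and `fetch("pasteaccount", addr, key)` runs the same summary against live data; a non-empty `password_breaches` list is the cue to rotate those passwords, and `phone_exposed` is the cue to move two-factor codes off SMS.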
What it means
At some level, I knew that my data had been hacked. The breaches of the past decade or so are so large that they’re essentially inescapable. Knowing in my heart that I’d already been pwned and that there was little I could do about it, I’ve slowly worked on mitigating activities that could head off successful personal data-driven attacks.
Moving to LastPass (yes, I know it’s had its own data issues) some years ago helped me stamp out duplicate and derivative passwords. Turning on two-factor authentication added another layer of protection. (Even if a hacker has your phone number, it’s unlikely that they also have your physical device that uses that number.)
The awful truth
These mitigating factors offer me some comfort, but not enough to shake the uneasy feeling that I am fundamentally exposed.
When you play a video game and someone is repeatedly killing you and taking your stash, you feel not just owned but shamed. Being pwned is no less shaming. Somewhere out there, a hacker is pwning me, killing my privacy, and getting ready to take my stash. He’s probably doing the same thing to you, too.