Troy Hunt is turning Have I Been Pwned into an essential pwning monitoring service. The service monitors security breaches and password leaks so that you and your users remain secure. And now, the U.K. and Australian governments are monitoring their own domain names using the service.
Most people are familiar with the consumer-facing version of Have I Been Pwned. You go on Have I Been Pwned’s website and enter your email address. It shows you a list of services that you use and that have been hacked.
Many of those password databases leak in the wild, so the service checks your email addresses against those databases to show you how you’ve been exposed. And if you’ve been using Dropbox, LinkedIn, Tumblr or Adobe services, chances are you’ve been pwned.
That’s why you should be using a different password on each online service. This way, if your password leaks, nobody can use it to log in to another service. Everything is sandboxed, and you can just change the password on the hacked service.
And because nothing is secure anymore, you should activate two-factor authentication wherever you can. A password simply doesn’t cut it anymore.
Have I Been Pwned also lets you monitor all email addresses ending with the same domain name. For instance, if you run a company, you can monitor all the email addresses that end with @myawesomecompany.com to see if any of your employees have been affected by a security breach.
This information is particularly important if, for instance, you have a sensitive job for the government. If you work for the British Home Office and use your @homeoffice.gsi.gov.uk email address to back something on Kickstarter, your Kickstarter password is now out there.
A hacker could try to reuse this password on your email account, send emails to other government members to ask for classified documents, etc.
Anyone can monitor a domain name by proving that they actually own it (otherwise it would be a potential security breach). Hunt is now working with governments to make it easier to monitor all government domain names for free.
So the National Cyber Security Centre (NCSC) can now query all .gov.uk domain names, and the Australian Cyber Security Centre (ACSC) can query all .gov.au domain names. Pretty neat.