How to check your identity hasn’t been sold to the hackers

Database breaches, in which giant corporates such as Adobe, eBay, or Sony lose track of copies of their user and billing databases, are becoming almost weekly news items in late 2014.

Sometimes this is given a hacker spin, other times it’s just a dull case of not knowing where all those USB keys or backup tapes have gone.

Consumers are meant to respond to the news – which manages to be simultaneously both worrying and vague – by meekly changing their passwords, even if they don’t think they’re included in the database that’s been stolen. eBay’s alleged database theft triggered a mandatory password change for everyone, right across the system.

I have some problems with this approach, because, to be honest, I have a whole lot of different web identities. Once you’ve signed up to enough services for review, this becomes inevitable: I have a slew of login names and emails, and figuring out which one goes with which service becomes a daily trial.


This is partly down to disorganisation on my part, but it’s also a matter of personal security: just because the entire IT service business has declared that a single email address ought to be the arbitrator of identity, doesn’t mean that this approach is in my best interest. You’d be hard-pressed to deduce my username for my principal online banking account from the one I use to divert the inevitable marketing spam that follows a trial software download these days.

This approach puts me in a very rarefied group. Most people are encouraged by both daily advice from lazy e-commerce operators, and their own memory limitations, to have only one username/email combination and maybe a few different passwords, reused over and over again on various services.

As this count rises (and industry studies show a straightforward trend –  one service 3 years ago, between four and six now, and nine or more in 3 years’ time), so does the insecurity. The nasty black-hat hackers know this very well, and this increases the value of a stolen list of usernames: not because the hackers want to sign in to your Adobe account (to cite the largest recent breach as of the time of writing), but because they want to hit your Mastercard login, on the assumption you’ve reused the same credentials.

So it really does become essential to know whether your name(s) feature on those stolen lists. But how to check?

Enter Troy Hunt – he’s the operator of Type your email or user ID into his site and it looks through his cached copies of the stolen lists to see if you’re at risk. As is becoming habitual for me with this type of investigation, none of my identities trip the alarm, but I made a wild guess and put in a former client’s email address to produce the screengrab you see here.


I know what you’re thinking: why should you trust a site that a) has no www, and b) uses hacker-speak as part of its domain name? Aren’t all these people in it together? Who is this guy? Mr Hunt, however, has an easily traceable identity on the net and a very useful blog where he discusses the curiosities and vicissitudes of running such a thing as a public service. He is, in the jargon of this field, a “white hat”.

This is a vital role, given how e-commerce and customer relations have developed – certainly none of the affected businesses have taken steps of this nature to help you figure out whether your personal security plan has actually ended up working against your interests.

In an ideal world, the likes of Adobe and eBay would be paying Troy Hunt’s hosting charges on Azure (which is where lives), because most breaches appear to be failures of duty of care, and most of the cleanup processes seem to be left to a loose alliance of commentators, rumour-spreaders, paranoids and white-hatted hackers.

In fact, has been around for a few years already, but Troy has been adding further lists to the resource as the thefts and breaches continue, which makes it a progressively more useful and relevant utility – although I suspect that the way the man in the street reacts to technology and the mixture of risks from hacking won’t change very much, even if you do the public-spirited thing and let them know if their name comes up as being in the at-risk group.

This is one of those classic “you know you’re a nerd if…” moments, where the most you can hope for is that some of the people you put through the checks might go so far as to change their passwords, a little bit more often.

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.

Todays Highlights
How to See Google Search History
how to download photos from google photos