Last week saw a fairly typical mini-cycle of bad reporting: an anonymous internet account posted a claim that Steam had been hacked and over 89 million passwords were compromised. The data breach was widely reported, and outlets advised users to do the usual: password changes, enable 2FA, etcetera. Except… it turned out the breach never happened.
It could have, of course (it didn't). Large-scale hacks are just a part of contemporary living, and there's no shortage of high-profile examples in any given month. Here in the UK, two of our major high street retailers have recently been the victims of organised hacking, with the Co-Operative's stores having empty shelves for weeks afterwards.
Ever since its launch in 2015 the website Have I Been Pwned has offered the invaluable service of letting you check if any of your email addresses have turned up in a data breach, and today sees the official launch of Have I Been Pwned 2.0. There are some backend changes but, mainly, this overhaul just makes it all look very nice… and has a lot of confetti.
Confetti? "Well, not for everyone, only about half the people who use it will see a celebratory response," says site creator and admin Troy Hunt. Yes, you get confetti when you have not been pwned.
"There's a reason why this response is intentionally jovial," says Hunt. "HIBP is a bit playful. It's not a scary place emblazoned with hoodies, padlock icons, and fearmongering about 'the dark web.' Instead, we aim to be more consumable to the masses and provide factual, actionable information without the hyperbole. Confetti guns (yes, there are several, and they're animated) lighten the mood a bit. The alternative is that you get the red response."
The red response is what you get with your 20 year-old personal accounts that have been in 50 data breaches, but HIBP 2.0 does a much better job of how it now displays the information about how accounts have been compromised ("we considered a more light-hearted treatment on this page as well," adds Hunt, "but somehow a bit of sad trombone really didn't seem appropriate").
HIBP had a lot of this same information before, but now it's laid-out in a much more user-friendly timeline showing when data breaches occurred, and you can click through on each one for more information on a given breach, and tailored advice on what you should do about this particular instance.
There's way more new functionality, including a dashboard that integrates a lot of the site's existing features, and the debut of reasonably priced Have I Been Pwned merchandise. I would make a snarky comment here except I'm the type of guy who owns a Windows 95 T-shirt. The full notes on the changes in the site's 2.0 version can be read here.
Have I Been Pwned is just a very useful website, for peace of mind if nothing else, and now it's easier to use and nicer to look at, with all of the information laid-out much more clearly. I have it in my bookmarks for when bad things happen: like 300 million accounts being leaked on Telegram in February.
I will not end by telling you to two-factor your accounts and practice good infosec. We all get enough of that from the work IT department. But why not try creating a password through an unhinged browser game that, per PCG's Mollie Taylor, is "one of the most messed-up things I've ever played."
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
