How often do you check Troy Hunt’s site haveibeenpwned.com?
I’ll admit that I don’t check it often but once in a while I would get a weird phone call or email that makes me check the site to see if I have been pwned. So when Apple calls my phone without warning, I had to check.
If you are unfamiliar with the site haveibeenpwned, it is a site where you can enter your email address and see if it has been involved in any data breaches. If your email is found, it tells you which breach your email was discovered and some of the information that may have been exposed as a result of the breach. It is important to know that exposed data points does not mean that it is true for you. For example, a data breach could have exposed where people work but it may not have where you work. It depends what was associated with the email address and where the breach took place.
Checking the site for myself, I entered one of my email addresses and as expected, it came out red. No surprise. This email address was part of two breaches back in 2014 and 2018. On top of this, it isn’t really used for my professional life. Time to check another email address I use frequently. It too came out red! I was a little surprised since I actually take extra care with email address.
Scrolling down, I saw how my email address was pwned.
The PDL (People Data Labs) breach is one of the largest recorded breaches and was made possible thanks to an unsecured ElasticSearch server. Another way to think of this is if you stored all of your tax documents under your bedroom mattress and left the door to your house unlocked!
I suppose it is important to note that PDL were not the ones to leave the server unsecured. That responsibility fell on the customer PDL gave the information too. That still feels icky to see not only how careless this entity is securing an important server but also that our data is being passed around third-parties.
So what about me was exposed? Hard to say though according to a Wired article, sensitive data was not exposed. Nevertheless, if someone is trying to impersonate, they could potentially have enough information to get started.
It seems likely that whatever data was exposed on me surrounding my email address came from my LinkedIn profile. It is one of the few social media accounts directly tied to the address. So one would be correct in assuming that someone out there got my number from information taken from my LinkedIn account. Except, my phone number is not visible on my profile. My number is tied to my account though which really makes me wonder what data is associated with my email address from this PDL breach.
There are ways to find out. According to Troy Hunt’s article, you can go to PDL’s site, sign up for a free API key, and query their database. I tried to sign up using an alias (because why give them more info on me) but the site requires a work email. So, I used an email that I know no longer exists just to see if I could get a little further. And I did…sorta.
I find this pretty annoying.
The next best thing would be to send them a contact form requesting my data which of course means I need to use my actual name and email though I refuse to give them my current work email.
I gave this a try…again to no avail!
I don’t know if this simple contact form failed because I used “NA” for my place of work (a required field), used my personal email instead of work email, or PDL doesn’t want to be contacted. I’ll keep trying to see what information I can get and post in the future.
Some good news. I couldn’t query the server that was exposed so it looks like that had been patched up at least.
The 4C54 Blog 