Pwned, or Have I Been Pwned (HIBP), is a website that allows internet users to check whether their personal data has been compromised by data breaches. It collects and analyzes hundreds of database dumps and pastes that contain information about billions of leaked accounts. Users can search for their own information by entering their username or email address and sign up to be notified if their email address appears in future dumps.
The term pwned originates from a script kiddie term and is a derivation of the word owned, accounted for by the proximity of the p and o keys on a computer keyboard. Pwned is used to imply that someone has been compromised or controlled in some way.
Have I Been Pwned was created by Troy Hunt, a web security expert who spent his time analyzing data breaches for trends and patterns. He created HIBP after an Adobe Systems security breach in October 2013 when 153 million accounts were affected. In December 2013, HIBP was launched with five data breaches indexed: Adobe Systems, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures. Since then, some of the biggest breaches in the internet’s history have been added, including Myspace, Zynga, Adult Friend Finder and Ashley Madison.
In August 2017, Hunt made 306 million passwords public and accessible via web search. Now, over 500 million passwords that have been previously exposed in data breaches are available to be downloaded in bulk. This exposure allows users to check if their passwords have been compromised in the past and makes them unsuitable for ongoing use because they’re at a much greater risk. Making passwords public discourages users to reuse passwords, an act that may seem convenient, but is risky and could lead to cyberattacks such as credential stuffing.