Being Pwned doesn’t matter

Jevon Davis
4 min read, Jan 24, 2022


Let’s start with a quick one-liner for those who aren’t aware: what does being pwned actually mean? Your account credentials were exposed in a data breach. That’s really it. Oftentimes users are not even aware that they were exposed in a data breach. Why? The average user is not security conscious.

But it begs the question: does being pwned really matter? Let’s try to answer that by checking whether you were pwned, using the popular breach lookup site Have I been Pwned:

After typing in an e-mail address, it shows us the sites where that address was associated with a breach. What next? Rush to change the passwords associated with that e-mail? Delete certain accounts associated with it? Yes, that is all good, but look again: we are in the year 2022 and the breach is dated 2018. Think about it: roughly three years have gone by since you were exposed. What does that do for you? Not much. Keep in mind that sites like this one work by analyzing data from various dumps, e-mail lists, etc. in order to populate their own databases. In layman's terms, the site only knows you were breached once everyone already knows. It’s safe to assume the worst: the damage may already have been done by hackers, and you could already have lost access to, or data from, those accounts.

Be Proactive

If you have already realized that you have been a victim of a breach, then all you can do now is be proactive. How? I touch on a few ways below:

Use a password manager

I see where you’re coming from, but you’re wrong. Password managers typically operate on a zero-knowledge security model. To put it simply, the teams that secure your password manager have no means of accessing your master password or the sensitive data within your vault. Two popular password managers, LastPass and 1Password, expound on this in more detail. Now consider another scenario. Look back to when you were pwned: back then you logged into, on average, 3–9 accounts a day. Are you confident that you did not reuse the password that was exposed in the breach? How do you know your e-mail is not currently being scraped by attackers and that same password being used to access your data? This is where the password manager comes in. It saves you the hassle of simplistic passwords: it generates unique, complex passwords, and that protects you in future breaches. If one password is exposed, you can be confident that only one account is compromised, so attackers cannot pivot from it to your other accounts. An added plus is that password managers typically have some mechanism that monitors your e-mail and/or passwords for breaches. For example, LastPass uses Dark Web Monitoring, and 1Password uses Watchtower.

MFA is your best friend

Why aren’t you using multi-factor authentication (MFA) or two-factor authentication (2FA)? That should be your biggest concern. MFA and 2FA are essentially one and the same: 2FA can be looked at as a subset of MFA, so interchanging the two terms is fine. 2FA means using two different modes of authentication, whereas MFA refers to using more than one type of authentication in general. I remember a user telling me a while back that MFA is too inconvenient and that I needed to find a way to make accessing systems easier. It was laughable: if it is inconvenient for you, what do you think hackers have to go through to circumvent it? You can never compromise on security; that is not up for discussion. SMS is one of the most popular methods of MFA, but it should be noted that, if available, an authenticator app should be used instead. Why? To combat SIM-jacking. SIM-jacking is essentially taking control of someone’s phone number by tricking a carrier into transferring it to a new phone. You can read more about it in detail here.

Conclusion

Checking whether you have been pwned can be seen as a good approach, but having preventative measures in place is more practical and more important. Always be paranoid when it comes to your data and the security mechanisms you control to protect it. It’s better to be paranoid than to be the person asking the “what-if” questions when it is too late.


Jevon Davis

I am a cybersecurity professional who is passionate about everything Cloud. I help teams deliver a secure Cloud Experience to their customers.