Our data is out there! Have I Been Pwned. Yes, and so have you (most likely) because of all the data breaches taking place every day. 12 Billion accounts have been compromised. This is a security nightmare! Check if your data was found in a data breach: E-mail address: haveibeenpwned.com/ Password: haveibeenpwned.com/Passwords Pwned Websites: haveibeenpwned.com/PwnedWebsites // Troy’s SOCIAL // KZread: kzread.info Website: www.troyhunt.com/ Website: haveibeenpwned.com/ Twitter: twitter.com/troyhunt Facebook: facebook.com/troyahunt LinkedIn: www.linkedin.com/in/troyhunt // David's SOCIAL // Discord: discord.gg/davidbombal Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal // MY STUFF // www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 00:00 - Coming up 00:39 - Troy Hunt // Creator of haveibeenpwned.com 01:08 - Origin of PWNED 02:38 - Troy Hunt's KZread Channel 03:48 - Origin of haveibeenpwned.com 05:27 - How to protect ourselves from data breaches 10:52 - Going to the US Congress // The "Congress socks" 16:21 - What are the solutions? 17:51 - Passwords are the biggest threat 21:01 - Recommended ways to keep passwords and personal details // "Lying is good" 31:56 - How your email is connected to everything 33:52 - Using VPNs // The Gumtree Fridge story 40:14 - How to report possible vulnerabilities 44:41 - Crazy experiences // Be careful what you put online 51:30 - New features on haveibeenpwned.com 55:06 - "Data breaches are 100% from human error" // Vulnerable softwares 56:36 - Bug Bounty 59:22 - Advice for the youth 01:02:52 - Conclusion Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only.

@pd1jdw630

11 ай бұрын

@59:22. That answer should be clipped. 👌🏻

@blaxbrian6877

11 ай бұрын

I have been pwned🤣

@cofinify

11 ай бұрын

I hope you know that by giving "haveibeenpwned" email addresses, you are basically showing them that they are still active. Scammers call phones more when people pick up, so why would this company not be selling my data for the sake of ensuring that threat actors have active email addresses to exploit to begin with? (as opposed to the geometric s*** ton of fake and unused emails)

Having to provide a mobile number to companies who never use it nor need it but cannot progress without providing it is so annoying.

@Arachnoid_of_the_underverse

11 ай бұрын

A made up number will get by that i.e. + ( coountry code) 0000000000

@Ekte_Sjakie-tr2qb

11 ай бұрын

Unless they need to sent a confirmation code, I'd just put some random numbers.

@nevarius9010

11 ай бұрын

Thanks for the suggestions all, I've used to old fake number trick a few times, sometimes it works, sometimes it doesn't.

@tipusultan9616

11 ай бұрын

So OpenAI has my email and phone number, great

@lowwastehighmelanin

11 ай бұрын

Should be illegal, frankly.

❤ what a beautiful man, thanks for posting Mr.B.

I got pawned as well, 2 of my emails. Although I already changed my password :)

The "First of January" part got me. That's hilarious.

The 2016 data breach got my cringe named email exposed 😭

@davidbombal

11 ай бұрын

This is a nightmare ☹️ Our details are out there

@AndrewTSq

11 ай бұрын

I was in the Sony Playstation breach when they stole all the credit card info etc. I did not know that it happened first, it was when I got a new card from my bank, telling me that my old card had been involved in a scam I got to know. Later Sony offered 2 free games as "sorry".. edit: found an old article from 2011, that said around 70 million users was in this breach.

Great video as always, but your guest making light of the implications of mandatory digital ID is short - sighted in my opinion. I really think you ought to explore this subject more from *both* sides. It seems to me that conditional access for the Internet is right around the corner, and we ought to start having these conversations now.

Great conversation. One minor criticism through; it would be appreciated if you write a short description about your guest and their background in the description above their social links. It helps a lot with source follow up, especially when there are multiple episodes as well as with finding the video when searching for it and not remembering the title. I know some guests are anonymous but it helps with the known guests. Thank you for the interview.

@journeythroughus

11 ай бұрын

He doesn't want to be pwned 😂

Thanks Dave for introducing me to Troy with this video! Much apporeciated.

Great conversation! I have been trying to reach out to contacts that are part of business email compromise through phishing campaigns and have felt a small portion of that pain in finding security contacts.

amazing interview with Troy!! 😮 thank you!

thank you @David, I always learn something new here.

Enjoyed the interview, verry informative. Loving the Australian mentality and dialect :D

David, I really like you videos, I find them rather relaxing. After playing around with leetcode problems I go to your channel to both learn something new about cyber-security and chill out a little.

there’s an idea… “have i been socked”. database of socks and if someone has been identified wearing them. best practice is to change your socks regularly and have burner socks. 😂

Very much know what he meant: I've tried to get in contact with my own bank many years ago about a security issue on their website. Even being at the physical local bank office/building did not get me any contacts inside the company to talk to. I never got anywhere with them, not from the contact form on the website either. So I never used online banking for many, many years.

one the best discussions in a long time by two awesome guys in the sector

Don't agree about digital DL. What that person was concerned with is that government will see exactly where drivers licence info was used at

Great content.

Yayyyy aussieland 👏, great interview David. I use the Yubikey 5 series and still old fashion with my long passwords 📒 I am a cyber student still on a learning curve.

"Don´t put it on the internet if you don´t need to" But we *DO* need to. You wanna use basic services from your government? You wanna communicate via anything not letter? You want to have a website or, let alone an online shop? Well, then hand over your credentials, including real life address and full name. Ofcourse, if you are rich enough, you could just make a shell company or use a manager aswell, but I guess that´s out of the option for most small and middle class businesses.

Staffers are amazingly bright, at state level, too.

Seriously awesome video, you need to do more videos with remie. More practical videos like this. Great stuff

Love from India ❤❤

@davidbombal

11 ай бұрын

Thank you! Welcome India!

yeah troy is one of my teachers in pluralsight, nice to have it here too.

I handle security for a small financial insititution. Anonymizer VPN's will be getting blocked from all services by the end of this year. They won't even be able to navigate to the website, let alone access any banking or applications.

Eye-opening discussion on haveibeenpwned

🔥

28:36 Simple: When fudging don't "fudge" the fudge and nothing will be fudged!

Oh wow! Troy Hunt!

Think we could get a vid on Amesit which is documented in the NTC Vulkan report from Mandiant? With all our personal data out there along with what we know of the Cambridge Analytica incident, how could that framework as documented be weaponized?

Troy! The legend - awesome, gg

I always thought pwn would stand for "Personally Owned" or "Professionally Owned"

I have worked and trained as a cybersecurity professional 'dude' long before it was called 'cybersecurity'. Cybersecurity is, was, and shall always be a forever cat-and-mouse game with hackers and bad actors. No matter the level and depth of cybersecurity, the bad actors will forever view it as a challenge they must work hard to defeat and break.

@BubstechDOTcom

11 ай бұрын

Intelligence agencies why doing syops on me said A.I will do it all so was a dead end job basically this was 2017 2018 boy they either did it to put me off or were wrong big time said in 5 years that has now expired they did not take into account the WEF and gates nano routers under the skin and linked to bluetooth MAC addresses that im dieing for an app that spoof millions of mac addresses so put yours in the app and 100 other apps broadcast your mac for anonymous travelling and so they dont know were you are lamppost are now beacons i can't see them arrest you for spoofing mac when it fact checked as false who would pay to have 100 or 1000 drvices spoofing your covid 19 A.i chip😂

@sensimilja

11 ай бұрын

@@BubstechDOTcom Get back on the meds dude.

@BubstechDOTcom

11 ай бұрын

@@gwarf343 The internet of bodys not iot iob mabe you should put your phone into admin to bluetooth snoop click then use an app to scan bluetooth devices you will see the jabed or vaxed mac addresses this is 100 percent fact just because google top results say fact check false is b.s. you know the saying do your own research. my idea for an app that adds the vaxed mac addresses to an app so the system does not not what one is you is a good idea. no one has done maybe an app dev op could do this and earn alot of money and think if i got all pen testers and criminals mac addresses my security and a place could flag warning to security that a new mac ADRESS or bad actor is close and were they are and been it would make your job obsolete i think of things put them down but i also am dyslexic and autism i can not code but i did run a server and have some knowledge on how things work even used yasaga etc of fon router back in day and mac addresses to get cabe internet docsis 3.0 so i know how to do things and do mitm as loved wifi etc and never did it for money or gain but my nagbour for wifi when i got my dads old 98 pc the app i said would be well good. criminals will know if you are home or not because of proximity of your bluetooth chip this is bad so home security that scan save time stamp and proximity will catch burglars and if in proximity turn on audio vedro recording. I am full of hydrogel and bio sensors one in right middle finger bleep ecg machine but im unvaxed so no bluetooth chip just near field so i could go out with a random mac spoofing and they would think it was that person i thought it was a good idea to make people anonymous of were they are a pentester could keep there own mac in a room far away so it thinks you did not go anywhere while pen testing this idea i have gave away for free ask how many would want their MAC address in 100 or 1000 places any one could be you or spoofing another maybe a app maker will see this and add some ideas or more could tell me it hard to read then don't read i i believe in PRIVACY and it god given and what they did to me and vaxed is criminal they harvesting data of the body mind thoughts creativity and that is theft and those who claim the jabed are not bluetooth chipped are shills and have not even bothered to look or part of the system because cyber security are also involved in it ans api real time servalemce and geo political cern the Pentagon fusions gps and shiva air force and targeting people like me getting me locked up for exposing what they did to me and exposing the fraud of covid mabe a flipper zero could do bluetooth snooping and spoofing as well like it do hotspot on wifi

@BubstechDOTcom

11 ай бұрын

@@gwarf343 It was not me who invented or patented such things ask gates with his patent or ask the DOD Pentagon under bio metrics or use your language skills and look yourself to why DARPA hydrogel start there

I always give 1st January as my DOB 🤣

Nice video

I've struggled a lot with trying to get in contact with security teams before. its very annoying. Plus getting a response from said PR and marketing departments is a huge problem. Never utilized asking on twitter or linkedin if someone can has a contact in "XYZ" company's security department, but that makes since. It really sucks checking back 8 months later and still seeing the same mistake exploitable. Like at a certain point we just give up when you see nothing change. seen this happen in Star Citizen(the overpriced space game), like an airline in India(I think, was a while ago. And the in a credit card promotion. And like. how tf am I supposed to put this on my resume that I've reported these, but they haven't been dealt with yet. like, I'm not going to make an exploit known to some recruiter at reliaquest no matter how much it'll make my interview better, cause they arent known to represent said company's security(at least publicly, but it'd be unlikely since there's like a list of 500 managed SOCs just in the US). like Star Citizen was a bit different cause back then I was a kid back then and actively exploiting(with pulovers macro creator back then cause i didn't know how to do javascript bots yet), but even then, I tried reaching out to them to fix the issue with how the REDACTED. nevermind kinda just treated this as a vent. FR, Please hire someone to represent your company for security related emails so we can get in contact. Is an awful trend to not have a point of contact.

Joke's on them - I've got NO dosh!

Hi David. Is there a good email address for you that you monitor regularly ? Cheers. NOSS

I was pwned on all accounts a while back, including passwords. I had to redo all my accounts and am much more selective now. Have I been pwned helped me see the accounts in breaches.

It may be helpful to have an email provider that would change the email address every 3 months or so, update with added apps, websites. This way we could easily manage our log ins, 2fa for important websites. Could be alot of add ons but the logistics...would be intensive.

@SwervingLemon

11 ай бұрын

Think hard about that... How would you receive e-mail at an address that changes every three months? Better would be if sites just abandon using your e-mail address as a login altogether. Sure, allow people to use an e-mail address for password recovery, but don't use it as the login because that makes it immutable and static, and because everyone does it anymore, it compromises the security of everyone who doesn't have multiple e-mail addresses.

@zsweetkill

11 ай бұрын

@@SwervingLemon There can be a forwarding system with a main email. This could also help manage spam. Like I mentioned there's alot when it comes to logistics.

@SwervingLemon

11 ай бұрын

@@zsweetkill So your registration e-mail address would have to stay the same anyway?

@zsweetkill

11 ай бұрын

@@SwervingLemon ive already spent too much time on this.

I got pwned a long time ago. I changed my passwords but ever since bots would keep trying to bruteforce the email and send forgotten password requests to it, so i deleted everything and moved my stuff over to gmail. Microsoft/hotmail sucks.

12:38 Chuck is that you? 😂

The worst part is when I hear people use a online password manager.. yeah.. so if I can get the login details to that account, I have every of your password now.

@aliencatmeow

11 ай бұрын

And what do you suggest? A paper notebook?

@aliencatmeow

11 ай бұрын

Cant that be stolen too?

@AndrewTSq

11 ай бұрын

@@aliencatmeow But then someone physically have to enter your house / work and find that notebook to get your password. While getting your online password manager is just getting you to open the wrong email, or clicking the wrong link.

@chriscook7049

11 ай бұрын

@@AndrewTSq Protecting a password manager is definitely required, especially using 2fa. But I'd trust a good password manager more than I would a random website with a commonly used or short + memorable password. Password managers can also include checks to see if passwords are weak or re-used, and its a useful tool to see where you have accounts with websites etc. They can also be useful when working with teams of staff if you have one aimed at that sort of usage.. If you are talking about the work place, then where do you have to store a password list securely? Locks on filing cabs and desk draws are often very weak - either from picking or a big flat screwdriver. Most employees aren't going to have a personal safe that would stand up to much attack.

@SuperM00b

11 ай бұрын

@Ann An offline one.

The bigger concern to me is more, a lack of transparency in regards to what companies do with your data, how they store it, and what they are willing to do to make money from it. An example is F&P want to embed wifi in all their devices, the belief is that even if you don’t use it, they can sell your data, so there was a push to have this added to all their appliances. It was also interesting how this seemed to be a higher priority now they are owned by a Chinese company. Also if companies aren’t storing details securely all you steps to have protect yourself may not be enough. If I just want to try something and haven’t decided if I want to sign up or not, I just use a disposable email account and fake details, in the event I like it I can then rejoin as me if I want to.

@ithinkthereforeitalk935

11 ай бұрын

The simple answer is everyone who can is making money off of your personal data without your explicit permission and there's nothing you can do about it. So you just have to ride along or get off the grid

@dave24-73

11 ай бұрын

@@ithinkthereforeitalk935 that’s the issue, there is no protection, no governance, law enforcement, and many companies are happy to risk a fine if they can make money off your data.

I have a question... Did you remove the meta data from the screen shot before sending it?

The only way companies can be made responsible for data leaks is massive fines. If companies were at risk of bankruptcy, I can tell you this problem would be minimized. You can have the best password manager in the world, if the data leaks from the company's server, there's nothing you can do about that.

38:28 ajajajja genius. Hey you should make a video with Pierogi

interesting, i just read that toyota had data breach

That last email reply to scammer is really hilarious. The part where you give static data really annoys me like a name of your high school, sure I know where it is but I don't remember in which way I give it an acronym? a short name? full name? or joke name? Thank you for the interview.

❤

@davidbombal

11 ай бұрын

Thank you!

@ 05:00 regarding others having your details, similarly there is a well-used mobile caller protection app i.e. Truecaller that uses your phone book as part of its database. So whilst you may not have supplied your name and number to the database, someone with your number may have.

@lightyagami1752

11 ай бұрын

How is this GDPR compliant? Doesn't the individual need to give consent for said individual's data to be shared? Getting it from someone else's phone book should be an absolute no-go.

@Arachnoid_of_the_underverse

11 ай бұрын

@@lightyagami1752 Consent is given as part of the T&Cs

@Arachnoid_of_the_underverse

11 ай бұрын

@@lightyagami1752 You data collected in someone elses mobile is not covered by GDPR hence why the FBI is reputed to use external data sources and foriegn companies who collect this sort of information to sell on.

@lightyagami1752

11 ай бұрын

@@Arachnoid_of_the_underverse Wow, if that's so it's a massive, massive loophole. With regard to consent, an individual should only be able to provide consent with regard to his or her own data. But what you're saying is pretty alarming (if true).

I just love show

Interesting side note, if you immigrate to the US and don't know your birthday, they set it to Jan/01

Sir i am from Nepal suppose i verified my kyc document with passport /mobile no/email address in some app if that data get leaked and hacker got access to my document can hacker take loan on my name in foreign countries if yes how can i get informed that somebody used my information to take loan in foreign countries and what to do to cancel the loan? Please Help 🙏

@monkeyseemonkeydo432

11 ай бұрын

KZread: Liron segev……he has videos on his channel… he mentions websites that help identify if there was a security breach And also gives steps to take after

@caxinoedits7831

11 ай бұрын

@@monkeyseemonkeydo432 can you please send me the Title of the video because i didn't found that video.

@monkeyseemonkeydo432

11 ай бұрын

@@caxinoedits7831 KZread: all things secured: identify theft above is another channel that has some steps you could take

Guys, i have a s23, i installed nethunter on my phone, it uses 20gb of space on my phone, and i want to uninstall it, but i dont know how to do it, someone pls help me!!😢

I heard pawn started because someone developing the game Halo made a mistake by tapping the p instead of the o when they were trying to add owned to the dialogue and it got replicated so far into the game that they didn't want to go back and fix it because it was going to set the game back so far and cost them too much money , if I'm remembering correctly it originated with Halo and that's kind of how it started because they actually put it into the game( I have been informed that I am actually incorrect on this one, but I am just remembering an interview that I saw with one of the Halo developers a long time ago so someone did correct me and say that it went back as far as the quake days ) now I could be wrong but I'm in my forties and I'm pretty sure I'm remembering it correctly or at least that was the story that was circulated at the time So thank you to Swerving Lemon for the correction

@SwervingLemon

11 ай бұрын

pwnage predates Halo, my friend. It's almost as old as the internet itself. We were saying it all the way back in the early days of Quake.

@jamesbassham2273

11 ай бұрын

@@SwervingLemon a one-time saw a interview with one of the Halo developers that claimed that was why I made that statement but thanks for correcting because that's what I was going off of so and that was back in the early Xbox DayZ I believe . But it's possible that I misheard the guy in the interview but I'm almost positive he claimed it was during the time they were developing Halo . But thanks for the correction .

Wow

👍🏻

I am more concerned that the license app will be used to digitally sign identity verification for websites. Email, VPN, various services.. anything that requires trust will likely end up demanding proof of ID and maybe even a facial scan. I am aware that it's the slippery slope fallacy but this is where we are heading. In Australia the govt is making a "digital ID" and demanding that adult services stop kids from using them. I don't care about such services but I know that once the infrastructure is in it will be rolled out elsewhere. Anonymity is the only thing that can protect you from data breaches/leaks.

keepass?

Glad I'm not

DANG! COOL!😎🥶

lastpass was joke was from day #1

leetspeak ack

Love your videos. If only some of them were shorter. I need a break from studying and 1 hour doesn't help... ❤

50:04 and here lies the root of all evil. People should never have their lives ruined just because some idiots decided to shame those who are different from them.

why are you not on mastodon?? I do NOT have Twitter...

07:30 In Canada the question used to be ~"Are you a man who has had sex with a man since 1975?"

@syrrysaver2775

11 ай бұрын

Also something about needle use... Iirc

1st comment good video

@davidbombal

11 ай бұрын

Thank you!

There is a big difference between a plastic card with your basic identity on it in your wallet and some mandatory government application on your phone...

always the first

@davidbombal

11 ай бұрын

Thank you for your support!

I can''t understand most what your friend is saying sorry, someone turn the subtitles on

If you check if your password has been "pwned", in fact you are adding your password to their dictionary... so don't be stupid

@monkeyseemonkeydo432

11 ай бұрын

It just means you have identified the breach…doesn’t mean you can’t change your password beforehand

@paleopteryx

11 ай бұрын

@@monkeyseemonkeydo432 ...and then, just in case, you'll need to check if the "new password" has been "pwned", just to be sure! and so on... :-)))))

No, password managers are garbage lol. Don't reuse the passwords and just press the "change password button"

@IIlIlIlIlIlIlIII

11 ай бұрын

​@@RocketRenton what if they get your master password?

@impostorsyndrome1350

11 ай бұрын

@@IIlIlIlIlIlIlIII yeah "don't give your info to other ppl", yet the same ppl who say that use password managers made by other people. It's ironic. If they stole your master password, it wouldn't be 1 site that you'd have to changr your password, it would be many and many

It’s not uncommon to get your data breached, if you use the internet and you have not been breached that would be a Miracle. Not to sure why everyone is so shocked about it, the key thing here is what was breached ? Is it extremely sensitive like your social then it’s time to worry….

First

@davidbombal

11 ай бұрын

Very close!

Are you kidding me? You don't know that pwn comes from online chess?

fyi, its been proven multiple times over that using sms 2fs is much weaker than just a password.. you all need to address this,, SS7 has zero security, and you all need to quit pretending it does. seriously, its bad, and it really hurts your position. STOP . ADMIT FAULT

@chriscook7049

11 ай бұрын

How is it weaker? Surely that makes it the same weakness?

@_SR375_

11 ай бұрын

@@chriscook7049 if your are asking this, clearly you have missed the point

@chriscook7049

11 ай бұрын

@@_SR375_ that's why I've asked the question. I guess you are assuming that if the attacker has my password from a breach, then they have my mobile number as well, and can then snoop my messages somehow. But that's still adding a level of difficulty. No one's saying it's perfect - no 2fa is - but for many users who aren't tech savvy it's quite a good way to introduce the concept. It's also good for those without smartphones (just basic ones) or 2fa keys. It's using 2 ideas that most adults have now got their heads round - messaging and typing codes in when you log in. What is it I'm missing?

@colto2312

11 ай бұрын

so what's the fault? You're the one with the claim. substantiate it

@_SR375_

11 ай бұрын

@@colto2312 i am not your google, thanks!

I often say "a lie is only a lie if it can be proven to be false". I apply this in EVERY area of my life. I make up whatever compelling story I need to get what I want.

ALL blood is tested it is none of their business what you do in life you have fallen for phishing from the blood collection service!

No way the bank card you show still works thanks man i tried it for a joke but order went through off shopping now thanks

Guys, i have a s23, i installed nethunter on my phone, it uses 20gb of space on my phone, and i want to uninstall it, but i dont know how to do it, someone pls help me!!😢