Posted on September 11th, 2018
Websites that allow you to search your email address to discover any presence within public data breaches are nothing new. Have I Been Pwned (haveibeenpwned.com) has been a staple in this community for several years. However, there are many limitations. First, you can only search an entire email address in Have I Been Pwned. It will disclose any known breaches that contain the address, informing you to change your passwords immediately. That is the limit of the possibilities. With a newer option, Dehashed (dehashed.com), you can perform practically any wild card search. Here are some examples.
Email: Always include the email address in quotes. Otherwise, you will receive false positives based on wildcard searching. As an example, searching an old GOV email account WITHOUT quotes, I receive 1,164 results:
Conducting the same search WITH quotes, I receive the actual 6 results:
Domain: Search your domain, such as inteltechniques.com, and discover that at least one email from my domain is present within three data breaches.
Username: Maybe you only know the user name of your target, such as mbazzell. This identifies several breaches that possess that exact string.
Password: Search your own password to see if it is present within a breach. If you have a very unique password, this can identify vulnerabilities before there is an actual compromise. Below we see that 203 people that use thisisnotmypassword have been compromised in public breaches.
Name: If you have a very unique name, you may identify breaches that include this detail. These could be voter database leaks, marketing data, or other general breaches. I highly recommend using quotation marks. Searching Michael Bazzell identified 42,000 results, searching “Michael Bazzell” identified 8. In the example below, I now know that my exact name appears in the ModBSolutions breach.
Address: Insert any physical address to identify breaches that could compromise your home location. This can identify potential addresses of a target that are not present within people search engines. Note that the wording must be exactly the same as present in the breach, so you may need to play with this option a bit. As an example, the following yielded no results.
“101 e. 3rd st, Alton”
“101 e. 3rd st., Alton”
“101 e. 3rd street,Alton”
“101 east 3rd street, Alton”
However, “101 e. 3rd street, Alton” identified one breach containing this address.
How does this help investigations? For me, it is a great indicator of a valid email address. If I receive any hit, I know the address is likely good. I also know at least one service where the address was used to create an account. This can lead to more discovery.
How does this help my privacy? This can identify weak areas where you have a public presence. Change any passwords associated with an exposed account. It also reminds us to never use valuable personal or business email addresses for online accounts.
You may have noticed the pricing feature. For a few bucks, you can see ALL of the data associated with a target, often including passwords. I found multiple former (weak) passwords on many of my accounts:
This can be a great defensive tool in order to identify potential vulnerabilities. Overall, I am very impressed. This is definitely a staple in my OSINT investigations.