If you’re of a certain age, you’ll recall the pamphlets the doctors would hand you at the end of your visit, so you could read about your ailment. They all started with, “So, You’ve Got…”. I think we need a pamphlet called So, You’ve Been Pwned. (And if you’ve never heard the term pwned you can read about it here and go play with the cool kids.)
The website Have I Been Pwned will scan hundreds of sites containing breached account datasets to tell you if it finds a match with the email address you entered. You can check it out here. Now that you’ve visited the site and entered your email address, and found out that you’ve been pwned, what do you do?
If You’ve Been Pwned, Take a Deep Breath
If you have been pwned, you need to understand what that means. Somehow, some way, your email address ended up on one of these sites that list breached email addresses. It very likely doesn’t mean that your network or email service was hacked. Put another way, if your network was hacked, you’d already know that.
So, how does your email address end up in a breached account dataset? There are a few different reasons.
- You might use your work email to complete an ecommerce transaction, such as ordering lunch from a catering service.
- A web application might “screen scrape” email addresses (such as email@example.com) that are found on your organization’s public website.
- You might provide a work email address to comment on a web post.
- You might provide a work email address in order to download a report.
I can relate to this last item. I often download content from websites, things like analyst reports, white papers and survey results. I see it as a fair exchange: you get to see if I’m a qualified sales lead, and I get to read some useful stuff. What I have noticed is that, over time, I get email from companies I never gave my email address to. Companies are sharing my email address, either with “affiliate” companies or (seemingly) with anyone willing to pay for the information.
Treat Your Email Address with Care
Email addresses are routinely bought and sold for marketing purposes. The companies that collect email addresses (e.g., for future marketing campaigns) are themselves breached, and their mailing lists end up in the breached account datasets. If you’ve been pwned, this is likely how it happened.
We know this by looking at some of the companies that have been hacked. They include data brokers and sales automation firms like Apollo, B2B USA Businesses, Factual and Exactis.
Further, it’s pretty easy to guess a person’s email address. If I know your name, say “Gary Johnson”, I can bet your email address is firstname.lastname@example.org, email@example.com or firstname.lastname@example.org. It doesn’t take long to enumerate the possibilities.
So, realize that you can’t rely on keeping your email address secret as the only thing needed to maintain your account security. You’re probably better off presuming that you’ve been pwned. Focus on your password instead. And use multi-factor authentication if you can.
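The advice above boils down to a triage question: did the breach that lists your address expose a password, or only contact details? The following script is an added example, not code from the article, that asks Have I Been Pwned's v3 API (a real endpoint; the API key is a placeholder) and sorts the result into "credentials exposed" versus "contact data only" so you know whether a password reset and MFA are the next step. The sample response at the bottom is constructed to match the API's shape and is not real breach data.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Real HIBP v3 endpoint; the API key is a placeholder that you must replace.
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{account}?truncateResponse=false"
HIBP_API_KEY = "<your-hibp-api-key>"

def fetch_breaches(email, api_key=HIBP_API_KEY):
    """Return the breach records HIBP holds for `email` (HTTP 404 means no match)."""
    url = HIBP_URL.format(account=urllib.parse.quote(email))
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": "pwned-triage-example"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise

def triage(breaches):
    """Split a pwned result into breaches that leaked passwords and those that did not.

    Only the first group calls for a password reset; the second mostly means more
    spam and phishing, which is the "data broker" case the article describes.
    """
    credential_hits = [b["Name"] for b in breaches if "Passwords" in b.get("DataClasses", [])]
    contact_only = [b["Name"] for b in breaches if "Passwords" not in b.get("DataClasses", [])]
    if credential_hits:
        action = "reset password and enable MFA"
    elif contact_only:
        action = "expect spam and phishing; password not exposed here"
    else:
        action = "no breach on record"
    return {"credential_hits": credential_hits, "contact_only": contact_only, "action": action}

# Constructed sample in the shape of a HIBP response (not real breach data).
SAMPLE_RESPONSE = [
    {"Name": "ExampleBroker", "Title": "Example Data Broker", "BreachDate": "2018-07-23",
     "DataClasses": ["Email addresses", "Names", "Phone numbers", "Job titles"]},
    {"Name": "ExampleForum", "Title": "Example Forum", "BreachDate": "2016-02-01",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

To run it against a real address, replace the key and call `triage(fetch_breaches("you@example.org"))`; the free `truncateResponse=true` form omits `DataClasses`, so the full response is required for this triage.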
Having said that, I still think it’s a good idea to avoid giving up your organizational email. If you don’t discourage use of an organizational email for personal business, you face two consequences.
- Users will get more spam. It’s not the end of the world, but it is annoying. Trust me on this. I’ve come across emails while cleaning up a customer’s network that are being sent to a person who left the organization five years ago.
- Users will be more likely to give up their email information to a phishing site. This is closer to the end of the world. The user’s account is likely compromised, and Bad Actors now have an entrée to your network.
Shut the Front Door
Your email address is like the front door to your organization. How much you want to share it is partly a matter of personal preference. Just remember that in sharing it there is some risk you’ll find you’ve been pwned. And remember as well that it’s the lock that makes the door secure.
Bonus: if you want to see a funny take on the old MD pamphlets, check out The Simpsons “So, You’re Going to Die” episode. Here’s a short clip.