See your identity pieced together from stolen data

Story Lab

By Julian Fell, Ben Spraggon, and Matt Liddy


Have you ever wondered how much of your personal information is available online? Here's your chance to find out.

We've all heard about high-profile data breaches at places like Optus and Medibank, but there are thousands more of them that we don't hear about.

That's why Australian online security expert Troy Hunt created Have I Been Pwned? — a service that tracks stolen data across the internet, and is used by numerous national governments, security services and law enforcement.

Now, we’ve used Hunt's database to help you:

Find out what data breaches you’ve been caught up in

See a visual summary of the potential scale of the leaked information out there about you

Understand how something known as "the mosaic effect" can increase the risks we all face online

Enter your email address below to see exactly how breached data can be used to piece together a detailed picture of your identity.

Note: You're reading the generic version of the story. This interactive element is available only on the ABC News website.

The portrait of this person's identity starts with an email address.

This visualisation will reflect the worst possible case for the breaches they've been caught up in, according to Have I Been Pwned.

The first breach they showed up in was at Lastfm back in 2012.

In this breach, email addresses, passwords, usernames and website activity were exposed.

But this is only the start of their history of exposed data.

Later that same year, they were caught up in a breach at LinkedIn, which included email addresses and passwords.

Another at Apollo followed in 2018.

With each successive breach, more pieces of their identity are falling into place.

Their email also shows up in a breach at YouveBeenScraped, which exposed email addresses, employers, geographic locations, job titles, names and social media profiles.

By 2019, with another at Canva, this portrait is starting to take shape. But we're not done yet.

All told, they've been caught up in seven breaches.

Between them, 11 distinct pieces of their identity have been potentially exposed, many of them multiple times over.

The types of information they've had breached most often are email addresses (7), names (5), geographic locations (4), passwords (3), and usernames (3).

For more detailed information about your personal history of breaches, check out Have I Been Pwned.

In a moment, we'll take a closer look at exactly where all that data came from, but first it's worth considering what this portrait tells us.

Digital rights advocate Samantha Floreani says that with each successive breach, more aspects of your identity are able to be "pieced back together".

And with more information out there about you, the risk of fraud, cybercrime and identity theft increases as well.

"Maybe you were part of the Optus breach and X, Y and Z details were leaked," she says.

"Maybe you were also part of another breach that you have no idea about."

This is called the "mosaic effect", and it means that your risk compounds with every breach. This is because all of that information can be tied back together using one piece of information that links it all together — in this case, your email address.

Floreani herself has been caught up in seven separate data breaches.


One of our ABC colleagues who tested the tool showed up in a massive 41 breaches — though plenty of others managed to escape with only a handful of exposures.

Where did your data come from?

Even the Australian cybersecurity expert who runs Have I Been Pwned isn't immune.

Troy Hunt has been caught up in 28 breaches himself, and he'd never even heard of several companies that exposed his personal information until they were breached.

One of these situations has stuck in his mind.

"I once caught up with someone in an infosec (information-security) capacity and they added me to their address book," he recalls.


This person used Covve, a contacts app that stores data in the cloud — though Troy had no idea about this yet. When Covve's server was later breached, Troy's name, phone number and email address all ended up in the data.

"I didn't know why I was there when I found myself in the breach," he says.

"They sure as hell didn't notify me."

It took an extensive investigation to finally discover Covve as the source.

But Troy is not the only one surprised at where his data has ended up.

Many of us won't recognise some of those entities that have exposed our data — it's an indication of how little we know about what happens to our data once we give it away.

But wait, there's more …

Samantha Floreani was surprised to find she'd only been caught up in seven data breaches, but she isn't getting ahead of herself.

And that's because this tool can't tell the full story.

"This only reflects breaches that are known to Have I Been Pwned," Floreani says.

"What it doesn't show is all of the other data about me that is floating around."

And data breaches only make up part of a bigger picture, as personal data is regularly bought, sold and traded in wide-ranging data markets.

"These companies — the data-enrichment industry, data brokers, data intermediaries, and aggregators — turn a profit by compiling data about us from a variety of sources," she says.

"If we were able to see the full extent of all the pieces of information available about me, you'd probably end up with a high-definition mosaic portrait."

Data enrichment services sell access to large databases of personal information about education levels, religious beliefs and personal interests.

Katharine Kemp, a data privacy law expert at The University of New South Wales, believes this "enrichment" of customer data for profiling and targeting is actually unlawful in Australia.

Her research paper, released in late 2022, points to Australia's "forgotten privacy principle".

It states: "Data must be collected directly from an individual unless it is unreasonable or impracticable to do so."


Only, in her view, this law isn't being enforced by Australia's privacy regulator, the Office of the Australian Information Commissioner (OAIC), in respect to data enrichment for profiling or targeting.

And when she asked her colleagues why this might be, no-one seemed to know.

"It's had a lot of privacy scholars and practitioners in Australia scratching their heads," Dr Kemp says.

The ABC reached out to the OAIC and a spokesperson said they were "not able to comment on whether a specific company is complying with the Australian privacy principles".

The OAIC did not directly comment on whether data enrichment was legal in Australia or why it had not pursued enforcement action against data-enrichment practices.

Dr Kemp believes this law rightfully poses "an existential threat to businesses that are entirely disrespecting the dignity and autonomy of individuals".

And this has some major industry players concerned. Data broker Experian has argued for removing this principle in its submission to the Privacy Act Review.

An Experian spokesperson told the ABC: "We and others in the industry believe it is outdated and does not fit well with modern data uses. We believe third-party data is vital to a healthy data ecosystem."

Experian claims that critical services and education around the pandemic and the Black Summer bushfires were enabled by "modern data uses". But it failed to specify how these uses were threatened by this privacy law.

Dr Kemp, for one, is not convinced by this argument.

"Those kind of examples are irrelevant and can't be used to justify data enrichment for profiling or targeting," she says.

"Companies are trying to use the sheer scale and profitability of their shady data practices to shield them from the law."

And with Experian disclosing a breach in 2015 and then another in 2020, it's clear these firms are attractive targets for cybercrime.

In fact, one of the largest breaches collated by Have I Been Pwned has also been traced back to a "likely" customer of data-enrichment company People Data Labs.

According to its website, People Data Labs holds "information about over 3 billion individuals and companies, including their contact information, social media profiles, and other key attributes".

The ABC approached People Data Labs for this story, but it did not respond.

The glue that binds the pieces together

Whether it's for criminal activity or for targeted advertising, this kind of data is being used to create detailed portraits of our identities.

At the start of this story, all it took was a single detail – your email address – to find you in the masses of exposed data that have been collated by Have I Been Pwned.

This includes data from breaches at large companies, like Twitter and Facebook, as well as repackaged data that has been scraped from data-enrichment companies.

For privacy reasons, Have I Been Pwned doesn't include the full data exposed in these breaches; it only lets you know if your email address appears in them. But many of them can be found online in full — if you know where to look.

There are terabytes of personal data being traded openly on marketplaces where anyone can buy it.

And your contact details are the glue that binds together your mosaic from all that exposed data.

What can we do about it?

There are plenty of privacy tools out there that anyone can use, ranging from browser extensions to digital-hygiene overhauls.

Some can reduce the mosaic effect by limiting the ability of criminals to link breaches together.

Email-masking services, such as Apple's HideMyEmail and Firefox Relay, provide random "burner" email addresses for signing up to websites and services, which essentially dilutes the glue used to construct the mosaic.

Only, your email address is one of many possible details that can be used to identify you across multiple breaches.

Sure, there are similar services to mask your credit card details, phone number and other personally identifying pieces of information.

But using all of them at once would be clunky.
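The linking described above can be checked against your own sign-up inventory. The Python below is an added example, not code from the ABC story or from Have I Been Pwned: it groups accounts that share any identifier and reports the data classes each group would expose if every service in it were breached. The service names, identifiers and data-class lists are all constructed for illustration.

```python
from collections import defaultdict

# Constructed data classes held by four hypothetical services.
HOLDINGS = {
    "music-site": {"email addresses", "passwords", "usernames", "website activity"},
    "careers-site": {"email addresses", "passwords", "names", "job titles", "employers"},
    "design-tool": {"email addresses", "names", "usernames", "geographic locations"},
    "shop": {"email addresses", "names", "phone numbers", "physical addresses"},
}


def inventory(ids_by_service):
    """Build account records from the identifiers given to each service."""
    return [{"service": s, "ids": ids, "classes": HOLDINGS[s]}
            for s, ids in ids_by_service.items()]


def link_accounts(accounts):
    """Cluster accounts that share any identifier value (email, username, phone).

    Union-find: two accounts end up together when a chain of shared
    identifiers connects them, which is how separate breaches become one mosaic.
    """
    parent = list(range(len(accounts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (identifier type, normalised value) -> account index
    for idx, acct in enumerate(accounts):
        for kind, value in acct["ids"].items():
            key = (kind, value.strip().lower())
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    clusters = defaultdict(list)
    for idx in range(len(accounts)):
        clusters[find(idx)].append(idx)
    return list(clusters.values())


def mosaics(accounts):
    """Return (services, data classes) per linkable cluster, largest first."""
    result = []
    for members in link_accounts(accounts):
        services = sorted(accounts[i]["service"] for i in members)
        classes = set().union(*(accounts[i]["classes"] for i in members))
        result.append((services, classes))
    return sorted(result, key=lambda m: (-len(m[1]), m[0]))


# One address everywhere: every breach joins the same portrait.
REUSED = inventory({
    "music-site": {"email": "sam@example.com", "username": "sam_r"},
    "careers-site": {"email": "sam@example.com"},
    "design-tool": {"email": "Sam@Example.com", "username": "sam_r"},
    "shop": {"email": "sam@example.com", "phone": "+61 400 000 000"},
})

# Masked email per service, but one username is still reused.
MASKED = inventory({
    "music-site": {"email": "a1@relay.example", "username": "sam_r"},
    "careers-site": {"email": "a2@relay.example"},
    "design-tool": {"email": "a3@relay.example", "username": "sam_r"},
    "shop": {"email": "a4@relay.example", "phone": "+61 400 000 000"},
})

# Masked email and a distinct username per service.
SEPARATE = inventory({
    "music-site": {"email": "a1@relay.example", "username": "blue_heron"},
    "careers-site": {"email": "a2@relay.example"},
    "design-tool": {"email": "a3@relay.example", "username": "quiet_fig"},
    "shop": {"email": "a4@relay.example", "phone": "+61 400 000 000"},
})

if __name__ == "__main__":
    for label, accounts in (("reused", REUSED), ("masked", MASKED), ("separate", SEPARATE)):
        print(label)
        for services, classes in mosaics(accounts):
            print(f"  {len(classes):2d} data classes via {', '.join(services)}")
```

In the masked scenario the reused username still joins two services into one cluster, which is the point made above about email being only one of many linking details.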

Samantha Floreani says "placing all the responsibility onto individuals to protect their own privacy in this landscape is totally unreasonable".

"We need robust regulation to protect our privacy, challenge the data-extractive business models of digital platforms," she says.

However, as with Dr Kemp's "forgotten privacy principle", strong privacy laws aren't a panacea. They also have to be enforced.

About this story

The visualisation shown in this story displays the worst-case scenario for each data breach your email has been caught up in. The Have I Been Pwned database only identifies whether a given email address has been caught up in a breach and the other types of data in each breach. For privacy reasons, it doesn't record which types of data were linked to an individual email address in each breach.

If you enter your email address to use the personalised functionality of this story, the ABC and Have I Been Pwned won't store your personal information. More details are available on the Have I Been Pwned privacy page.

Have I Been Pwned has provided the ABC with free access to its API to enable a personalised experience in this story. It regularly provides this service for government and educational purposes.

Credits

Reporter and developer: Julian Fell

Designer: Ben Spraggon

Editor: Matt Liddy
