I got Pwned ... and so did you! (you're likely in the 12 Billion)

Our data is out there! Have I Been Pwned. Yes, and so have you (most likely) because of all the data breaches taking place every day. 12 Billion accounts have been compromised. This is a security nightmare!
Check if your data was found in a data breach:
E-mail address: haveibeenpwned.com/
Password: haveibeenpwned.com/Passwords
Pwned Websites: haveibeenpwned.com/PwnedWebsites
// Troy’s SOCIAL //
UA-cam: ua-cam.com/users/troyhuntdotcom
Website: www.troyhunt.com/
Website: haveibeenpwned.com/
Twitter: twitter.com/troyhunt
Facebook: facebook.com/troyahunt
LinkedIn: www.linkedin.com/in/troyhunt
// David's SOCIAL //
Discord: discord.gg/davidbombal
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
00:00 - Coming up
00:39 - Troy Hunt // Creator of haveibeenpwned.com
01:08 - Origin of PWNED
02:38 - Troy Hunt's UA-cam Channel
03:48 - Origin of haveibeenpwned.com
05:27 - How to protect ourselves from data breaches
10:52 - Going to the US Congress // The "Congress socks"
16:21 - What are the solutions?
17:51 - Passwords are the biggest threat
21:01 - Recommended ways to keep passwords and personal details // "Lying is good"
31:56 - How your email is connected to everything
33:52 - Using VPNs // The Gumtree Fridge story
40:14 - How to report possible vulnerabilities
44:41 - Crazy experiences // Be careful what you put online
51:30 - New features on haveibeenpwned.com
55:06 - "Data breaches are 100% from human error" // Vulnerable softwares
56:36 - Bug Bounty
59:22 - Advice for the youth
01:02:52 - Conclusion
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.

Having to provide a mobile number to companies who never use it nor need it but cannot progress without providing it is so annoying.

❤ what a beautiful man, thanks for posting Mr.B.

The 2016 data breach got my cringe named email exposed 😭

I got pawned as well, 2 of my emails. Although I already changed my password :)

The "First of January" part got me. That's hilarious.

To my younger self: don’t report children at risk.
This is one of the absolutely great podcasts of all time, just how many people are not harmed by being pawn’d.

Great conversation. One minor criticism through; it would be appreciated if you write a short description about your guest and their background in the description above their social links. It helps a lot with source follow up, especially when there are multiple episodes as well as with finding the video when searching for it and not remembering the title. I know some guests are anonymous but it helps with the known guests.
Thank you for the interview.

Great video as always, but your guest making light of the implications of mandatory digital ID is short - sighted in my opinion. I really think you ought to explore this subject more from *both* sides.
It seems to me that conditional access for the Internet is right around the corner, and we ought to start having these conversations now.

Thanks Dave for introducing me to Troy with this video! Much apporeciated.

Great conversation! I have been trying to reach out to contacts that are part of business email compromise through phishing campaigns and have felt a small portion of that pain in finding security contacts.

amazing interview with Troy!! 😮 thank you!

Don't agree about digital DL. What that person was concerned with is that government will see exactly where drivers licence info was used at

ive played in fps games for years, in multiple games. the trolls used to say "owned" everytime they killed someone and used so much to be annoying, servers started adding "owned" to the list of banned words, peeps just started texting "pwned" to keep from getting banned.

thank you @David, I always learn something new here.

David, I really like you videos, I find them rather relaxing. After playing around with leetcode problems I go to your channel to both learn something new about cyber-security and chill out a little.

"Don´t put it on the internet if you don´t need to" But we *DO* need to. You wanna use basic services from your government? You wanna communicate via anything not letter? You want to have a website or, let alone an online shop? Well, then hand over your credentials, including real life address and full name.
Ofcourse, if you are rich enough, you could just make a shell company or use a manager aswell, but I guess that´s out of the option for most small and middle class businesses.

Enjoyed the interview, verry informative. Loving the Australian mentality and dialect :D

🔥

Love from India ❤❤

there’s an idea… “have i been socked”. database of socks and if someone has been identified wearing them. best practice is to change your socks regularly and have burner socks. 😂

one the best discussions in a long time by two awesome guys in the sector

Great content.

Very much know what he meant: I've tried to get in contact with my own bank many years ago about a security issue on their website. Even being at the physical local bank office/building did not get me any contacts inside the company to talk to. I never got anywhere with them, not from the contact form on the website either. So I never used online banking for many, many years.

Joke's on them - I've got NO dosh!

Oh wow! Troy Hunt!

Staffers are amazingly bright, at state level, too.

I have worked and trained as a cybersecurity professional 'dude' long before it was called 'cybersecurity'. Cybersecurity is, was, and shall always be a forever cat-and-mouse game with hackers and bad actors. No matter the level and depth of cybersecurity, the bad actors will forever view it as a challenge they must work hard to defeat and break.

yeah troy is one of my teachers in pluralsight, nice to have it here too.

Troy! The legend - awesome, gg

28:36 Simple: When fudging don't "fudge" the fudge and nothing will be fudged!

I handle security for a small financial insititution. Anonymizer VPN's will be getting blocked from all services by the end of this year. They won't even be able to navigate to the website, let alone access any banking or applications.

Eye-opening discussion on haveibeenpwned

Yayyyy aussieland 👏, great interview David. I use the Yubikey 5 series and still old fashion with my long passwords 📒 I am a cyber student still on a learning curve.

I always give 1st January as my DOB 🤣

Seriously awesome video, you need to do more videos with remie. More practical videos like this. Great stuff

Think we could get a vid on Amesit which is documented in the NTC Vulkan report from Mandiant?
With all our personal data out there along with what we know of the Cambridge Analytica incident, how could that framework as documented be weaponized?

I always thought pwn would stand for "Personally Owned" or "Professionally Owned"

Nice video

Hi David. Is there a good email address for you that you monitor regularly ? Cheers. NOSS

I've struggled a lot with trying to get in contact with security teams before. its very annoying. Plus getting a response from said PR and marketing departments is a huge problem. Never utilized asking on twitter or linkedin if someone can has a contact in "XYZ" company's security department, but that makes since. It really sucks checking back 8 months later and still seeing the same mistake exploitable. Like at a certain point we just give up when you see nothing change. seen this happen in Star Citizen(the overpriced space game), like an airline in India(I think, was a while ago. And the in a credit card promotion. And like. how tf am I supposed to put this on my resume that I've reported these, but they haven't been dealt with yet. like, I'm not going to make an exploit known to some recruiter at reliaquest no matter how much it'll make my interview better, cause they arent known to represent said company's security(at least publicly, but it'd be unlikely since there's like a list of 500 managed SOCs just in the US). like Star Citizen was a bit different cause back then I was a kid back then and actively exploiting(with pulovers macro creator back then cause i didn't know how to do javascript bots yet), but even then, I tried reaching out to them to fix the issue with how the REDACTED. nevermind
kinda just treated this as a vent. FR, Please hire someone to represent your company for security related emails so we can get in contact. Is an awful trend to not have a point of contact.

I have a question... Did you remove the meta data from the screen shot before sending it?

The worst part is when I hear people use a online password manager.. yeah.. so if I can get the login details to that account, I have every of your password now.

12:38 Chuck is that you? 😂

I was pwned on all accounts a while back, including passwords. I had to redo all my accounts and am much more selective now. Have I been pwned helped me see the accounts in breaches.

interesting, i just read that toyota had data breach

❤

The only way companies can be made responsible for data leaks is massive fines. If companies were at risk of bankruptcy, I can tell you this problem would be minimized.
You can have the best password manager in the world, if the data leaks from the company's server, there's nothing you can do about that.

I got pwned a long time ago. I changed my passwords but ever since bots would keep trying to bruteforce the email and send forgotten password requests to it, so i deleted everything and moved my stuff over to gmail.
Microsoft/hotmail sucks.

It may be helpful to have an email provider that would change the email address every 3 months or so, update with added apps, websites. This way we could easily manage our log ins, 2fa for important websites. Could be alot of add ons but the logistics...would be intensive.

38:28 ajajajja genius. Hey you should make a video with Pierogi

The bigger concern to me is more, a lack of transparency in regards to what companies do with your data, how they store it, and what they are willing to do to make money from it. An example is F&P want to embed wifi in all their devices, the belief is that even if you don’t use it, they can sell your data, so there was a push to have this added to all their appliances. It was also interesting how this seemed to be a higher priority now they are owned by a Chinese company. Also if companies aren’t storing details securely all you steps to have protect yourself may not be enough. If I just want to try something and haven’t decided if I want to sign up or not, I just use a disposable email account and fake details, in the event I like it I can then rejoin as me if I want to.

I just love show

That last email reply to scammer is really hilarious. The part where you give static data really annoys me like a name of your high school, sure I know where it is but I don't remember in which way I give it an acronym? a short name? full name? or joke name?
Thank you for the interview.

Interesting side note, if you immigrate to the US and don't know your birthday, they set it to Jan/01

DANG! COOL!😎🥶

I heard pawn started because someone developing the game Halo made a mistake by tapping the p instead of the o when they were trying to add owned to the dialogue and it got replicated so far into the game that they didn't want to go back and fix it because it was going to set the game back so far and cost them too much money , if I'm remembering correctly it originated with Halo and that's kind of how it started because they actually put it into the game( I have been informed that I am actually incorrect on this one, but I am just remembering an interview that I saw with one of the Halo developers a long time ago so someone did correct me and say that it went back as far as the quake days ) now I could be wrong but I'm in my forties and I'm pretty sure I'm remembering it correctly or at least that was the story that was circulated at the time
So thank you to Swerving Lemon for the correction

Glad I'm not

07:30 In Canada the question used to be ~"Are you a man who has had sex with a man since 1975?"

I am more concerned that the license app will be used to digitally sign identity verification for websites. Email, VPN, various services.. anything that requires trust will likely end up demanding proof of ID and maybe even a facial scan.
I am aware that it's the slippery slope fallacy but this is where we are heading. In Australia the govt is making a "digital ID" and demanding that adult services stop kids from using them. I don't care about such services but I know that once the infrastructure is in it will be rolled out elsewhere.
Anonymity is the only thing that can protect you from data breaches/leaks.

👍🏻

Could you make a video utilizing the flipper zero for 2FA on Kali? Thx again for all your great content.

50:04 and here lies the root of all evil. People should never have their lives ruined just because some idiots decided to shame those who are different from them.

Wow

lastpass was joke was from day #1

@ 05:00 regarding others having your details, similarly there is a well-used mobile caller protection app i.e. Truecaller that uses your phone book as part of its database. So whilst you may not have supplied your name and number to the database, someone with your number may have.

leetspeak ack

Guys, i have a s23, i installed nethunter on my phone, it uses 20gb of space on my phone, and i want to uninstall it, but i dont know how to do it, someone pls help me!!😢

Love your videos. If only some of them were shorter. I need a break from studying and 1 hour doesn't help... ❤

1st comment good video

always the first

keepass?

why are you not on mastodon?? I do NOT have Twitter...

Sir i am from Nepal suppose i verified my kyc document with passport /mobile no/email address in some app if that data get leaked and hacker got access to my document can hacker take loan on my name in foreign countries if yes how can i get informed that somebody used my information to take loan in foreign countries and what to do to cancel the loan? Please Help 🙏

I can''t understand most what your friend is saying sorry, someone turn the subtitles on

It’s not uncommon to get your data breached, if you use the internet and you have not been breached that would be a Miracle. Not to sure why everyone is so shocked about it, the key thing here is what was breached ? Is it extremely sensitive like your social then it’s time to worry….

If you check if your password has been "pwned", in fact you are adding your password to their dictionary... so don't be stupid

There is a big difference between a plastic card with your basic identity on it in your wallet and some mandatory government application on your phone...

No, password managers are garbage lol. Don't reuse the passwords and just press the "change password button"

First

Are you kidding me? You don't know that pwn comes from online chess?

fyi, its been proven multiple times over that using sms 2fs is much weaker than just a password.. you all need to address this,, SS7 has zero security, and you all need to quit pretending it does. seriously, its bad, and it really hurts your position. STOP . ADMIT FAULT

I often say "a lie is only a lie if it can be proven to be false". I apply this in EVERY area of my life. I make up whatever compelling story I need to get what I want.

ALL blood is tested it is none of their business what you do in life you have fallen for phishing from the blood collection service!

No way the bank card you show still works thanks man i tried it for a joke but order went through off shopping now thanks

Guys, i have a s23, i installed nethunter on my phone, it uses 20gb of space on my phone, and i want to uninstall it, but i dont know how to do it, someone pls help me!!😢