ABC News

See your identity pieced together from stolen data

Have you ever wondered how much of your personal information is available online? Here's your chance to find out.

We've all heard about high-profile data breaches at places like Optus and Medibank, but there are thousands more of them that we don't hear about.

That's why Australian online security expert Troy Hunt created Have I Been Pwned? — a service that tracks stolen data across the internet, and is used by numerous national governments, security services and law enforcement.

Now, we’ve used Hunt's database to help you:

  • Find out what data breaches you’ve been caught up in
  • See a visual summary of the potential scale of the leaked information out there about you
  • Understand how something known as "the mosaic effect" can increase the risks we all face online

Enter your email address below to see exactly how breached data can be used to piece together a detailed picture of your identity.

Note: You're reading the generic version of the story. This interactive element is available only on the ABC News website.

The portrait of this person's identity starts with an email address.

This visualisation will reflect the worst possible case for the breaches they've been caught up in, according to Have I Been Pwned.

The first breach they showed up in was at Lastfm back in 2012.

In this breach, email addresses, passwords, usernames and website activity were exposed.

But this is only the start of their history of exposed data.

Later that same year, they were caught up in a breach at LinkedIn, which included email addresses and passwords.

Another at Apollo followed in 2018.

With each successive breach, more pieces of their identity are falling into place.

Their email also shows up in a breach at YouveBeenScraped, which exposed email addresses, employers, geographic locations, job titles, names and social media profiles.

By 2019, with another at Canva, this portrait is starting to take shape. But we're not done yet.

All told, they've been caught up in seven breaches.

Between them, 11 distinct pieces of their identity have been potentially exposed, many of them multiple times over.

The types of information they've had breached most often are email addresses (7), names (5), geographic locations (4), passwords (3), and usernames (3).

For more detailed information about your personal history of breaches, check out Have I Been Pwned.

In a moment, we'll take a closer look at exactly where all that data came from, but first it's worth considering what this portrait tells us.

Digital rights advocate Samantha Floreani says that with each successive breach, more aspects of your identity are able to be "pieced back together".

And with more information out there about you, the risk of fraud, cybercrime and identity theft increases as well.

"Maybe you were part of the Optus breach and X, Y and Z details were leaked," she says.

"Maybe you were also part of another breach that you have no idea about."

This is called the "mosaic effect", and it means that your risk compounds with every breach. That is because all of that information can be tied together through a single shared detail — in this case, your email address.

Floreani herself has been caught up in seven separate data breaches.

Samantha Floreani is concerned about the amount of data circulating online. (Supplied: Samantha Floreani)

One of our ABC colleagues who tested the tool showed up in a massive 41 breaches — though plenty of others managed to escape with only a handful of exposures.

Where did your data come from?

Even the Australian cybersecurity expert who runs Have I Been Pwned isn't immune.

Troy Hunt has been caught up in 28 breaches himself, and he'd never even heard of several companies that exposed his personal information until they were breached.

One of these situations has stuck in his mind.

"I once caught up with someone in an infosec (information-security) capacity and they added me to their address book," he recalls.

Troy Hunt spends his days finding out what data has been leaked onto the dark web. (ABC News: Tim Leslie)

This person used Covve, a contacts app that stores data in the cloud — though Troy had no idea about this yet. When Covve's server was later breached, Troy's name, phone number and email address all ended up in the data.

"I didn't know why I was there when I found myself in the breach," he says.

"They sure as hell didn't notify me."

It took an extensive investigation to finally discover Covve as the source.

But Troy is not the only one surprised at where his data has ended up.

Many of us won't recognise some of those entities that have exposed our data — it's an indication of how little we know about what happens to our data once we give it away.

But wait, there's more …

Samantha Floreani was surprised to find she'd only been caught up in seven data breaches, but she isn't getting ahead of herself.

And that's because this tool can't tell the full story.

"This only reflects breaches that are known to Have I Been Pwned," Floreani says.

"What it doesn't show is all of the other data about me that is floating around."

And data breaches only make up part of a bigger picture, as personal data is regularly bought, sold and traded in wide-ranging data markets.

"These companies — the data-enrichment industry, data brokers, data intermediaries, and aggregators — turn a profit by compiling data about us from a variety of sources," she says.

"If we were able to see the full extent of all the pieces of information available about me, you'd probably end up with a high-definition mosaic portrait."

Data enrichment services sell access to large databases of personal information about education levels, religious beliefs and personal interests.

Katharine Kemp, a data privacy law expert at The University of New South Wales, believes this "enrichment" of customer data for profiling and targeting is actually unlawful in Australia.

Her research paper, released in late 2022, points to Australia's "forgotten privacy principle".

It states: "Data must be collected directly from an individual unless it is unreasonable or impracticable to do so."

Katharine Kemp says data "enrichment" of customer data for profiling and targeting is unlawful in Australia. (Supplied: Katharine Kemp)

Only, in her view, this law isn't being enforced by Australia's privacy regulator, the Office of the Australian Information Commissioner (OAIC), in respect to data enrichment for profiling or targeting.

And when she asked her colleagues why this might be, no-one seemed to know.

"It's had a lot of privacy scholars and practitioners in Australia scratching their heads," Dr Kemp says.

The ABC reached out to the OAIC and a spokesperson said they were "not able to comment on whether a specific company is complying with the Australian privacy principles".

The OAIC did not directly comment on whether data enrichment was legal in Australia or why it had not pursued enforcement action against data-enrichment practices.

Dr Kemp believes this law rightfully poses "an existential threat to businesses that are entirely disrespecting the dignity and autonomy of individuals".

And this has some major industry players concerned. Data broker Experian has argued for removing this principle in its submission to the Privacy Act Review.

An Experian spokesperson told the ABC: "We and others in the industry believe it is outdated and does not fit well with modern data uses. We believe third-party data is vital to a healthy data ecosystem."

Experian claims that critical services and education around the pandemic and the Black Summer bushfires were enabled by "modern data uses". But it failed to specify how these uses were threatened by this privacy law.

Dr Kemp, for one, is not convinced by this argument.

"Those kind of examples are irrelevant and can't be used to justify data enrichment for profiling or targeting," she says.

"Companies are trying to use the sheer scale and profitability of their shady data practices to shield them from the law."

And with Experian disclosing a breach in 2015 and then another in 2020, it's clear these firms are attractive targets for cybercrime.

In fact, one of the largest breaches collated by Have I Been Pwned has also been traced back to a "likely" customer of data-enrichment company People Data Labs.

According to its website, People Data Labs holds "information about over 3 billion individuals and companies, including their contact information, social media profiles, and other key attributes".

The ABC approached People Data Labs for this story, but it did not respond.

The glue that binds the pieces together

Whether it's for criminal activity or for targeted advertising, this kind of data is being used to create detailed portraits of our identities.

At the start of this story, all it took was a single detail – your email address – to find you in the masses of exposed data that have been collated by Have I Been Pwned.

This includes data from breaches at large companies, like Twitter and Facebook, as well as repackaged data that has been scraped from data-enrichment companies.

For privacy reasons, Have I Been Pwned doesn't include the full data exposed in these breaches; it only lets you know if your email address appears in them. But many of them can be found online in full — if you know where to look.

There are terabytes of personal data being traded openly on marketplaces where anyone can buy it.

And your contact details are the glue that binds together your mosaic from all that exposed data.

What can we do about it?

There are plenty of privacy tools out there that anyone can use, ranging from browser extensions to digital-hygiene overhauls.

Some can reduce the mosaic effect by limiting the ability of criminals to link breaches together.

Email-masking services, such as Apple's HideMyEmail and Firefox Relay, provide random "burner" email addresses for signing up to websites and services, which essentially dilutes the glue used to construct the mosaic.

Only, your email address is one of many possible details that can be used to identify you across multiple breaches.

Sure, there are similar services to mask your credit card details, phone number and other personally identifying pieces of information.

But using all of them at once would be clunky.

Samantha Floreani says "placing all the responsibility onto individuals to protect their own privacy in this landscape is totally unreasonable".

"We need robust regulation to protect our privacy, challenge the data-extractive business models of digital platforms," she says.

However, as with Dr Kemp's "forgotten privacy principle", strong privacy laws aren't a panacea. They also have to be enforced.

About this story

  • The visualisation shown in this story displays the worst-case scenario for each data breach your email has been caught up in. The Have I Been Pwned database only identifies whether a given email address has been caught up in a breach and the other types of data in each breach. For privacy reasons, it doesn't record which types of data were linked to an individual email address in each breach
  • If you enter your email address to use the personalised functionality of this story, the ABC and Have I Been Pwned won't store your personal information. More details are available on the Have I Been Pwned privacy page
  • Have I Been Pwned has provided the ABC with free access to its API to enable a personalised experience in this story. It regularly provides this service for government and educational purposes
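The worst-case aggregation described above, and the way per-site email aliases shrink the portrait that a single address can be tied to, can be reproduced from breach metadata alone. This is an added example, not the ABC's or Have I Been Pwned's code: the addresses, the membership table and the "ExampleForum" breach are constructed, and only the data classes for Lastfm, LinkedIn and YouveBeenScraped come from the story.

```python
from collections import Counter

# Data classes per breach. The first three are the classes quoted in the
# article; "ExampleForum" is a constructed breach added for illustration.
BREACH_CLASSES = {
    "Lastfm": {"Email addresses", "Passwords", "Usernames", "Website activity"},
    "LinkedIn": {"Email addresses", "Passwords"},
    "YouveBeenScraped": {"Email addresses", "Employers", "Geographic locations",
                         "Job titles", "Names", "Social media profiles"},
    "ExampleForum": {"Email addresses", "Names", "Phone numbers"},
}

# Constructed membership: which breaches each address appears in, in order.
SEEN_IN = {
    "one.address@example.com": ["Lastfm", "LinkedIn", "YouveBeenScraped", "ExampleForum"],
    "alias-a@mask.example": ["Lastfm"],
    "alias-b@mask.example": ["LinkedIn"],
    "alias-c@mask.example": ["YouveBeenScraped"],
    "alias-d@mask.example": ["ExampleForum"],
}
ALIASES = [a for a in SEEN_IN if a.endswith("@mask.example")]


def portrait(address):
    """Worst case: every data class in a breach is assumed to cover this address."""
    counts, distinct, growth = Counter(), set(), []
    for name in SEEN_IN.get(address, []):
        counts.update(BREACH_CLASSES[name])
        distinct |= BREACH_CLASSES[name]
        growth.append((name, len(distinct)))  # mosaic size after each breach
    return {"breaches": len(growth), "distinct": distinct,
            "counts": counts, "growth": growth}


def largest_linkable(addresses):
    """With email as the only join key, separate addresses cannot be merged."""
    return max((len(portrait(a)["distinct"]) for a in addresses), default=0)


if __name__ == "__main__":
    p = portrait("one.address@example.com")
    print(p["breaches"], "breaches,", len(p["distinct"]), "distinct data classes")
    for name, size in p["growth"]:
        print(f"  after {name}: {size} classes")
    print("most exposed:", p["counts"].most_common(3))
    print("largest portrait with per-site aliases:", largest_linkable(ALIASES))
```

The model joins records on the email address only; as the story notes, other details such as a phone number can serve as the link, so aliases reduce the portrait rather than eliminate it.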
