Database of breached websites



  • I run a website with a user database. I have an account with my email and I put it on a website like Have I Been Pwned, which does not reveal a breach. I also check the website's list of breaches to see if my website is included, which it is not. I imagine that browsers like Chrome and Microsoft Edge use multiple databases to advise users on breaches.

    What other resources could I be checking to be the first to know about a breach of my website?



  • You could add a dummy user in your database, with a non-predictable E-mail address, that serves as a canary. The E-mail address should be random enough that even a spammer using brute-force SMTP sending is unlikely to stumble on it.

    If you start receiving spam or phishing on that address, it is a sign that the DB has likely been compromised.
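
The canary approach from the answer above, as an added example that is not part of the original post: it generates an unguessable address and scans mail logs for deliveries to it. It goes one step further than the answer by seeding a different canary per database copy so a hit also shows which copy leaked; the domain `canary.example`, the labels, and the simplified Postfix-style log lines are constructed assumptions.

```python
import re
import secrets

def make_canary(domain: str, nbytes: int = 16) -> str:
    """Return an address whose local part carries nbytes of CSPRNG output."""
    # 16 bytes = 128 bits: out of reach for dictionary or brute-force SMTP guessing.
    return f"{secrets.token_hex(nbytes)}@{domain}"

# Recipient field as it appears in Postfix-style delivery lines: to=<addr>
RCPT_RE = re.compile(r"\bto=<([^>]+)>", re.IGNORECASE)

def find_canary_hits(log_lines, canaries):
    """Return (canary, seeded_in, log_line) for every delivery to a canary.

    canaries maps address -> label of the database/table it was seeded in,
    so a hit also tells you which data store leaked.
    """
    lookup = {addr.lower(): label for addr, label in canaries.items()}
    hits = []
    for line in log_lines:
        for rcpt in RCPT_RE.findall(line):
            label = lookup.get(rcpt.lower())  # mail domains are case-insensitive
            if label is not None:
                hits.append((rcpt.lower(), label, line))
    return hits

# Constructed sample data (assumed names and values, not from the original post).
SAMPLE_CANARIES = {
    "9f2c4e1ab07d4c55a8e3b1d6f0c7a912@canary.example": "prod.users",
    "41d0b7e6c2a94f3f8b5a6e0d9c1f7a23@canary.example": "backup.users",
}
SAMPLE_LOG = [
    "Jan 10 03:12:01 mx postfix/smtp[101]: A1: to=<alice@example.org>, status=sent",
    "Jan 10 03:14:47 mx postfix/local[102]: B2: "
    "to=<9F2C4E1AB07D4C55A8E3B1D6F0C7A912@canary.example>, status=sent",
    "Jan 10 03:15:02 mx postfix/local[103]: C3: to=<postmaster@canary.example>, status=sent",
]

if __name__ == "__main__":
    print("new canary:", make_canary("canary.example"))
    for addr, label, line in find_canary_hits(SAMPLE_LOG, SAMPLE_CANARIES):
        print(f"ALERT: canary seeded in {label} received mail: {line}")
```

The canary account should never be used to sign up anywhere else or receive legitimate mail, so any delivery to it is worth investigating.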


