If one of your online accounts has been hacked - often called being 'pwned' - then it's important not to panic. Follow a few simple steps and you can check the scale of the damage and get your account security under control.
Data leaks happen - it's one of the unfortunate side effects of the modern, internet-connected world. And often, these have nothing to do with you, the user, being irresponsible. Companies can suffer embarrassing data breaches - either through having their servers hacked, human error, or staff misconduct.
There are strict obligations on companies to report data breaches in a timely manner. These reports, plus analysis of hacked data that's been made available online, and the work of so-called 'white hat' (good guy) hackers, mean there are resources to help you find out if any of your own accounts have been compromised in a data hack.
What is Have I Been Pwned?
The best-known site for checking if your email address, or any account associated with it, has been hacked is called Have I Been Pwned.
Here, you can enter your email address (safely) and the site will check it against multiple data breach records. If your account details were included in one of those breaches, you'll be told the bad news that you've been 'pwned'.
To find out if your own email address has been affected by a data breach, head to the Have I Been Pwned website. You’ll need to enter your email address here – don’t worry, there’s no security threat to doing so, and you’ll never be asked to enter a password or other personal data.
What does 'pwned' mean?
Pwned, in this context, simply means that your account has been the victim of a data breach.
The word comes from player-to-player messaging in online computer gaming. When one player is defeated, another might type out a message to say ‘You’ve been owned’.
This was so frequently misspelt as ‘pwned’ that the word itself took off.
What should I do if my account has been pwned?
If your email address has been compromised in a data breach, it’s a smart move to change your login password for your email address, and for the service which was affected by the breach. Even if your email account itself hasn’t been the victim of a data breach, there’s a security risk if another account that you log into with the same password has been affected.
Ideally, you should never use the same passwords across multiple websites. It can, admittedly, be a pain to remember multiple logins. If nothing else, you should always have a completely unique password for logging into your email account – don’t use this same password on any other service.
When creating a strong password, use a mix of upper and lower case letters, numbers and symbols.
Learn more in our guide to creating secure online passwords
Watch out for spam
It’s more important than ever to watch out for spam and junk messages - especially if your account details have been included in a data hack.
Clicking on links within spam, or responding to messages, is a risk – you may expose your address to a data breach, or inadvertently install a virus on your computer. Keep an up-to-date antivirus program running on your PC at all times.
Keep an eye out, too, for signs that your own email address may be sending out spam. The most likely symptom of this is a deluge of ‘bounceback’ emails. You may see automatic responses or ‘address not recognised’ messages in response to emails that you didn’t intentionally send.
If you believe your own address has been used to send spam, don’t panic: there are steps you can follow to secure your account and let your contacts know what has happened.
See our guide on what to do if you are sending spam messages