We have a new service up, accessible too

Updated 20:13 4/16/2024 to correct Gender type things

How exposed is your information? Have you looked at haveibeenpwned before? It only does emails, passwords and domains. While I do like haveibeenpwned, I think we found something that is quite cool. I know Have I Been Pwned is good, and it does get updated with verified info, which is in a table on the home page. Our new service also gets verified, so both have their place.

I believe both can be used in different ways, so both will be on our resources page of EMHS.

By the looks of it, haveibeenpwned’s domain validation sends an email to a valid email address. While the process was simple and told me what I needed to do if I were to do this, putting the file up and verifying it seems to darken the page with a notice but it isn’t voiced. This is why I’m excited about a service I’ve been eyeing and decided to give it a look.


Devanand Premkumar is someone who is on Mastodon. This is his Mastodon page; go follow it.

He has an open source project I’d like to talk about, and we’ll be talking about this as part of an open segment for things to ponder. We also will be talking about the exposed breaches section of the web site and how you can search it, like I did for AT&T, and found it was put in July 2021.

The service is called Exposed or Not. You drop the E for the domain, so it is xposedornot.com.

From EMHS

Companies and services of interest
xposedornot (Exposed Or Not)

From their web site: XposedOrNot (XON) is a practical and resourceful tool designed to enable you to verify if your personal data has been implicated in a data breach. Originally, this initiative was born out of my deep interest in forensics and the analysis of data breaches. The realization of the sheer volume of sensitive information exposed and the potential harm it could cause quickly led me to transform this interest into a public service. I was motivated to offer this service to everyone for free, making it accessible to all who want to protect their personal data and privacy.

Learn more through their FAQ and check out what they have to offer. Tested slightly for accessibility under usage, and it works.

About the service

As indicated within the table, I’ve actually tested it and it seems pretty accessible. I did have some trouble with getting the domain verified, but I put the file both in the root and in the public_html sections, which seems to work.

In MENVI’s case it did find 6 breaches, 5 of which belonged to addresses that MENVI does not have as an active address. Who knew!

While Exposed did find all my breaches using my personal address at jaredrimer.net, it found absolutely nothing when doing a domain lookup.

In their FAQ, they explain the exposure level scores you will see if you do an email or password check. What was interesting to me was the fact my score was so low. But there are many factors that play into a score, and I have a low risk score.

While Have I Been Pwned and xposedornot are similar, xposed has a lot more going for it.

As I said, I validated two of my domains and ran checks on them. They have passwordless authentication, which was quite nice. It sends you a link which is good for 24 hours.

Furthermore, Have I Been Pwned has a notification service, but it pops up a dialogue which we cannot navigate. This has been confirmed with both of the major screen readers, JAWS and NVDA. The alert me service, once confirmed to be in a breach or not, clearly has a button for notification, asks for an email address, and you must confirm this.

Who is behind Xposedornot?

Under “Who am I” the site says:

Hello, I’m Devanand Premkumar, and I bring over two decades of experience in IT and information security. My career has been dedicated to helping organizations fortify their online defenses and ensure they comply with industry standards. I’m skilled at crafting and implementing security strategies that work across the globe, whether it’s technical or not.

Outside of work, I have a strong interest in forensic investigations and enjoy tackling challenges in Capture The Flag (CTF) competitions. In 2017, I started a side project called XposedOrNot. It began as a way to collect and share exposed passwords for free. Over time, I’ve been getting data from public breaches, and now, with a wealth of information at hand, I want to offer this resource to those who can benefit from it the most.

My journey in IT and information security has been immensely fulfilling, and I’m committed to sharing my knowledge and expertise to create a safer digital world for all.

The site does not collect personal information, although verifying a domain does need some information, like an email address to send you email, or an email address to have you notified of breaches and the like.

They will never share sources of info with anyone, but it is all searchable.

Here is their FAQ page for reference.

This web site can be found on EMHS’s resources page and this post will be linked to the blog section of the same page as well.

resources on EMHS

Welcome aboard Exposed, thanks for a very accessible web site to use. Now go! Share this, and learn what’s out there. Devanand can be contacted and encourages the contact to improve the service.
Thanks for reading, make it a great day!

