By Stan Shaw, Founder, CTS
“Pwned accounts”, you might be interested to know, is a term that went viral across the Internet thanks to a simple typo. Someone reporting that a hacker had ‘owned’, i.e., illegally ‘taken ownership’ of, a web account typed the word “owned” a bit too quickly and hit the adjacent keyboard letter “p” instead of “o”. Voilà, a brand new geeky word was born.
Today, tens of millions of accounts from companies around the world have been “pwned”, i.e., “owned” by hackers. And you can find them being actively distributed as part of a lucrative underground business on “the dark Net”, places on the Internet that most law-abiding folks never want to visit.
Pwned accounts are important for clinicians to be aware of because if they are not carefully handled, they can become an ‘Achilles heel’, allowing attackers to gain access to even more confidential data.
So, other than the affected company emailing you directly with a warning, how can you find out if one of your accounts might have been compromised?
The website “';--have i been pwned?”, created by Troy Hunt, a well-known web security analyst, keeps track of over 3.7 billion accounts that have been hacked, exposing user IDs, passwords, and frequently other personal information. The site will look up any email address you enter to see if accounts associated with it have been reported to be “pwned”.
Keep in mind, though, that the information in this database exists only because data from the website breaches listed there is now widely available on the Internet. If your email address is not listed in the database, this doesn’t necessarily mean that all of your accounts associated with it are safe. Sometimes it can take years before a company knows it has been breached.
So here are five steps to help protect yourself before you find yourself on the list, and especially if you find your account has been pwned:
What password manager should you use? It’s best to check the latest reviews and select one carefully, based on your clinic’s security policies. There are free applications out there that can generate and store passwords, but because we value our accounts, we have elected to purchase yearly subscriptions to a robust commercial product that supports smartphones, 2-step verified master passwords, etc.
For more information on protecting your clinic’s accounts, see our Best Practices post entitled “How can I protect access to my confidential accounts? Lessons learned from the PharmaNet breach”.