User Guide

Synapse-HaveIBeenPwned User Guide

Synapse-HaveIBeenPwned adds new Storm commands to allow you to query the HaveIBeenPwned API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal-use API key:

> haveibeenpwned.setup.apikey --self myapikey
Setting haveibeenpwned API key for the current user.

Use Synapse-HaveIBeenPwned to sync known breaches

Sync known breaches from HaveIBeenPwned:

> haveibeenpwned.breaches | limit 3
risk:compromise=7ce0c40a76be69436e536b625eecbd5a
        .created = 2024/05/08 16:18:47.015
        :desc = In approximately March 2015, the free web hosting provider 000webhost suffered a major data breach that exposed almost 15 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords.
        :name = 000webhost (2015-03-01)
        :reporter = 4f8219203705461880a6bb8cd1185005
        :reporter:name = have i been pwned
        :target = 7ce0c40a76be69436e536b625eecbd5a
        :time = 2015/03/01 00:00:00.000
risk:compromise=9c3ac44940102bc45e01fe94672b6118
        .created = 2024/05/08 16:18:47.267
        :desc = In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com .
        :name = 123rf (2020-03-22)
        :reporter = 4f8219203705461880a6bb8cd1185005
        :reporter:name = have i been pwned
        :target = 9c3ac44940102bc45e01fe94672b6118
        :time = 2020/03/22 00:00:00.000
risk:compromise=eceab60e0a07ed701949d55bdefd1376
        .created = 2024/05/08 16:18:47.337
        :desc = In approximately 2012, it's alleged that the Chinese email service known as 126 suffered a data breach that impacted 6.4 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
        :name = 126 (2012-01-01)
        :reporter = 4f8219203705461880a6bb8cd1185005
        :reporter:name = have i been pwned
        :target = eceab60e0a07ed701949d55bdefd1376
        :time = 2012/01/01 00:00:00.000

Query for breaches associated with the specified inet:email

Check an email address for breaches:

> [ inet:[email protected] ] | haveibeenpwned.breaches.byemail --yield
risk:compromise=38c1fce297eeed21a8d1c8e04e16cc53
        .created = 2024/05/08 16:18:47.554
        :desc = In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
        :name = adobe (2013-10-04)
        :reporter = 4f8219203705461880a6bb8cd1185005
        :reporter:name = have i been pwned
        :target = 38c1fce297eeed21a8d1c8e04e16cc53
        :time = 2013/10/04 00:00:00.000
risk:compromise=a309429c3759fb2e5e31a1a63227c35a
        .created = 2024/05/08 16:18:47.731
        :desc = In December 2010, Gawker was attacked by the hacker collective "Gnosis" in retaliation for what was reported to be a feud between Gawker and 4Chan. Information about Gawkers 1.3M users was published along with the data from Gawker's other web presences including Gizmodo and Lifehacker. Due to the prevalence of password reuse, many victims of the breach then had their Twitter accounts compromised to send Acai berry spam .
        :name = gawker (2010-12-11)
        :reporter = 4f8219203705461880a6bb8cd1185005
        :reporter:name = have i been pwned
        :target = a309429c3759fb2e5e31a1a63227c35a
        :time = 2010/12/11 00:00:00.000
risk:compromise=4c621ea2001a78ff58bea51a0af067ec
        .created = 2024/05/08 16:18:47.856
        :desc = In December 2011, "Anonymous" attacked the global intelligence company known as "Stratfor" and consequently disclosed a veritable treasure trove of data including hundreds of gigabytes of email and tens of thousands of credit card details which were promptly used by the attackers to make charitable donations (among other uses). The breach also included 860,000 user accounts complete with email address, time zone, some internal system data and MD5 hashed passwords with no salt.
        :name = stratfor (2011-12-24)
        :reporter = 4f8219203705461880a6bb8cd1185005
        :reporter:name = have i been pwned
        :target = 4c621ea2001a78ff58bea51a0af067ec
        :time = 2011/12/24 00:00:00.000

Use of meta:source nodes

Synapse-HaveIBeenPwned uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the HaveIBeenPwned API.

> meta:source=09a57e34b1238b7bed8f9eff82bf253b
meta:source=09a57e34b1238b7bed8f9eff82bf253b
        .created = 2024/05/08 16:18:47.006
        :name = haveibeenpwned api
        :type = synapse.haveibeenpwned

Storm can filter query results to include or exclude nodes that Synapse-HaveIBeenPwned has observed. The following example keeps only the results observed by Synapse-HaveIBeenPwned:

> #cool.tag.lift +{ <(seen)- meta:source=09a57e34b1238b7bed8f9eff82bf253b }
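The include filter above has an exclude counterpart, and the same edges can be walked outward from the meta:source node. The queries below are an added example, not part of the original guide; they reuse the meta:source guid and the #cool.tag.lift tag shown above, and each query is meant to be run on its own.

```storm
// Include: keep only tagged nodes that have a (seen) edge from the
// HaveIBeenPwned meta:source node (same query as in the guide).
#cool.tag.lift +{ <(seen)- meta:source=09a57e34b1238b7bed8f9eff82bf253b }

// Exclude: keep only tagged nodes that were NOT observed by
// Synapse-HaveIBeenPwned, e.g. to review what other sources contributed.
#cool.tag.lift -{ <(seen)- meta:source=09a57e34b1238b7bed8f9eff82bf253b }

// Provenance review: start at the meta:source node and walk its (seen)
// edges outward to list a sample of the nodes it has recorded.
meta:source=09a57e34b1238b7bed8f9eff82bf253b -(seen)> * | limit 10
```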