Table: hibp_breach - Query HIBP Breaches using SQL
Have I Been Pwned (HIBP) is a service that allows users to check if their personal data has been compromised by data breaches. It collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts. The HIBP Breach resource provides information about the specific data breach incidents.
Table Usage Guide
The hibp_breach table provides insights into data leak incidents registered in the Have I Been Pwned database. As a security analyst, explore breach-specific details through this table, including the breach name, domain, date, and associated data classes. Utilize it to uncover information about specific breaches, such as the affected accounts, the nature of the leaked data, and the actions taken to mitigate the breach.
Important Notes
- This table does not require an API key to be configured in the
hibp.spcfile.
Examples
List breaches from the last 3 months
Explore recent security breaches to understand potential vulnerabilities and patterns. This query is particularly useful for identifying recent threats and enhancing security measures accordingly.
select title, breach_datefrom hibp_breachwhere breach_date > current_date - interval '3 months';select title, breach_datefrom hibp_breachwhere breach_date > date('now', '-3 months');List unverified breaches
Discover the segments that have experienced unverified security breaches. This can be useful in assessing potential vulnerabilities and prioritizing areas for security enhancement.
select title, pwn_count, breach_datefrom hibp_breachwhere is_verified = false;select title, pwn_count, breach_datefrom hibp_breachwhere is_verified = 0;List breaches for the "Passwords" or "Usernames" data classes
Discover the instances of security breaches involving either passwords or usernames. This can be helpful in understanding the magnitude and timing of such incidents, which can aid in improving data security measures.
select distinct(title), pwn_count as size, breach_datefrom hibp_breachwhere data_classes ?| array [ 'Usernames', 'Passwords' ];Error: SQLite does not support array operations.Schema for hibp_breach
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| added_date | timestamp with time zone | The date and time (precision to the minute) the breach was added to the system. | |
| breach_date | timestamp with time zone | The date (with no time) the breach originally occurred on in ISO 8601 format. This is not always accurate — frequently breaches are discovered and reported long after the original incident. Use this field as a guide only. | |
| data_classes | jsonb | This field describes the nature of the data compromised in the breach and contains an array of impacted data classes. | |
| description | text | Contains an overview of the breach represented in HTML markup. The description may include markup such as emphasis and strong tags as well as hyperlinks. | |
| domain | text | = | The domain of the primary website the breach occurred on. This may be used for identifying other assets external systems may have for the site. |
| is_fabricated | boolean | Indicates that the breach is considered fabricated. A fabricated breach is unlikely to have been hacked from the indicated website and usually contains a large amount of manufactured data. However, it still contains legitimate email addresses and asserts that the account owners were compromised in the alleged breach. | |
| is_retired | boolean | Indicates if the breach has been retired. This data has been permanently removed and will not be returned by the API. | |
| is_sensitive | boolean | Indicates if the breach is considered sensitive. The public API will not return any accounts for a breach flagged as sensitive. | |
| is_spam_list | boolean | Indicates if the breach is considered a spam list. This flag has no impact on any other attributes but it means that the data has not come as a result of a security compromise. | |
| is_verified | boolean | = | Indicates that the breach is considered unverified. An unverified breach may not have been hacked from the indicated website. An unverified breach is still loaded into HIBP when there's sufficient confidence that a significant portion of the data is legitimate. |
| logo_path | text | A URI that specifies where a logo for the breached service can be found. Logos are always in PNG format. | |
| modified_date | timestamp with time zone | The date and time (precision to the minute) the breach was modified. This will only differ from the added_date attribute if other attributes represented here are changed or data in the breach itself is changed (i.e. additional data is identified and loaded). It is always either equal to or greater then the added_date field, never less than. | |
| name | text | = | A Pascal-cased name representing the breach which is unique across all other breaches. This value never changes and may be used to name dependent assets (such as images) but should not be shown directly to end users (see the 'title' field instead). |
| pwn_count | bigint | The total number of accounts loaded into the system. This is usually less than the total number reported by the media due to duplication or other data integrity issues in the source data. | |
| title | text | A descriptive title for the breach suitable for displaying to end users. It's unique across all breaches but individual values may change in the future (i.e. if another breach occurs against an organisation already in the system). If a stable value is required to reference the breach, refer to the 'name' field instead. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- hibpYou can pass the configuration to the command with the --config argument:
steampipe_export_hibp --config '<your_config>' hibp_breach