Table: hibp_breached_account - Query HIBP Breached Accounts using SQL
Have I Been Pwned (HIBP) is a free resource that allows anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised in a data breach. HIBP provides a comprehensive list of accounts that have been compromised in a data breach. The service is widely appreciated for its usefulness in tracking down potentially compromised accounts.
Table Usage Guide
The hibp_breached_account table provides insights into breached accounts within Have I Been Pwned (HIBP). As a security analyst, explore account-specific details through this table, including breach names, breach dates, and compromised data types. Utilize it to uncover information about breaches, such as the specific accounts affected, the extent of the breach, and the types of data compromised.
Important Notes
- This table returns data similar to the hibp_breach table, with the requirement and addition of an account field. While the hibp_breach table returns all of the known breaches, this table can be used to find breaches for a particular account.
- This table requires an API key to be configured in the hibp.spc file.
Examples
List breaches from the last 3 months for an account
List the breaches a specific user account appeared in within the last three months. This query can be used to monitor recent security incidents and take necessary actions to mitigate risks.

```sql
-- PostgreSQL
select
  title,
  breach_date
from
  hibp_breached_account
where
  breach_date > current_date - interval '3 months'
  and account = 'billy@example.com';
```

```sql
-- SQLite
select
  title,
  breach_date
from
  hibp_breached_account
where
  breach_date > date('now', '-3 month')
  and account = 'billy@example.com';
```
List unverified breaches for an account
List the unverified breaches associated with a specific account to understand the potential risk and take necessary actions. This information is useful for improving security measures and mitigating potential threats.

```sql
-- PostgreSQL
select
  title,
  pwn_count,
  breach_date
from
  hibp_breached_account
where
  is_verified = false
  and account = 'billy@example.com';
```

```sql
-- SQLite
select
  title,
  pwn_count,
  breach_date
from
  hibp_breached_account
where
  is_verified = 0
  and account = 'billy@example.com';
```
List breaches for an account for the "Passwords" or "Usernames" data classes
List the breaches for a specific account in which either usernames or passwords were compromised. This can be useful to understand the extent of data exposure and take necessary protective measures.

```sql
-- PostgreSQL
select distinct
  title,
  pwn_count,
  breach_date
from
  hibp_breached_account
where
  account = 'billy@example.com'
  and data_classes ?| array [ 'Usernames', 'Passwords' ];
```

Error: SQLite does not support array operations and the "?|" operator.
List breaches for active Okta users (requires Okta plugin)
Identify breaches associated with the accounts of active Okta users. This helps in enhancing user security by proactively identifying potential exposure.

```sql
-- PostgreSQL and SQLite (the query is identical in both dialects)
select
  title,
  pwn_count,
  breach_date
from
  hibp_breached_account
where
  account in (
    select email from okta_user where filter = 'status eq "ACTIVE"'
  );
```
List breaches for LDAP users (requires LDAP plugin)
This query is used to identify potential security breaches associated with LDAP users, particularly those in the 'Devs' group. It's a useful tool for maintaining the security of your system by pinpointing any instances where user details may have been compromised.

```sql
-- PostgreSQL and SQLite (the query is identical in both dialects)
select
  title,
  pwn_count,
  breach_date
from
  hibp_breached_account
where
  account in (
    select mail from ldap_user
    where filter = '(memberof=CN=Devs,OU=Steampipe,OU=SP,DC=sp,DC=turbot,DC=com)'
  );
```
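As an added example (not from the Steampipe HIBP docs), the following triage query combines the data-class filter above with the breach flags from the schema: it keeps only breaches that exposed passwords or usernames, drops spam lists and fabricated dumps, and gives a SQLite form that avoids the unsupported `?|` operator. It assumes the SQLite build exposes data_classes as JSON text that json_each can read; the account addresses are constructed samples.

```sql
-- Added example, not part of the Steampipe HIBP plugin documentation.
-- PostgreSQL: password- or username-exposing breaches for several
-- accounts, skipping spam lists and fabricated dumps, newest first.
select
  account,
  title,
  breach_date,
  pwn_count,
  data_classes
from
  hibp_breached_account
where
  account in ('billy@example.com', 'alice@example.com')  -- constructed sample accounts
  and data_classes ?| array [ 'Usernames', 'Passwords' ]
  and not is_spam_list
  and not is_fabricated
  and breach_date > current_date - interval '12 months'
order by
  breach_date desc;

-- SQLite: the jsonb "?|" operator is unavailable, so expand the
-- data_classes JSON text with json_each (assumed to be a JSON text
-- column here) and test its values in a correlated subquery instead.
select
  b.account,
  b.title,
  b.breach_date,
  b.pwn_count
from
  hibp_breached_account as b
where
  b.account in ('billy@example.com', 'alice@example.com')  -- constructed sample accounts
  and b.is_spam_list = 0
  and b.is_fabricated = 0
  and b.breach_date > date('now', '-12 month')
  and exists (
    select 1
    from json_each(b.data_classes) as dc
    where dc.value in ('Usernames', 'Passwords')
  )
order by
  b.breach_date desc;
```

Because account is a required key column, each address in the `in` list results in a separate HIBP API call, so keep the list short to stay within the API's rate limit.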
Schema for hibp_breached_account
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account | text | = | The email or phone account that was found in the breach (this field is required). |
| added_date | timestamp with time zone | | The date and time (precision to the minute) the breach was added to the system. |
| breach_date | timestamp with time zone | | The date (with no time) the breach originally occurred on in ISO 8601 format. This is not always accurate — frequently breaches are discovered and reported long after the original incident. Use this field as a guide only. |
| data_classes | jsonb | | This field describes the nature of the data compromised in the breach and contains an array of impacted data classes. |
| description | text | | Contains an overview of the breach represented in HTML markup. The description may include markup such as emphasis and strong tags as well as hyperlinks. |
| domain | text | = | The domain of the primary website the breach occurred on. This may be used for identifying other assets external systems may have for the site. |
| is_fabricated | boolean | | Indicates that the breach is considered fabricated. A fabricated breach is unlikely to have been hacked from the indicated website and usually contains a large amount of manufactured data. However, it still contains legitimate email addresses and asserts that the account owners were compromised in the alleged breach. |
| is_retired | boolean | | Indicates if the breach has been retired. This data has been permanently removed and will not be returned by the API. |
| is_sensitive | boolean | | Indicates if the breach is considered sensitive. The public API will not return any accounts for a breach flagged as sensitive. |
| is_spam_list | boolean | | Indicates if the breach is considered a spam list. This flag has no impact on any other attributes but it means that the data has not come as a result of a security compromise. |
| is_verified | boolean | = | Indicates that the breach is considered unverified. An unverified breach may not have been hacked from the indicated website. An unverified breach is still loaded into HIBP when there's sufficient confidence that a significant portion of the data is legitimate. |
| logo_path | text | | A URI that specifies where a logo for the breached service can be found. Logos are always in PNG format. |
| modified_date | timestamp with time zone | | The date and time (precision to the minute) the breach was modified. This will only differ from the added_date attribute if other attributes represented here are changed or data in the breach itself is changed (i.e. additional data is identified and loaded). It is always either equal to or greater than the added_date field, never less than. |
| name | text | = | A Pascal-cased name representing the breach which is unique across all other breaches. This value never changes and may be used to name dependent assets (such as images) but should not be shown directly to end users (see the 'title' field instead). |
| pwn_count | bigint | | The total number of accounts loaded into the system. This is usually less than the total number reported by the media due to duplication or other data integrity issues in the source data. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| title | text | | A descriptive title for the breach suitable for displaying to end users. It's unique across all breaches but individual values may change in the future (i.e. if another breach occurs against an organisation already in the system). If a stable value is required to reference the breach, refer to the 'name' field instead. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- hibp
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_hibp --config '<your_config>' hibp_breached_account
```