It’s no longer shocking to hear that some company got hacked and the infiltrators made off with millions, if not hundreds of millions, of user accounts. It happens on an almost weekly basis — so frequently that many don’t even bother keeping up with when their account credentials may have been stolen. That’s where HackNotice, an information security startup providing real-time threat intelligence to consumers, comes in.
HackNotice is a free new service launching today for Android, iOS, and the web to help users stay informed about hacks and data breaches relevant to them. Based in Austin, Texas, HackNotice monitors when hacks occur, notifies you about the ones that affect your accounts, and guides you through the process of recovering from, and reducing the risk of, identity leaks.
You can specify any domain you want to monitor, but there are also 110 suggestions for popular social media, ecommerce, cryptocurrency, financial, and other sites that encompass more sensitive information you may want to track. In addition to real-time alerts, HackNotice also includes historical data: 20,000 “hack notices” going back 10 years.
In private beta until now, HackNotice is run by Steve Thomas, the creator of PwnedList, a similar offering that helped users figure out if their account credentials had been compromised. Founded in 2011, PwnedList was acquired by InfoArmor in August 2013, and subsequently shut down after the site itself was breached in May 2016.
After PwnedList was shut down, Thomas again decided to fight back against account takeovers, a lucrative business for hackers who steal user data to ultimately commit financial fraud and identity theft. This isn’t a new idea — businesses have had such solutions for years — but HackNotice wants to bring it to consumers:
Plenty of services exist for businesses to reduce their corporate security risk, but consumers have largely been left without help. Consumer services have historically been focused on how to help people recover from identity theft, after it happens, but few, if any, efforts have been made to address account takeovers, as a major cause of that theft. Businesses have been harnessing the power of threat intelligence for years to get ahead of the attacks coming their way, and we believe it’s time to bring that same advantage to the people.
Thomas explained a bit more how his company reached this conclusion with a short anecdote.
“Individuals are really getting the short end of the stick with these breaches,” Thomas told VentureBeat. “It came from a lot of personal pain, as well. Equifax was just the tip of the iceberg. Through building this, I saw hackers passing around my wife’s credit card PIN and password she used daily. The ultimate goal is to make individuals secure. I think it’s time for them to be able to put a stop to a lot of fraud that is committed against them.”
PwnedList focused on finding account credentials that had been leaked online, while HackNotice takes a broader approach by making users aware of hacks as they happen.
“It’s not just about credentials,” Thomas explained. “It’s much more about a person’s digital identity. So they can monitor for their name, their address, or their phone number … and get information about what’s being passed around about them that may not contain credentials. There’s been a lot of information that I’ve seen being passed around, like the type of stuff you get on Facebook — really sensitive information about people that doesn’t contain credentials. With my old service, we didn’t really have a place for that, so we wouldn’t include it.”
Here is Thomas’ breakdown for how HackNotice differs from its predecessor:
- HackNotice’s capability to alert people to hacks and the historical hack notices in our system is completely new. PwnedList never provided notices about hacks, only leaks, and usually only the leaks that were put into PwnedList.
- Users can search in much greater depth with HackNotice for leaked digital identities, searching for names, addresses, phone numbers. PwnedList was limited to only email addresses and only from collections of credentials.
- We are entirely focused on individual users, with mobile apps and language for people who aren’t experts in security. Most of our clients for PwnedList were security analysts and wanted more technical capabilities, such as APIs.
- We have security recovery steps for what to do after a hack, whereas PwnedList didn’t have any remediation advice other than “change your password.”
That last point is worth elaborating on. HackNotice isn’t offering custom advice depending on which account of yours has been breached. It’s just a generic checklist that everyone should go through when they are affected by a hack:
The eventual goal is to make this a tailored list, so the recommendations will be different depending on if, for example, your credit card information may have been swiped, or if the service in question offers two-factor authentication.
Like PwnedList, HackNotice is bootstrapped and hasn’t taken any outside funding, Thomas tells VentureBeat. But unlike PwnedList, which charged money to notify you when your account had been breached, HackNotice is free.
So how does the company plan to make money? “What we’re focused on right now is making sure that the value is where it needs to be,” Thomas said. “Assuming that people are interested — they sign up and are able to increase their knowledge of security — the plan is to offer some premium services. If we can show people are more informed and more secure, then I think this will be a great service for businesses to offer their employees.”
And we’ve come full circle. A service like HackNotice doesn’t exist for individuals because individuals aren’t interested in paying for such a service. It exists for businesses because that’s where the money is. So HackNotice is free, but will that be enough to get people to sign up?