Urban75

Have I Been Pwned?

Aladdin

Well-Known Member
I got an email from this crowd... are they legit?
They described how my passwords were compromised last September, for an email address.

I've screenshot the email.


I didn't click any links.

Is this legit?
 
What email address does it come from? (Not that I'd really have a clue about this sort of thing).
 
I'm aware of Have I Been Pwned and have checked on their website occasionally.

Think the simple question is whether you have signed up for their notify service, which appears to be a thing.

If you have, this might be genuine. If you haven't, it's definitely not legit.

Your e-mail address being on there doesn't necessarily mean your e-mail account is compromised, it can just mean that somewhere you have used that e-mail address as part of your sign in has been.

Changing the password on your e-mail account won't do any harm, though.

And (at the possible risk of stating the obvious) if you use the same combination of e-mail address and password to sign in to multiple online things, that's not a great idea, as if one has a security breach, there's a chance that someone might try the same combination on other sites. I have a system for passwords, but don't think I use the exact same one on multiple sites.
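
The post above is about passwords reused across sites turning up in breach dumps. As an added example (my code, not the thread's and not haveibeenpwned's own), here is how the Pwned Passwords check behind that site works without the password ever leaving your machine: the client takes the SHA-1 of the password and sends only its first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`; the server returns every hash suffix in that bucket with its breach count, and the match is made locally (k-anonymity). The bucket contents below are constructed so the code runs offline: the SHA-1 of "password" is genuine, but the other suffixes and all counts are made up, and the live fetch is only there to show the real request shape.

```python
"""k-anonymity lookup against Pwned Passwords (added example, runs offline)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed sample bucket for prefix 5BAA6.  A real bucket holds several hundred
# lines.  SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the second
# line's suffix is genuine; the other suffixes and every count are invented.
SAMPLE_BUCKETS: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D2B1B2F5A1E6B3C7D8E9F0A1B2C3D4E5F6:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2A3B4C5D6E7F8091A2B3C4D5E6F708192A3:17",
    ]),
}


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines.  Padding entries (Add-Padding: true) come back with count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes yield an empty bucket."""
    return SAMPLE_BUCKETS.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real query.  Add-Padding hides the true bucket size from a network observer."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Breach count for the password, or 0 if its suffix is absent from the bucket."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times in the sample bucket")
```

Swap `offline_fetch` for `live_fetch` to query the real service; the point to take from the code is that the server only ever sees `5BAA6`, which is shared by roughly one in a million possible passwords, so it cannot tell which one you checked.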
 
Your e-mail address being on there doesn't necessarily mean your e-mail account is compromised, it can just mean that somewhere you have used that e-mail address as part of your sign in has been.

Changing the password on your e-mail account won't do any harm, though.
My thoughts exactly. Password managers are your friend here. Yes, there's always a risk the password manager can get compromised, but it's still safer than using low-complexity passwords on multiple logins.
 
Yeah, it's legit. Seems he only published the write-up on that list 3 hours ago.
Troy Hunt is the Australian guy behind haveibeenpwned.
You should change the password on the email that you were notified on.
 
It should be the end of it but ....
My thoughts exactly. Password managers are your friend here. Yes, there's always a risk the password manager can get compromised, but it's still safer than using low-complexity passwords on multiple logins.
Do you know the benefits of a paid-for password manager over the ones already built into browsers?
 
The pwned website always terrifies me, even when I willingly go on to see if there are any updates to my email being used somewhere. I've gotten the spam emails (luckily sent to spam) where some hacker threatens me to pay in bitcoin. So far, the pwned website has caught my address being flagged on a couple of data breaches. Primarily from sites who actually come out (months / years later) saying they had a data breach. Other sites listed haven't officially stated anything, so it's good to err on caution.

There's a sign they put up all over the place at my job: "Change your password like you change your underwear. Don't leave it out for people to see". First week that sign was up, some of us questioned how frequently people were changing their underwear, as changing a password everyday is a little obsessive.
 
So I signed up my original Hotmail account, which I've been using as a burner email for about 20 years.

If I get an email in a few months saying you've been pwned I'll call bullshit, as I've used it to sign up to almost everything in that time frame and never used it for personal data.

So I'd be surprised if I've not popped up on data breaches already.
 
The pwned website always terrifies me, even when I willingly go on to see if there are any updates to my email being used somewhere. I've gotten the spam emails (luckily sent to spam) where some hacker threatens me to pay in bitcoin. So far, the pwned website has caught my address being flagged on a couple of data breaches. Primarily from sites who actually come out (months / years later) saying they had a data breach. Other sites listed haven't officially stated anything, so it's good to err on caution.

There's a sign they put up all over the place at my job: "Change your password like you change your underwear. Don't leave it out for people to see". First week that sign was up, some of us questioned how frequently people were changing their underwear, as changing a password everyday is a little obsessive.
The problem with this approach is the onus is placed upon the end user. Which leads to a blame culture and people hating (rightfully) on IT Security.
 
I have a system which means that when I die no one can access any of my online stuff, so not all that helpful really (well, there is a paper file to decrypt...)
 
It should be the end of it but ....

Do you know the benefits of a paid-for password manager over the ones already built into browsers?
Main benefit is just another line of password protection. Using the browser - so long as you're using it to generate different passwords for every login - is a step up from shared passwords for sure. But all you have to do is have signed in to your Google account on Chrome somewhere else and you could leave it open for someone else to come along and retrieve data. Be it a work computer that you left unlocked, or a library one you forgot to sign out of. Using a manager is just an extra step up from there because you still have to auth into the password manager.

Also, I don't know how advanced the browser ones have got but all the paid managers will happily tell you where you've used weak passwords, shared passwords, etc and offer to generate something nicely random and complex to replace them with. On the phone, depending on how the app in question works, the manager will also work for a lot of app logins which obviously doesn't work with a browser. I won't pretend that it works with all apps though. I think it depends on whether they're using the shared browser library for the login or not.
 
Main benefit is just another line of password protection. Using the browser - so long as you're using it to generate different passwords for every login - is a step up from shared passwords for sure. But all you have to do is have signed in to your Google account on Chrome somewhere else and you could leave it open for someone else to come along and retrieve data. Be it a work computer that you left unlocked, or a library one you forgot to sign out of. Using a manager is just an extra step up from there because you still have to auth into the password manager.

Also, I don't know how advanced the browser ones have got but all the paid managers will happily tell you where you've used weak passwords, shared passwords, etc and offer to generate something nicely random and complex to replace them with. On the phone, depending on how the app in question works, the manager will also work for a lot of app logins which obviously doesn't work with a browser. I won't pretend that it works with all apps though. I think it depends on whether they're using the shared browser library for the login or not.
Interesting, thanks. Yes I do (normally :rolleyes:) close the computer down when I'm away from it, and always when I'm out of the house. I generally don't store passwords on my phone, which I hardly actually use. I sort of think that if someone gets into the house and gains the password for my computer they're going to have access to my network so I'm open after that anyway.

Reassuring, though, ta, browser looks fine for me because my computers are at home.

The browser generates and remembers strong passwords.
 
The problem with this approach is the onus is placed upon the end user. Which leads to a blame culture and people hating (rightfully) on IT Security.
The IT department where I work is a shit show as it is, so I hate on the department anyway. I work for a small (90 person) company, so there are two guys that are in that department. One actually gets paid by my company (he has a company email) and the one is a contractor from an IT management company (has a contractor email).

The one on our payroll is not yet 30 and has no formal education in IT. He had started in another department before landing his current role. However, not a lot of people know what he actually does for the company, since he gets frustrated real quickly when tasked with even the simplest of things. It's almost like he can't be bothered or he doesn't know what to do. Sometimes it is a combination of both. With the contractor, he's nearing 50 and allegedly has a couple decades of experience. But he's a total creep show and actually skeeves me out. There's something about him that's a little "off". At least it feels like he can do a couple more things correctly than the other guy, but I've not had that much need from him.

With the contractor, we have to go through his management company for everything. They are our help desk, so every little incident needs to be recorded through them, before we even get someone to look at our problem. Which means, once the help desk ticket is created, you're better off calling the management company and having them remote view into your computer to fix the problem because you're not going to get immediate help from the people in the building. We have all run into big delays in having one of the guys see us, and there are only 20 people in-house on a good day. Majority of the folks are either 75% remote or 100% remote (the latter are ones who moved out of state when the pandemic forced a lockdown). The IT team pushes people to the bottom of the list, daily, so your issue might be looked at next week if you're lucky. Don't even bother asking the in-house kid for help in passing, because he will tell you one of two things - "did you clear your cookies and cache?" or "submit a help desk ticket" - and walks away from you as you answer yes or no. There's no secondary sentence from him because he's already leaving the area. The contractor is only in the office a couple of times a week and for 4 hours in the afternoon.

The long and the short of it is... yeah... the "change your password like you change your underwear" sign is so that the end user has to be the one doing everything for themselves. We don't have the luxury at work to have a password manager as our computers are managed by the IT department. The newest issue some of us are facing is the Microsoft Authenticator app, which is a beast of a problem of its own.
 
If anyone is thinking of using a password manager, I can't recommend BitWarden enough. It's got an app for your devices and it's also got a web page. The free tier is absolutely fine, but I think I might pay for the next one up as its so good. I use Authy for MFA, but anything that does OAuth works.

It integrates with a browser as well, but I'm a little paranoid and don't want my password manager attached to my browser, so I copy and paste.
 
Again so you've got a separate password for it?

The browser extension or the password manager app/web page? They will use the same password.

I've got a strong, unique password for BitWarden, protected by MFA. I've printed out the recovery codes and hidden them in my house as they can't reset it for you if you lose them. One reason I may pay for the next tier is you get more authentication options, like using a FIDO key. You also get a small amount of storage so I could upload things like copies of passports etc.
 
The browser extension or the password manager app/web page? They will use the same password.
Not sure I understand - my browser password is different from the browser's web page password. Upthread someone remarked that having a different password for the browser and the password manager gives extra security.
I've got a strong, unique password for BitWarden, protected by MFA. I've printed out the recovery codes and hidden them in my house as they can't reset it for you if you lose them. One reason I may pay for the next tier is you get more authentication options, like using a FIDO key. You also get a small amount of storage so I could upload things like copies of passports etc.
Just about all my browser passwords are strong and unique - Firefox suggests them and I just use those. Printing out recovery codes somewhere is a good idea, although knowing me I'd forget where I put them :mad: I think I've lost the £10 I paid for Google Apps because I did a factory reset on the phone and am not sure whether I still have the password for that :rolleyes:
 
Not sure I understand - my browser password is different from the browser's web page password. Upthread someone remarked that having a different password for the browser and the password manager gives extra security.

Just about all my browser passwords are strong and unique - Firefox suggests them and I just use those. Printing out recovery codes somewhere is a good idea, although knowing me I'd forget where I put them :mad: I think I've lost the £10 I paid for Google Apps because I did a factory reset on the phone and am not sure whether I still have the password for that :rolleyes:

Not quite sure what you mean by browser's web page password. I'd assume you mean a Google/Microsoft account, but you're on Linux and probably use Firefox?
 
Forgive me for this statement, but it seems weird to me to use (paid / unpaid) cloud storage on any site (let alone a password management / encryption) for storing passport or other identification information.

I had to Google what a Fido key was. From what I read, sure, MFA and fingerprinting is a nice alternative, but what happens if there's some back end coding error that causes a problem and accounts are hacked? Is that such a thing? I'd be afraid of leaving important copies of documents online like that. Aren't there still risks in even the simplest of encryption going haywire?

I thought the point of the browser password management stuff is they create a new password key for every site every time you log in. You just give the manager what should be that site's password and the manager scrambles something new. Didn't LastPass get breached at one point?

As far as using unpaid storage is concerned, yes, I use Dropbox and iCloud. My Dropbox is used to share voice memos with a friend on an Android (there's been issues sharing iPhone files after I've tried to do basic editing on them in Audacity, so he wants the raw file). Lately I keep one file in my account (a running list of David Bowie vinyl I collect so I don't end up buying multiple copies). My iCloud account has my resume, but the only information on that is my mobile number. I don't care if people find out where I've previously worked. They'd probably laugh at me if they read it.

I don't know... I could be misinterpreting it all.
 
Didn't LastPass get breached at one point?
This is the crux of things. Everything - BitWarden, LastPass, 1Password, any cloud storage used anywhere - could be hacked. I know someone who uses his own password manager stored on MyDrive in some insane belief that Microsoft will never be hacked.

But does it matter? For instance, I use LastPass. Couldn't be bothered to change after the hack, though I did change the Master Password. Why? Because if your Master is complex/long enough and you're not using a flawed encryption scheme it does not matter who has the encrypted data. By the time a hacking group, or even a national government! has the spare computing capacity to brute force decrypt the LastPass breach for users like myself with 16+ character complex passwords, it will be 10+ years into the future. And you should always change your passwords every year, right? Right? (I admit, I'm biennial on it) We probably won't even be using passwords for anything important by then. Heck, right now there is literally nothing that's important to me that doesn't use 2FA.

So yes, there's a theoretical point that never trusting anyone but yourself with the data is more secure. But in practical terms, it's nonsense. Use a complex Master, then use whatever service is most convenient to you (I may still use LP, but I don't actively recommend anyone choose them - I'm just on pure inertia here). It's extremely rare that anyone even attempts a brute force decryption of these leaks. It's all based on dictionary attacks, with AI identifying any probable hits. You should worry more about your local internet forum being hacked if you share passwords with other things, because they're probably not using strong encryption. The password managers? Nah, you're fine.

ETA: Here's the thing - properly done password managers, like the ones we're talking about here - do not have your unencrypted data. The only time they have that is when it's first encrypted and stored. Nor do they have a copy of your Master Password. The only thing the hackers get from their breach is a massive gob of heavily encrypted data. The really bad part about the LastPass hack, and the bit that was actually useful to the hackers, is they got their regular database with names and email addresses for everyone. (and like why the fuck wasn't that encrypted too?) That helps massively in trying to hack weak passwords. (Like, I shouldn't have to say this, but do not use your name or email address in your password!)
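
The post above argues that a leaked vault is only as good to the attacker as the master password is weak, and that leaked names and e-mail addresses are what make weak masters fall. As an added example (my code, not the poster's and not any password manager's implementation), here is that work factor made concrete. A breached vault hands the attacker a salt, the KDF parameters and ciphertext, modelled here as a key-check value; every guess at the master costs a full PBKDF2 derivation. A dictionary seeded with the user's leaked e-mail address, the attack the post warns about, finds a master like `aladdin2024!` in a handful of guesses, while a random 16-character master is in no list and can only be searched exhaustively. The iteration count, word list, e-mail address and the 10^9 guesses/second rate are assumptions chosen for the demonstration.

```python
"""Offline guessing against a leaked password-manager vault (added example)."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Iterable, Iterator, NamedTuple, Optional

# Kept low so the demo runs in well under a second; real managers use hundreds of
# thousands of PBKDF2 rounds or Argon2, which makes every attacker guess that much dearer.
ITERATIONS = 5000
KEY_CHECK_MSG = b"vault-key-check"


class Vault(NamedTuple):
    """What the service stores, and therefore what leaks in a breach.
    Neither the master password nor the derived key is among it."""
    salt: bytes
    iterations: int
    verifier: bytes


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Master password -> 256-bit vault key; only this key opens the vault."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master: str, iterations: int = ITERATIONS) -> Vault:
    salt = os.urandom(16)
    key = derive_key(master, salt, iterations)
    verifier = hmac.new(key, KEY_CHECK_MSG, hashlib.sha256).digest()
    return Vault(salt, iterations, verifier)


def check_guess(vault: Vault, guess: str) -> bool:
    """One attacker guess = one full KDF run, then a compare against the key-check value."""
    key = derive_key(guess, vault.salt, vault.iterations)
    tag = hmac.new(key, KEY_CHECK_MSG, hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault.verifier)


def identity_dictionary(email: str, wordlist: Iterable[str]) -> Iterator[str]:
    """Candidate masters built from the leaked e-mail's local part, a word list and common suffixes."""
    local = email.split("@", 1)[0].lower()
    seeds = [local, local.capitalize(), *wordlist]
    suffixes = ["", "1", "123", "!", "2024", "2024!"]
    for seed in seeds:
        for suffix in suffixes:
            yield seed + suffix


def crack(vault: Vault, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that opens the vault, or None if the list is exhausted."""
    for guess in candidates:
        if check_guess(vault, guess):
            return guess
    return None


def years_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to search the whole keyspace at a given rate; expected time to a hit is half that."""
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)


def random_master(length: int = 16) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed inputs: the e-mail address that leaked alongside the vault, and a tiny word list.
LEAKED_EMAIL = "aladdin@example.com"
WORDLIST = ["password", "letmein", "qwerty", "summer"]


def demo() -> dict:
    weak = make_vault("aladdin2024!")        # master built from the leaked identity
    strong = make_vault(random_master())     # 16 random printable characters
    return {
        "weak": crack(weak, identity_dictionary(LEAKED_EMAIL, WORDLIST)),
        "strong": crack(strong, identity_dictionary(LEAKED_EMAIL, WORDLIST)),
    }


if __name__ == "__main__":
    print(demo())
    # Assumed 1e9 guesses/s ignores KDF cost; at realistic rounds the rate drops by ~10^5.
    print(f"8 lowercase letters:   {years_to_exhaust(26, 8, 1e9):.1e} years")
    print(f"16 chars, 94 symbols:  {years_to_exhaust(94, 16, 1e9):.1e} years")
```

The dictionary is deliberately tiny; real attackers run millions of candidates through rule engines, but the shape is the same: they spend their budget on guesses derived from what the breach told them about you, not on exhausting the keyspace. The `years_to_exhaust` figure for 16 characters drawn from 94 symbols comes out above 10^15 years even at the generous assumed rate, which is the arithmetic behind the post's "10+ years" remark.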
 
I've never changed my passwords regularly, doubtless wrongly but I've always thought that there's more chance of being infested by a key logger which would make the act of changing passwords vulnerable.
 
I've never changed my passwords regularly, doubtless wrongly but I've always thought that there's more chance of being infested by a key logger which would make the act of changing passwords vulnerable.
Depends if you share passwords or not. If everything is unique, you're probably right. But there have been dozens of major login leaks over the years from companies with poor encryption, and if you happen to use that same password elsewhere....
I will confess that there are probably a dozen sites where I still use my old "low security" password, shared. But I couldn't give a fuck if any of them got hacked.
 
Fair point - I used to share passwords but haven't done for years, certainly not important ones. But ta - I'm glad I'm not being tooo daft here.

Great thread Aladdin I've learned lots. :)
 
I've never changed my passwords regularly, doubtless wrongly but I've always thought that there's more chance of being infested by a key logger which would make the act of changing passwords vulnerable.

I mean current advice is now not to have users change their passwords often, because they're more likely to use shit ones/write them down/recycle them. They probably do that anyway.
 