Security researchers have set up a website that allows punters to check whether or not their email addresses have appeared in data dumps slurped from compromised databases. Hacking attacks on sites including Gawker and the network of Sony's gaming division have led on to the publication of hundreds of thousands of users' …
Does it include the 46,524 recently dumped by El Reg?
Someone want to forward it to them? :-)
Not that useful
"Theriault concludes that if users even think their login credentials might have been compromised they ought to change their login credentials"
On which of the many hundreds of forums and businesses I've used that email with should I change the password? Given that, in keeping with best practice, they're all unique.
Without that information it's *useless*. There's a huge difference between some old forum login I've forgotten about getting leaked and a bank account.
Does the website...
...also tell you if certain vulture mascotted IT news websites have inadvertently emailed your details to other people?
My work one was on the list. I think it's from when Bethesda got hacked, but I'm gonna change the pass again just in case....
Of course if I'd listened to the scaremongering here
then all my details including my PSN details would be here.
Of course reality is somewhat different..
I wonder if all those El Reg details are included on that list?
"Users enter a username or email address into the site’s search box to find out if their username has appeared in any recent public data dumps. Users are not prompted to enter their password itself."
So this website now has your email address as a result of your search, but not your password.
So what information do spammers use to send you spam?
Read on past the first paragraph...
"Data entered is not stored, re-used, or given to any third parties," the terms and conditions of the site explain. Tech-savvy users can submit a SHA-512 hash of their email address or username as input instead of the plaintext version.
"Data entered is not stored, re-used, or given to any third parties,"
And if you'll trust another company who makes that statement, I've got a bridge you might be interested in. And the phone number of a deposed Nigerian prince with TWENTY MILLION UNITED STATES DOLLARS to give away.
But, in part, true...
Think about how many people are now looking for a 'how to convert plain text into a SHA-512 hash' website. How would you know which one is legit and which is not?
Isn't that what they all say?
Don't read, or don't understand?
You are replying to a post that mentions the SHA-512 hash option, which appears in the first paragraph on the web site. Did you not read down that far in either of these, or do you think that the hash is personally identifying or has some other value to a third party?
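The SHA-512 option quoted above, and the question of whether you should trust a random "convert text to SHA-512" website to do it for you, both come down to a few lines of code you can run yourself. The following is an added example, not code from the article or from the checking site it describes: it hashes a normalised address locally with Python's standard `hashlib`, looks the digest up in a constructed, entirely made-up dump (the three addresses below are invented for the demonstration), and also shows the caveat raised in the reply above, namely that the digest of an email address only hides it from someone who does not already hold that address in plaintext. The function names and the normalisation rule (trim and lowercase) are this example's own assumptions, not the site's documented behaviour.

```python
import hashlib
import string
from typing import Iterable, Optional

# Constructed sample "dump": invented addresses standing in for the leaked
# plaintext a breach-checking site would index. Not real data.
CONSTRUCTED_DUMP = [
    "alice@example.com",
    "Bob.Smith@Example.org",
    "carol+forum@example.net",
]


def normalize(address: str) -> str:
    """Canonicalise an address before hashing: trim whitespace, lowercase.

    Both sides must apply the same rule (an assumption of this example),
    otherwise 'Alice@Example.com' and 'alice@example.com' hash to unrelated
    digests and the lookup silently misses.
    """
    return address.strip().lower()


def sha512_hex(text: str) -> str:
    """Hex SHA-512 of a UTF-8 string; always 128 hex characters."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def looks_like_sha512(value: str) -> bool:
    """True if the input is already a 128-character hex digest."""
    v = value.strip()
    return len(v) == 128 and all(c in string.hexdigits for c in v)


# What a hash-only checking service would keep: digests of normalised
# addresses, never the plaintext.
DUMP_HASHES = {sha512_hex(normalize(a)) for a in CONSTRUCTED_DUMP}


def is_pwned(query: str, hashes: set = DUMP_HASHES) -> bool:
    """Look up either a plaintext address or its SHA-512 digest.

    A plaintext query is normalised and hashed on the client side here, so
    the service never needs to see the address itself; a digest is accepted
    as-is (case-folded, since hex case carries no information).
    """
    if looks_like_sha512(query):
        digest = query.strip().lower()
    else:
        digest = sha512_hex(normalize(query))
    return digest in hashes


def recover_address(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """The caveat: a digest of a low-entropy value is not a secret.

    Anyone holding a list of plaintext addresses (the dump itself, a spam
    list, a marketing database) can hash every candidate and match it against
    the submitted digest in a single pass. Hashing hides the address only
    from a party that does not already have it in some list.
    """
    target = digest.strip().lower()
    for cand in candidates:
        if sha512_hex(normalize(cand)) == target:
            return normalize(cand)
    return None


if __name__ == "__main__":
    for q in ["Alice@Example.com",
              "nobody@example.org",
              sha512_hex("bob.smith@example.org")]:
        print(f"{q[:40]:40s} pwned={is_pwned(q)}")
    # Dictionary attack on a submitted digest, given the plaintext dump.
    print(recover_address(sha512_hex("alice@example.com"), CONSTRUCTED_DUMP))
```

Note the normalisation trap: a digest of `Bob.Smith@Example.org` computed without lowercasing does not match the stored digest of `bob.smith@example.org`, so a site offering a hash option has to publish exactly how it canonicalises input before hashing, or users who hash locally will get false negatives.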
Very high risk indeed
It could so easily be a highly sophisticated honeytrap where it gets my IP and my email address and by matching them together with the already public information in their database it would allow them to ....
... er ...
... send me email?
...I'm expected to go to this site and enter my email address? I think not. ;)
If you were tech-savvy...
...you could enter the SHA-512 hash of your email address. But if you're not, why are you even here?
Again, and I got downvoted for this already...
Who's to tell me that this is legit, in comparison to another website that asks you to enter your email address 'and we will check for you if your address appears on any other list'.
Go ahead, downvote as much as you want.
But, this is a bit like that big red button that says 'do not push'... You kinda want to enter your email address, don't you? ;-)
10 year old email address not pwned
All well and good until THEY get hacked...
...and the paradox causes the internet to collapse in on itself.
They do explain...
that they don't store any of the actual data. They only calculate the hashes and then discard the data, to help guard against exactly such an eventuality.
My email address of 12 years is on the list, but I've used that to sign up for just about everything over that time. So the email address could be on there for any number of reasons.
It has a unique 16 character random password that I created about a year ago, so should be safe. If not, tough; I really cannot be bothered to create a new one and update every password manager on all my machines again just to be sure.
Damn I wish I hadn't checked that site now!
Enter your email address + password + bank account number + pin number + inside leg measurement...
I entered a couple of pwned e-mail addresses from members of my Freecycle group I am getting SPAMmed from regularly and they came up as clean. I guess 5 million isn't enough.
One day I will create a site like this where they are asked to submit an e-mail and password, and have it direct to a page that just says "Yes."
"encouraging users to hand over even part of their login credentials to supposed security checking sites is not necessarily a good thing, Carole Theriault of Sophos notes"
Isn't that the reason why part of your credentials is public and part is private? What am I missing?