my gmail addy haz been pwned :(
Infosec researcher Troy Hunt has revealed that more than 700 million email addresses have been floating around “a popular hacker forum” - along with a very large number of plain text passwords. The data dump, which Hunt has uploaded to his Have I Been Pwned site for people to check if they’re included, comprises “1,160,253,228 …
Stop using one email address.
Buy a domain. Make a new address at that domain for each service. If a service is compromised, throw it away / block it, and use another.
Have them all redirect to... whatever you want. Like a GMail. If that gets compromised, you just point the domain at a fresh account and you don't have to go and change everything.
Costs pennies a year. Takes about 20 minutes to set up even in the worst case. Gives you infinite email addresses (and ones to put in spam forms that you have to supply an email). Let's you keep the same emails on services forever, and change to whatever provider you like at any time.
As a demo, HaveIBeenPwned also lets you search for anything@yourdomainname.
I get the following:
The address I use to report brokenlinks on my website.
The address I use as complete junk that doesn't even deliver any more (just bounces anything incoming email with a rude server message)
About 14 variations of the above junk (with appended letters, cut-off short, etc. so obviously lots of spam software suffers from off-by-ones!)
A handful of addresses given to companies that were compromised (including places like Kickstarter, SolarWinds, 1&1 and Macromedia).
Two addresses used to sign up on forums I used to frequent.
Two addresses used on public Usenet mailing lists
20-30 literal made up rubbish that has never existed at my domain (more off-by-ones, e.g. "real" usernames that are alphabetically close to addresses that do exist, but not at my domain).
Most of these things are just everyday compromises of forums and stuff, and using one GMail address to sign up for them all is just asking for trouble. Presumably at least some of those accounts had their passwords compromised too, not just the email address.
These people can't be trusted to keep your account information secure from spambots or password compromises. So use unique addresses and passwords, and then manage them all from one place, including terminating them if compromised and not using those companies again.
> Any clue as to what websites/services have been compromised.
> I need to know what passwords i need to change....
The site itself is badly laid out. If you're on a laptop, chances are you'll be baffled by seeing nothing more than a single sentence saying you have/have not had N websites/logins pawned.
You need to scroll down to the bottom. There will be a list of websites pwned, plus dates.
In my case, I'd already handled them for all my non-spamtrap accounts. Eg, dropbox's crack a few years back, linkedin ditto, etc.
This is what I did by accident in the 90s. Hadn't realised at the time that I'd improved my security by doing so. It was caused by my e-mail provider shutting my account down in error (Nildram BTW) It only took them a couple of days to bring it back but the fact they'd done it annoyed the hell out of me. So inconvenience was the driver but the result was improved security.
I now have a few domains, all of which I redirect to gmail etc but it's great knowing that I can swap around whenever I want. Importantly though I never save any password for my domains or e-mail in a password manager, always have multi factor on those as I see them as the crown jewels - anything else can get hacked but those I need to ensure are as secure as I can reasonably make them.
Been doing that for years, it's interesting to see which firms have been hacked when the spam starts arriving at their assigned email address :-)
One point - this approach requires catch-all email forwarding on the server, which some suppliers don't like to provide.
It also means that you then get all the cr4p sent to randomly generated addresses at your domain - any that turn up more than once I forward to a junk folder.
You don't need catch-all, just remember to create the address in their management panels before you use it. But even 1&1 and the cheapy 99p domain places don't care how many you have as the number of email aliases doesn't affect a domain host at all, generally.
The solution for the techy people - make a secret format. For example, have the username (before the @ prefix) contain a number with, say, the number of vowels in the username itself (e.g. fred1, barney2, etc.) or some such way of identifying valid emails you've given out (e.g. just prefix them all like valid_username or somesuch). Then just reject ANYTHING that comes in on a username that's not compliant with whatever policy you've chosen.
Still unlimited aliases. Still all at your domain. Easy to remember/create. Stops all the spam username-guessing. Can be implemented with a manual filter on the end account.
Personally, with the above, going to a server under my control, implementing postfix, postgrey (greylisting), Spamhaus and then forwarding to a third-party webmail service the spam I get is zero except to those addresses that I know are spam (e.g. forum signup accounts). Hell, the underlying account gets spammed more than my domain, and that's not EVER been advertised anywhere (I have no need to). Solution: Block all mail directly addressed to the underlying account that wasn't originating from my server. Or just IMAP into your server mailbox direct (but I don't like the thought of running something like SquirrelMail on my own server for web access, to be honest).
Gmail itself has tightened up their security very well in the last year or so, now doing sanity-checks on geo-location.
I discovered this via an alert from Google. I'd got a bit slack with password re-use (and the HaveIBeenPwned site only has a subset of pwned sites) and there'd been various news items re cracks, and due to job-hunting and the egregious blending of databases behind the scenes in modern recruitment firms (you may not be aware that massive mergers mean that when you apply for a job and are mandatorily required to enter your life details and ID details, that then gets immediately spammed through as many as a dozen or more other companies when you hit Save) (And often multiple countries -- quite surprised to discover a govt job app in Australia took me through 3 or 4 countries, finishing in IIRC Portugal).
I got a warning someone tried to login to a specificuse email with the correct password, from Texas, then just a month or so ago someone on another email likewise from Mt Gravatt, just down the road from me in Brisbane.
So your actual gmail account itself is probably OK.
And it serves as a timely reminder to not get lazy with password reuse :)
Oh, and you ARE subsetting your email by specificuse addresses, right? Free on gmail.
Gmail itself has tightened up their security very well in the last year or so, now doing sanity-checks on geo-location.
I discovered this via an alert from Google.
Nice when it tells you of stuff from out of your city. Not so nice when it says 'Someone from Wellington" and you happen to live in Wellington. Did it just throw a hissy fit when one of the machines polled it, or was it someone else? What's the IP address?
That would help. Then again, while they say "Wellington" they could mean "Brazil" - Google's claims about my location (even when using a NZ ISP) has not always been known to be within 2,000 miles of where I actually am.
I'm afraid selling a password manager doesn't exactly work... possibly one of the best password managers out there is already free of charge, and with an update in Google Chrome it even allows you to create a random password that it stores.
The password manager is called Google Passwords. If you've got a google account and you've ever told Google to remember a password in Chrome and have Chrome Sync set up just head on over to passwords.google.com - login to your google account and hey presto! there are all the passwords you ever told google to remember for you.
In reality there is no point in selling password managers because there are that many free ones out there, unless you make your password manager do something extremely flashy then your running against something that is already there.
Also the better solution to this to save your account from being hacked is to also use 2FA - you can download an app called Authy which will allow you to create 2FA codes easily on your phone, or if you search U2F or Yubi key on Amazon you can pick up a cheap U2F key which adds hardware security to your accounts (a U2F key is a small USB dongle that plugs into the computer when you want to login, after entering your password you then press a button on the dongle and it authenticates your login. The dongle produces a unique code and so to login it ensures you have the device (of course if someone steals the device then they could login but they'd have to also figure out your username and password as well and which accounts the U2F key are for, and hope they can login before you change the U2F key - there are also backup single use codes just in case you lose the device.)
Type in a password you suspect is out there and it tells you if it appears in the list. Without tying it to you, or anyone, of course.
Of course, for a laugh, I typed in 'password' and said over 50 million accounts used it. This kind of hack is nasty, but some of us should at least TRY to have a proper password!
Typed in the password 'donaldtrump'
Oh no — pwned!
This password has been seen 294 times before
This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!
If you've ever used it anywhere before, change it!
You can't tell me that. I have the best passwords, the yugest passwords. Everyone tells me so. I'm a stable genius and I know which is my password. You can't take my password from me. I'll pass a law, make the best deal in Congress. Then write an Executive Order so the courts will support me.
Psst! Barron! How do I change my password? Good boy. Daddy loves you. No, not like Eric. And definitely not like Daddy loves Ivanka.
Sometimes "Password" is the best password. I have a domain that I've been using for almost 25 years. In that time I've been asked for a email address and password for hundreds if not thousands of sites that I don't trust at all. Far too many of those untrusted sites happen to be on HIBP's lit of Pwned Websites. The most common email address I use for these throw away things managed to get 4068 spam messages already this year and that is the ones that got past the spam filters.
. . . tried my work email on it. Said I was compromised three times. One of them was a 2013 breach. Problem is. that email account was created in late 2015.
The other two are companies I've never heard of, much less created an account with.
And, gee, if I want more details, I have to sign up for their pay service. . . .
I'm thinking of this as maybe 20% informative, 80% Biz dev for their paid product. . .
Everyone I know with an enforced automatic password change has a list of the passowrds posted on their monitors.
I've done that, nothing wrong with it.
If you have the full user name plus PW, that may be an issue. But only if undesirables can see it. If no one undesirable is going to see it then not a problem.
Lots of sneering at enforced password changes.
For clarity - I 100% agree that it's terrible practice. Sadly several of the large certification bodies disagree.
We recently had to "cyber essentials certify" because some extremely large client thought it important.
This is one of the boxes you have to tick. That we enforce regular password changes and complexity blah blah blah. Left up to us, it'd be different. Not up to us in I.T though.
Depends on your context. The tradeoff is over-frequent enforced changes encouraging weaker passwords or password practice (postit note reminders, eg), vs old passwords still usable some time later.
For banks and investment managers, for example, my own risk assessment is that regular and moderately frequent changes ARE a nett positive, in view of the huge risk of an soon-to-be-ex-employee remembering someone's once-overheard or over-seen password. That could be half a billion dollars out the door without anyone noticing for a coupla days. For example.
Horses for courses, basically. There IS no silver bullet.
And even the most technically-tight control can be utterly abrogated by social/cultural practice (eg, something I saw 2 years ago: all offshore (multimillion to multibillion) offshore payments controlled via a separate machine. Yay. With a hardware dongle. Yay. Said dongle left next to the machine for everyone for convenience. Whoops.
We recently had to "cyber essentials certify" ...
This is one of the boxes you have to tick.
The NCSC(UK) rules that came into effect on 1st March 2017:
> The requirement to change admin passwords on a regular basis (at least every 60 days) has been removed.
> The requirement that passwords be promptly changed if the applicant knows or suspects they have been compromised has been added.
> The requirement for password lockouts or timeouts has been added. This limits the risk of brute force attacks on accounts and will:
- lock accounts after no more than 10 unsuccessful attempts
- limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
> You should have a password policy that tells users:
- how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet).
- not to choose common passwords — this could be implemented by technical means, e.g. using a password blacklist.
- not to use the same password anywhere else, at work or at home.
- where and how they may record passwords to store and retrieve them securely — e.g. in a sealed envelope in a secure cupboard.
- if they may use password management software — if so, which software and how?
- which passwords they really must memorise and not record anywhere.
Suspect your certifying organisation was using an old questionaire.
Companies have sub companies, trade under different names, get sold on to other companies etc.
Just because you haven't heard the company name doesn't mean that your email address was never used to sign up to that company. Also the breach lists are usually sold on by 'hackers' who may be merging data, combining it with other data etc. You know they may not be the most reliable people and therefore might try to inflate a 1mill list to 2mill.
However if your e-mail address is on that list then it has almost definitely been compromised somewhere.
Just went through my list of current passwords, just in case, and the only one compromised is the one I use for throwaway accounts. I hadn't noticed that option before but it's been sometime since I last checked Troy's site.
Still changed passwords on key accounts (those tied to money) anyway.
There are invalid email addresses in this list (I know because someone tried to tell me it was a scam site based on that fact), probably from people generating potential email addresses for company domains using common names etc and then they end up in a phishing attempts list or something. Details for the breach show that the data may have come from several sources.
There isn't any push to purchase anything, other than the recommendation that 1password is good because it uses an API to alert you if passwords you store in it are part of a breach. It's written by a totally different company (any company can hook their software into the data to check this).
I seriously did have someone tell me they're convinced this is a huge scam to harvest email addresses and passwords entered by people from the same source IP address (to link them together) which to be fair would be a brilliant one - spend years building a reputation and working for Microsoft etc to then use a fake massive email and password data breach to harvest thousands of peoples real details. I did point out (among other reasons) that why would you tell people their data had been breached and advise they change their password....
"...this is a huge scam to harvest email addresses and passwords entered by people from the same source IP address (to link them together) which to be fair would be a brilliant one..."
Years back when I was managing a few forum pages, I wondered if it would be worth logging failed login attempts along with the failed credentials. Never bothered but I can bet I would've been given people's email acc passwords and/or passwords to other sites they often visit.
I would also bet that 1) I am not the only person to have thought of this and 2) it has already been done.
> I wondered if it would be worth logging failed login attempts along with the failed credentials.
Well, in doing some research I came across this:
From the attached guidance, I suggest MS had been doing this for some time, and that MS and other identity providers (IdPs) are doing this today (why wouldn't they?)
>Said I was compromised three times.
I found it useful to use the password search.
Whilst it says my main email address has been compromised four times.Like you two breaches, I recognise (Adobe & LinkedIn) however, the other two (Onliner Spambot & Modern Business Solutions) aren't really helpful, as without knowing the password I cannot identify the site that was originally compromised.
With the two I recognised, I was able to use the password lookup to confirm that the password that I was using on those websites back then doesn't appear on any breach list.
In this instance I'm uncertain of the real value of a password manager, over and above a pocketbook. But then 1Password has been integrated with Troy's website and so can automatically check for compromised passwords...
But where am I supposed to get a lavatory (let alone a disused one)...?!?
Well, once you've put a "beware of the leopard" sign on the door - your frequently used lavatory will soon become disused. Especially after the first few maulings.
A yellow warning Wet Floor sign in a conspicuous pool of blood helps, if you're a bit short of leopards...
I store my low security passwords in a Keepass wallet.
I store my high security passwords in a Keepass wallet that's on a VeraCrypt volume.
I store my really high security passwords (ie. banking info) in a Keepass wallet that's on a VeraCrypt volume that's on a portable drive that's disconnected and locked in a fireproof safe when not being used.
And no, I'm actually not joking about that.
Password managers don't have to be networked applications. There are many standalone password wallets that are essentially just password-protected local files.
My favourite is Keepass (link). It's free, open source, and available on numerous platforms, both desktop and mobile. And most importantly, it's been audited by security experts like nobody's business.
I agree, "cloud-based password manager" can be synonymous with "single point of failure". But if your passwords are stored in an encrypted file on your Windows/Mac/Linux/Android/IOS box/tablet/phone, they're going to have to be able to access it either physically or remotely before they can even start cracking the password file.
I believe they used to tell you what sites you were breached from... but now it looks like that's gone. They only point you to an FAQ, so I can't easily tell how bad the damage is. Perhaps that's what's happening... so many people say, "Meh, that's so old that i won't bother buying these password services..." so they've stopped telling people which sites they were pwned on, perhaps in the hope of panicking more people to buy their services.
Not accurate. Read the full description and it does indeed tell you where it came from. You're so bloody cynical.
iPmart: During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 368k accounts were added to "Have I been pwned" in March 2016 bringing the total to over 2.4M.
I work for government. Being cynical is part of the job description. Yes Minister.
They are counting collections and separate data breaches as "breached sites" so I suppose that's where the problem is coming from. Telling me x number of breached sites, but actually being within larger collections.
If you have unique passwords for every site and they are very strong passwords then you can use the api to create a hash of your passwords and upload the first 5 characters. The reply can be used to check against that password to see if it has been used.
In that case you will be able to work out which site the password came from.
Similarly if you use unique email addresses for each site (i.e. you have your own domain or use the + method of email addressing) then the compromised e-mail address will tell you the site it came from.
I got an email about this. When I ran the domain level report to see which accounts appeared I saw 5 that were valid and current email addresses and another 23 which were mangled versions of these, or really old "one off" emails that were used about 15 years ago.
While it's a big number, I don't think it will have hugely increased the number of pwned addresses overall.
It is El Reg, so hopefully sarcasm. PW managers are the biggest risk out there. At least one of the big ones has already been breached a couple years back and the others all have huge bullseyes on them.
Never understood the mindset that a single point of failure is a somehow a good idea.
I have a list using a notepad that sits on my desk at my house. The last page of said notepad. For "backup", there's a copy in my fireproof lockbox in the closet. Not too paranoid, right? If the house burns down, the lockbox should be safe although I'll probably have bigger problems than not having a password at had.
The ones I've seen are about having activated your webcam and videoed you watching porn. The ones I got at work weren't even using my work email address, so I don't know if that was a mistake in their email software - as they sent it to the right email, just used a different one in the body.
But I got a panicked call from a friend about it - I suspect her email address went in the Experian hack. Then had to navigate a rather embarrassing ten minutes to reassure her that changing a few passwords would be a good idea if she'd been re-using them - but she was fine. The question I definitely wasn't asking being about online porn - because she's incredibly uncomfortable about sex, and I'm pretty sure she was more worried about that than her online email being hacked. Nasty little email, and I hope that particular hacker's server racks fall on his head.
Yes, that's the one I've had. manutd is one of my passwords that I only use in places I really don't care about, don't trust and expect to get hacked. My email is mail@domain, which explains the first part of the subject:
Subject: mail : manutd
I am aware manutd is your pass words. Lets get straight to the point. Not one person has compensated me to check you. You don't know me and you're most likely thinking why you are getting this email?
actually, i placed a malware on the X video clips (porno) site and do you know what, you visited this website to have fun (you know what i mean). When you were watching videos, your browser began functioning as a Remote control Desktop with a key logger which provided me with access to your display screen as well as web cam. immediately after that, my software obtained all your contacts from your Messenger, Facebook, as well as e-mailaccount. after that i created a double-screen video. 1st part displays the video you were viewing (you've got a good taste lmao), and next part shows the view of your web cam, & its you.
You have got only 2 solutions. Lets read up on these types of choices in details:
Very first alternative is to ignore this e-mail. in that case, i most certainly will send your tape to all of your contacts and just think regarding the disgrace you experience. and as a consequence if you happen to be in a romantic relationship, just how it will affect?
Number two alternative should be to give me $887. Lets describe it as a donation. in this scenario, i most certainly will instantaneously eliminate your video footage. You could resume everyday life like this never occurred and you will not hear back again from me.
You will make the payment through Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).
BTC address: [redacted]
[CaSe-sensitive copy & paste it]
if you have been making plans for going to the cop, well, this message cannot be traced back to me. I have taken care of my steps. i am also not attempting to ask you for a huge amount, i simply want to be rewarded. e mail if i do not receive the bitcoin, i definitely will send your video recording to all of your contacts including membe rs of your family, colleagues, and so forth. However, if i receive the payment, i will destroy the video immediately. If you really want evidence, reply Yes then i definitely will send your video to your 10 contacts. This is a non-negotiable offer that being said please do not waste my personal time & yours by replying to this e-mail.
I ended up checking the list of 2,000 plus websites just to see which ones I was registered on.
Not a single one of them I knew of.
Could possibly be a fake list containing details from previously leaked breaches, then randomly mixing the passwords with other e-mails in order for hackers to sell to morons.
I've received two blackmail spams (pay or we send your web cam porn to all your contacts) using info on there.
It's the junk email and password I used when a site requires you create an account to download an update. I don't know who leaked it and don't much care, that's why I used a junk email forwarder. As a bonus it was forged to look like it came from that address.
In case anyone missed the link above, you can check if your passwords appear on any of the lists at https://haveibeenpwned.com/Passwords
As expected, the passwords I use for forum sites (including this one) and other throwaway accounts all have "been seen nn times". Happily the ones I use for sites that hold data that actually matter are fine.
Or maybe they aren't now that the site has linked all my passwords to my IP address. WHAT HAVE I DONE?
Hence why I shall not partake of the opportunity to vanity-surf.
Just because a password has been seen doesn't mean it's not safe. In time every human-possible password will be 'seen' (at least in theory). Matching them with a user name or email is another matter.
I'm certainly not testing my bank ones without firing up some torified or other hide-me browser/connection.
According to haveibeenpwned, none of the passwords I use have been compromised. What a letdown. Granted, I only checked the ones I deem important, but still. Seems like I would get some damned respect.
Mine's the one with all the passwords on index cards in the pocket.
I haven't even bothered checking if the email addresses I've used exclusively for PayPal are there. They will be because those numpties think it's a good idea to pass it on to every merchant even if it's also the logon ID. The only way to handle that would be to change the email after every purchase.
Why do so many businesses think that an email address is a good logon ID?
I was surprised to find that my dedicated (15+ years) PayPal address wasn't in there. Especially since it is occasionally received on a spam email.
Only two of the ones I checked were there - and both would have appeared in either Yahoo Groups postings - or as public contact details on a web site I manage.
I note using the "I've been pwned" password check using old passwords, and spam I've received telling me my porn watching habits are for sale for all and including an old password from Linkin as proof, that each breach cracks a one digit longer random password that I have used in the past. They are making progress......
Those pathetic scamming emails have been increasing lately, I've seen loads come through for accounts I've killed off 2-3 years ago. I check the passwords they send me in my keystore but out of 15 in the last 3 months none are active and none of the passwords are active.
Always, always use a password manager you can then always ensure you have non-reusable passwords, even for crappy one-off logins for forums and such like. I can't believe that a quick straw poll at work showed me that out of 10 IT techies only 2 of us use password stores for work and home account details. Where does everyone store their passwords, on Post-Its on desks? In text files?!
it's just reporting that your email address has been found on a list for a site which has been pwned.
it's NOT able to say if you HAVE been pwned, merely that you are at risk.
and yes to the replier above: most of these emails are taken from leaked lists, which have often been trawled rather than cleverly pieced-together-with-sites. it's not an either/or thing, it's both.
I'm concerned that in the pursuit of headline grabbing numbers the quality of the list is at hazard. I've got numerous gmail accounts designated for different purposes so the first problem is that I can't submit a list but have to do the names one by one.
One example of a second issue is that one of my addresses is shown as leaked on Disqus, but was it? The report says "In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced."
I joined Disqus in 2016. So was the leak of 2012 data or did the leak continue right up to the date of the announcement in 2017? The password that might have been "disclosed" (disqus stored as salted SHA1) was unique to access that site, it wasn't my EMAIL password, even if it had been it's protected with 2FA giving extra security. I don't recall if Disqus sent a breach report to all their users but if they did I would have changed password. Good practise on their part after a leak would be to require a password change on next login, if that were the case much of the database would be entirely misleading - your email address is "known to third parties" but what use is an email address that's not known to others?
It seems to me that haveibeenpwned lists any email address that has ever been on any site that's suffered a leak irrespective of other considerations and they are being treated as compromised.
So the email address check is not very useful, is the aim of haveibeenpwned.com merely self aggrandisement? More use might be the "pwned password" test but don't forget that's not YOUR usage of that password and not necessarily linked to one of your sets of login credentials. It just tells you that someone, at some time in the past, has used that password on one or more of thousands of compromised sites. Interestingly it seems plenty of low-grade passwords haven't been compromised. Obviously "123456" and "password" have millions of instances, we are advised against short passwords but even "l2e4S6" and "p4s5w0Rd" (letter/number substitutions) aren't in the database.
A combined test for email and password would be more value to you but who'd be stupid enough to enter both to a third party web site? I'm reasonably confident that haveibeenpwned.com is trustworthy but I'd not disclose full credentials on the basis of "I think it's probably a trustworthy web site". Even if you checked email and then password on the same site, visitor tracking capabilities are such that the two separate enquiries could be shown as coming from the same source so you've potentially provided the site owner with the full set of login credentials.
I'm reasonably confident that haveibeenpwned.com is trustworthy but I'd not disclose full credentials on the basis of "I think it's probably a trustworthy web site".
Oh, I can see it now!
In normal, safe, un-threatening text "Please enter your email address to check if you have been pwned".
Non-threatening "Please wait while we check"
Very large, flashing, super-scary "YOUR EMAIL ADDRESS HAS BEEN HACKED! URGENT ACTION IS NEEDED! ENTER YOUR PASSWORD SO WE CAN CHECK IF THAT IS SECURE!".
And the sad thing is I know so many people who will do it because the site told them to.
Maybe we need a new line of computer furniture. With built-in shackles and spikes, custom designed to cause unpleasant feelings in those who are likely to give their details away. Carefully custom-designed so those who revel in pain don't get the sort of pain they enjoy, but other pain instead.
Biting the hand that feeds IT © 1998–2019