What to do if haveibeenpwned says yes?...
-
...specifically & only for the scenario wherein one's email account itself was not breached, but Troy's site reports that said email address was exposed when a 3rd Party site one uses was hacked.
In this thread, i'm not interested in the myriad alternative potential account pwns [eg, if it was the email account itself that was compromised (in which case it would be utterly duh obvious that a new email account password would be the very least of the things one urgently should do)].
Step 1: Change Your Password
If you get pwned, you need to change your password as soon as possible.
-->I riposte: Which password? The email account, or the 3rd Party account which exposed said email? Why are you tech journalists so crappy?
- Change Your Password
If you get pwned, change your password as soon as possible.
-->I riposte: As above.
- Now, change your passwords
This is one of the most important steps to take. It’s a healthy habit to change your passwords every now and then. If you suspect or know that your email has been pwned, you must change them.
-->I riposte: As above.
For starters, change your password.
-->I riposte: As above.
If your email address has been compromised in a data breach, it’s a smart move to change your login password for your email address, and for the service which was affected by the breach. Even if your email account itself hasn’t been victim of a data breach, there’s a security risk if another account that you log into with the same password has been affected.
-->I riposte: Aha, finally a slightly better-quality tech journo, more adept at avoiding the bleedin' obvious logical ambiguity of the previous ones.
Step 1: Change your passwords
You know your credentials have been leaked, and your email address is out there for someone to possibly brute force and access your accounts. So, the first thing you should do is change your password.
-->I riposte: Sigh, so the quality plummets again.
What should I do if my email address was pwned?
As Troy notes in a response to this question on Twitter, "if you've got strong, unique passwords, I wouldn't do anything".
Frankly, if you've got strong, unique passwords, I wouldn't do anything. Plus it would make you exceptional
— Troy Hunt (@troyhunt) August 30, 2017
For privacy reasons, Troy doesn't save the passwords in these lists so the service can't tell you which one was compromised. The best option then is to assume it has been.
For anyone not using strong and unique passwords everywhere, this means you should change your passwords.
-->I riposte: Oh yay, finally a much more thorough journo who did the radical thing of actually "checking" with Troy himself [i don't use twatter, so had no way of knowing such a chat had occurred].
-->I DO use strong and unique passwords everywhere, so his advice seems entirely rational to me.
I'm curious for feedback / reality checks here please -- what would you do if/when you find yourself in this identical scenario? Is Troy's advice appropriate?
-
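Troy's "strong, unique" advice presupposes a way to tell whether a given password is already sitting in a breach corpus without handing that password to anyone. As an added example that is not part of this thread, the Python below shows how the Pwned Passwords range lookup works (send the first 5 hex characters of the SHA-1, compare the remaining 35 locally against every suffix in the returned range). It runs offline against a constructed in-memory stand-in for the API; the corpus, its counts and the `fake_range_api` / `live_range_api` helpers are this example's own, not anything from the page.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Simulated server side -------------------------------------------------
# Constructed miniature "breach corpus": password -> how often it was seen.
# Fabricated for this example; real counts come from HIBP's corpus.
_FAKE_CORPUS = {
    "password": 3_000_000,
    "123456": 23_000_000,
    "letmein": 250_000,
    "hunter2": 17_000,
}

# Index by 5-character SHA-1 prefix, the way the range endpoint is organised:
# each range holds "SUFFIX:COUNT" lines for every hash sharing that prefix.
_FAKE_RANGES: Dict[str, List[str]] = defaultdict(list)
for _pw, _count in _FAKE_CORPUS.items():
    _h = sha1_hex(_pw)
    _FAKE_RANGES[_h[:5]].append(f"{_h[5:]}:{_count}")


def fake_range_api(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return "\r\n".join(_FAKE_RANGES.get(prefix.upper(), []))


def live_range_api(prefix: str) -> str:
    """Real network fetch against the public API; not called in this example.

    Add-Padding makes every response a similar size so an observer cannot
    infer the range from the response length.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Client side -----------------------------------------------------------
def pwned_count(password: str, fetch: Callable[[str], str] = fake_range_api) -> int:
    """Return how many times `password` appears in the corpus, or 0.

    Only the first 5 hex characters of the SHA-1 leave this function; the
    remaining 35 are compared locally against every suffix in the range, so
    the server learns at most that one of the hashes in that range was asked about.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            # Padded responses carry dummy entries with count 0: treat as not found.
            return int(count) if count.isdigit() else 0
    return 0


if __name__ == "__main__":
    for pw in ("password", "hunter2", "correct horse battery staple 9f2a"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

To run it against the real service, pass `fetch=live_range_api`; a count of zero then means the password is not in HIBP's corpus, not that it is strong.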
This post is deleted!
-
@guigirl Well, "your email address has been exposed" - would that mean it has the same exposure as your Vivaldi email address?
-
Aw...
Will i ever know what you were gonna say to me?
-
@guigirl said in What to do if haveibeenpwned says yes?...:
Is Troy's advice appropriate?
use strong and unique passwords everywhere
Always appropriate!
-
@tbgbe No, that's not the part i was querying. I seek others' opinions, specifically on his...
Frankly, if you've got strong, unique passwords, I wouldn't do anything. Plus it would make you exceptional
— Troy Hunt (@troyhunt) August 30, 2017
...given all the others i quoted merely mindlessly screamed "Change your password" without any nuance.
-
@guigirl Oh, OK.
So the "other sources" are just advising the majority (i.e. the non-exceptional); in that case "change your password" is fair enough; isn't it?
They could/should have added "change your password to a strong, unique password" I suppose.
Then again changing a "strong" password to a "stronger" password would be good advice too!
-
@tbgbe ...this isn't going quite as i'd envisaged, she mumbles to herself...
-
@guigirl
Yes: Hi, it happened for me some time ago, but it was a simple password (5 numbers) I am not using anymore, so I ignored it. Cheers, mib
After rereading I thought it is not relevant.
Bye, mib
-
Does it say if password hashes were even leaked or was it just email-addresses?
What algorithm was used for the hashes?
https://en.wikipedia.org/wiki/Comparison_of_cryptographic_hash_functions
Were they salted and if so did the attackers also obtain the salt in the data?
https://en.wikipedia.org/wiki/Salt_(cryptography)
There's a lot of things to consider here, not easy to figure out for most people whose data has been exposed in a breach. That's why the general advice is to change your password anyway.
And do you really want even a cryptographic hash of your password hanging around in some hacker's data files? Even if it most likely can't ever be brute-forced in a million years - unless they're the NSA/GRU/MI6.
In addition to the password, they now of course have your email. It's good advice to use a "plus address" when signing up for services, if supported by your provider. This way you can just filter mails from that address if you start receiving a lot of spam.
https://en.wikipedia.org/wiki/Email_address#Sub-addressing
I actually think the largest value of such breaches to a hacker is the email addresses. The passwords in general are not worth the trouble to try brute-forcing. Emails at least can be sold off to spammer lists. And of course any other personal data can be abused for blackmail/impersonation/scams etc, depending on its nature...
My current main email gives:
"Pwned in 9 data breaches and found no pastes (subscribe to search sensitive breaches)"
These include Avast, Disqus, Gravatar, Imgur and Last.fm.
-
@pathduck Nice info ta.
Fwiw, here's what Troy's site says:
Email 1 [this is an ancient account that i often forget i have, do not actively use any more, & whose site no longer even lets me login to change details or even delete the account. So today i scoured my KeePassXC db for each instance of my 3P accounts that used that addy for login, then either changed them to another email or closed the entire 3P account]:
Cit0day (unverified): In November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day were made available for download on several hacking forums. The data consisted of 226M unique email address alongside password pairs, often represented as both password hashes and the cracked, plain text versions. Independent verification of the data established it contains many legitimate, previously undisclosed breaches. The data was provided to HIBP by dehashed.com.
Compromised data: Email addresses, Passwords
Collection #1 (unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.
Compromised data: Email addresses, Passwords
Email 2 & 3 [i do not even have a damn gravatar account, dagnabbit]:
Gravatar: In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data. Following the impacted email addresses being searchable in HIBP, Gravatar released an FAQ detailing the incident.
Compromised data: Email addresses, Names, Usernames
Email 4:
This email was used as login for one of the charities i donated to for years, which was seriously breached early this year. I'm not going to name them here or provide other info, but i'll mention that this one alarmed me the most at the time, albeit so far i've seen zero personal consequences...
-
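Two passages above turn on the same mechanism: pathduck's questions about which hash algorithm was used and whether it was salted, and the Gravatar entry in guigirl's post, where 114 million unsalted MD5 hashes of email addresses were "cracked" simply by hashing known addresses and matching. The Python below, an added example and not code from the thread or from Gravatar/HIBP, shows why: an unsalted fast hash is reversed with one precomputed table, a per-record salt forces a fresh wordlist pass per record, and a slow KDF makes each of those passes expensive. The candidate lists, the "scraped" hashes and the salt are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed candidate lists standing in for what an attacker already holds:
# email addresses harvested from other leaks and a small password wordlist.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]
CANDIDATE_PASSWORDS = ["123456", "password", "letmein", "hunter2"]


def gravatar_hash(email: str) -> str:
    """Gravatar's published avatar reference: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_md5_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Against unsalted MD5 the same table
    reverses every matching hash in the whole leak with a dictionary lookup."""
    return {hashlib.md5(c.encode("utf-8")).hexdigest(): c for c in candidates}


def reverse_unsalted(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """O(1) reversal of an unsalted hash; None if the plaintext is not in the table."""
    return table.get(hash_hex.lower())


def salted_md5(password: str, salt: bytes) -> str:
    """Per-record salt prepended before hashing (still MD5, still fast)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def crack_salted(hash_hex: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """With a salt the precomputed table no longer applies: each record needs a
    fresh pass over the wordlist, so attacker cost scales with records x guesses."""
    for c in candidates:
        if salted_md5(c, salt) == hash_hex.lower():
            return c
    return None


def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """What a site should store instead: a salted, deliberately slow KDF, so each
    of those per-record wordlist passes costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


if __name__ == "__main__":
    table = build_md5_table(CANDIDATE_EMAILS)
    # "Scraped" hashes, constructed here from two known addresses plus one outlier.
    scraped = [gravatar_hash(e) for e in (" Alice@Example.com ", "bob@example.org", "zed-8f1q@example.com")]
    for h in scraped:
        print(h, "->", reverse_unsalted(h, table))  # outlier stays None

    salt = b"\x9a\x11\x02\x7f"  # constructed per-record salt
    h = salted_md5("letmein", salt)
    print("table hit on salted hash:", reverse_unsalted(h, build_md5_table(CANDIDATE_PASSWORDS)))
    print("per-salt pass over wordlist:", crack_salted(h, salt, CANDIDATE_PASSWORDS))
```

Note that the salt buys nothing against a single targeted record once the attacker has it (as pathduck asks, the salt usually ships in the same dump); what it removes is the one-table-reverses-everything property that made the Gravatar scrape so cheap. Only the slow KDF changes the per-guess cost.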
@guigirl said in What to do if haveibeenpwned says yes?...:
i do not even have a damn gravatar account, dagnabbit
Have you ever had an account on Wordpress? They own Gravatar so that's probably why. Or maybe Tumblr and some others.
https://en.wikipedia.org/wiki/Automattic
-
@pathduck I have a gravatar, which means if I join a site that uses gravatar and tell them my email address I automatically get the same avatar you see here. Do I have a "gravatar address"? No idea, maybe?
-
@pathduck said in What to do if haveibeenpwned says yes?...:
ever had an account on Wordpress?
No... but i do have an account in the site for Firejail, which has/had a presence on a Wordpress-based site... dunno if that's too tenuous to be a viable pathway here.
Tumblr
No, never.
some others
Hey, now these sound quite familiar to me -- i bet they're the rotters wot burned me! I should unleash nobody onto them, pronto.
-
I use https://monitor.firefox.com to monitor all my email addresses.
It shows the gravatar breach for me also, and advice for what to do.
For this one there is not much risk, and all you can do is change the email used with the account, or close the account.
Then there is the breach of verifications.io which is not a site you or I would ever have made an account with.
It is a 3rd party that was used by other sites we use.
They collected things like phone number and IP address.
There is no way to resolve this.
-