What Matt said - yes, the site is trustworthy (as in, they are not harvesting your details).
They don't really need to, because they already hold 1,400,000,000 records of email addresses collated from various breaches.
I may be paraphrasing what's already there to read in the BBC article (I haven't read it - I read Troy's own report when it came out) but basically, HIBP built a database of ~700m records over the last two years by pulling
freely available data (if you know where to look) dumped on the internet by black-hat (bad) hackers after they had breached various organisations (LinkedIn, Plex, various internet forums, Adobe, P*rnhub, etc).
This week they were made aware of a new,
single, dump containing ~711m records of email addresses,
passwords, locations etc. The analysis is that this data was being used by spammers to target and send emails - the passwords were those of peoples SMTP (mail) servers (i.e. likely your ISP or gmail etc password) which means the spammers can send mail
as you.
Most of those passwords were traced back to a couple of breaches (LinkedIn being one of them) where the SHA1 hashes of peoples passwords were exposed. SHA1 is now fairly trivial to reverse (and should
not be used as a hashing mechanism anymore) and so those passwords have been reversed and matched to other accounts.
So, basically:
1) Don't use the same password everywhere
2) Do use a good password manager, so that you don't do #1
3) If you have been pwned, and you know you were in a breach that contained password information
or use the same password everywhere - change your password on the affected service and enable two-factor authentication where possible or, if you used the same password everywhere, change your password everywhere.
Sadly a large number of UK banks don't offer two factor authentication (i.e. a token you must physically possess) which, IMHO, is irresponsible on their part - and clearly demonstrates that they are rich enough or well insured enough to
not care about your money going missing and potentially having to refund it to you, rather than wanting to actually protect you from that in the first place.
Incidentally, using SMS messages to implement the second factor is
not fool-proof as it is reasonably trivial to redirect your SMS messages to anywhere in the world (the messaging system mobile phone companies use to manage delivery destinations is thoroughly insecure - it's already been used to impersonate politicians, steal information etc); but it is better than nothing, where available.
[edit] My mistake, they hold 4,712,017,449 records now!
Also, for the record:
Oh no — pwned!
Pwned on 9 breached sites and found 1 paste (subscribe to search sensitive breaches)
Now ask me if I'm concerned?
(No, I'm not - I have low password re-use, use a password manager and have two-factor auth where possible on sensitive accounts)
Author
Topic: haveibeenpwmed.com (Read 5110 times)