Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[zirk]

Check if you have an account that has been compromised in a data breach

haveibeenpwmed.com

Just checked all my email addresses, do far so good.

[zirk]

Hmm, link not working try this -

https://haveibeenpwned.com/

This was in the News this week, for those wondering wtf is this about, -

http://www.bbc.co.uk/news/technology-41095606

[moggy]

Hmm, link not working try this -

https://haveibeenpwned.com/

This was in the News this week, for those wondering wtf is this about, -

http://www.bbc.co.uk/news/technology-41095606

Hi Zirk,the site says i have been pwned,so what do i do about it Dean.

[Gaffers]

For those accounts that are listed as pwned, change the password to one which is complex enough (10 characters min pref 16, mix of upper/lower case, numbers and symbols)

If any cards are listed in pastebins get them reissued.

If bank details are there inform your bank.  It's up to them to act, but if they are informed and anything goes wrong it helps with your claim.

If personal details are there then look at changing any security questions that overlap such as mother's maiden name, etc.

[Gaffers]

For info I have 2 entries on there, mainly from harvested details from a couple of websites that should have done better to protect themselves.  Follow the basics above and you'll be fine 

[Sir Tigger KC]

So this haveibeenpwmed site is genuine and not some sort of data harvesting scam itself?     

[zirk]

Hi Zirk,the site says i have been pwned,so what do i do about it Dean.

Change your Password as Guffer said, and if your using the same password across multiple accounts stop doing that, thats the key here, lose the same password on one account then your other accounts are also at risk, thats what the Hackers are banking on.

After changing your Site Login Passwords, dont forget to change your actual email account(s) Password, a lot of people actually change all there Logins and forget their emails accounts.

On the same Site - https://haveibeenpwned.com theres a Password Checker as well (Dont check active passwords, only old ones that your not using anymore), this will tell you whether your old Password has also been indexed with there Data Base info. 

[zirk]

So this haveibeenpwmed site is genuine and not some sort of data harvesting scam itself?     

I did check, as well as the Sites Owner, comes back as Trusted, but hey this is the Twinterweb.

[Gaffers]

So this haveibeenpwmed site is genuine and not some sort of data harvesting scam itself?     

I did check, as well as the Sites Owner, comes back as Trusted, but hey this is the Twinterweb.

I work in IT/Info Security and it is well known as one of the good guys.  Respected is a bit strong but certainly no evidence to suggest it's a data harvester.  In fact there are some companies that use it as a service offereing for identity theft protection etc..

[aaronjb]

What Matt said - yes, the site is trustworthy (as in, they are not harvesting your details).

They don't really need to, because they already hold 1,400,000,000 records of email addresses collated from various breaches.

I may be paraphrasing what's already there to read in the BBC article (I haven't read it - I read Troy's own report when it came out) but basically, HIBP built a database of ~700m records over the last two years by pulling freely available data (if you know where to look) dumped on the internet by black-hat (bad) hackers after they had breached various organisations (LinkedIn, Plex, various internet forums, Adobe, P*rnhub, etc).

This week they were made aware of a new, single, dump containing ~711m records of email addresses, passwords, locations etc. The analysis is that this data was being used by spammers to target and send emails - the passwords were those of peoples SMTP (mail) servers (i.e. likely your ISP or gmail etc password) which means the spammers can send mail as you.

Most of those passwords were traced back to a couple of breaches (LinkedIn being one of them) where the SHA1 hashes of peoples passwords were exposed. SHA1 is now fairly trivial to reverse (and should not be used as a hashing mechanism anymore) and so those passwords have been reversed and matched to other accounts.


So, basically:

1) Don't use the same password everywhere
2) Do use a good password manager, so that you don't do #1
3) If you have been pwned, and you know you were in a breach that contained password information or use the same password everywhere - change your password on the affected service and enable two-factor authentication where possible or, if you used the same password everywhere, change your password everywhere.

Sadly a large number of UK banks don't offer two factor authentication (i.e. a token you must physically possess) which, IMHO, is irresponsible on their part - and clearly demonstrates that they are rich enough or well insured enough to not care about your money going missing and potentially having to refund it to you, rather than wanting to actually protect you from that in the first place.

Incidentally, using SMS messages to implement the second factor is not fool-proof as it is reasonably trivial to redirect your SMS messages to anywhere in the world (the messaging system mobile phone companies use to manage delivery destinations is thoroughly insecure - it's already been used to impersonate politicians, steal information etc); but it is better than nothing, where available.

[edit] My mistake, they hold 4,712,017,449 records now!

Also, for the record:

Oh no — pwned!
Pwned on 9 breached sites and found 1 paste (subscribe to search sensitive breaches)

Now ask me if I'm concerned? (No, I'm not - I have low password re-use, use a password manager and have two-factor auth where possible on sensitive accounts)

[Allenm]

I might be being thick here  , the email address I put in showed as pwned on 1 site.

How am I supposed to find out what information has been compromised - the info just looks like a list of what sites have been hacked and looked up.

[aaronjb]

Which site?

Most give a description like this that clearly say what you should believe has been compromised (taken from one of mine):

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text.

If you were found in a 'paste' then you can't always know, you just have to assume it may contain a password you use. If you don't use the same one everywhere, I wouldn't worry.. if you do, I'd be changing it.

[aaronjb]

For info I have 2 entries on there, mainly from harvested details from a couple of websites that should have done better to protect themselves.  Follow the basics above and you'll be fine 

Incidentally - I figure it's likely only you who'll be interested in this A colleague of mine has the source files from the recent leak (the ~711m records) and has cracked 100% of the hashed passwords contained therein..

..it took 32 NVidia GeForce 1080TIs under 12hrs to do.

I don't know if I'm more impressed that he found the source files, or that he has 32 (expensive!) graphics cards to dedicate to hash cracking..

[Kevin Wood]

For info I have 2 entries on there, mainly from harvested details from a couple of websites that should have done better to protect themselves.  Follow the basics above and you'll be fine 

Incidentally - I figure it's likely only you who'll be interested in this A colleague of mine has the source files from the recent leak (the ~711m records) and has cracked 100% of the hashed passwords contained therein..

..it took 32 NVidia GeForce 1080TIs under 12hrs to do.

I don't know if I'm more impressed that he found the source files, or that he has 32 (expensive!) graphics cards to dedicate to hash cracking..

.. and clearly gets bored easily.

[Allenm]

Which site?

Most give a description like this that clearly say what you should believe has been compromised (taken from one of mine):

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text.

If you were found in a 'paste' then you can't always know, you just have to assume it may contain a password you use. If you don't use the same one everywhere, I wouldn't worry.. if you do, I'd be changing it.

Under "Breaches you were pwned in"  it says "Online Spambot"

I can't see how a spam bot would have got the password though - I don't follow email links unless I absolutely trust them, and even then, I go to the homepage of the site by typing it in on the address bar.

[zirk]

For info I have 2 entries on there, mainly from harvested details from a couple of websites that should have done better to protect themselves.  Follow the basics above and you'll be fine 

Incidentally - I figure it's likely only you who'll be interested in this A colleague of mine has the source files from the recent leak (the ~711m records) and has cracked 100% of the hashed passwords contained therein..

..it took 32 NVidia GeForce 1080TIs under 12hrs to do.

I don't know if I'm more impressed that he found the source files, or that he has 32 (expensive!) graphics cards to dedicate to hash cracking..

A friend of mine is the IT Manager of a Private High School or what ever their called these days, anyway come Summer Holidays plus the other breaks, He has a large Network of Computers (and as you say Graphic Card Power) at he's disposal. 

[aaronjb]

Kevin -  He has a six month old kid so I am assuming it was "Must escape from baby" time in his household

Actually I was off on my statistics - it took six hours, 32x 1080TIs and another ~50 other, smaller GPUs..

Under "Breaches you were pwned in"  it says "Online Spambot"

I can't see how a spam bot would have got the password though - I don't follow email links unless I absolutely trust them, and even then, I go to the homepage of the site by typing it in on the address bar.

Allen, then further down the page you should see:

Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

A spam Bot didn't get your password, a spam bot was using your password (potentially).  This would be the breach I just noted as needing only 6 hours for a single individual to crack the password hashes - organised criminals would have even more power at their disposal.

Basically .. change your password(s). Everywhere, because Troy (who runs HIBP) isn't going to tell you which password has been compromised. Theoretically I could find out via Justin (the aforementioned individual with time on his hands) but I can't really pimp him out as a service

FWIW, he worked out that ~95% of his Facebook friends all have their details (including password, including mine!) in that dump, so you're not alone.

[Gaffers]

I would hazard caution against using online password managers, they are often targeted for obvious reasons and they are not infallible.  Only use offline ones that you can control access to (and by that I do not mean an excel spreadsheet, just look at Sont Pictures to figure out why that is a very bad idea)

I have recently got a Mooltipass to play with and I am quite impressed.  The wife is terrible at remembering the passwords for her important, yet frequently used, accounts and so needs this device.  I have trouble remembering all the various passwords for the Raspberry Pi devices I run so rather than using the same for them all or writing them down I have a separate card for me which I use for that.  It can also be used for a digital will in the event of death or incapacitation so that NoK can access the important stuff.

[Allenm]

Kevin -  He has a six month old kid so I am assuming it was "Must escape from baby" time in his household

Actually I was off on my statistics - it took six hours, 32x 1080TIs and another ~50 other, smaller GPUs..

Under "Breaches you were pwned in"  it says "Online Spambot"

I can't see how a spam bot would have got the password though - I don't follow email links unless I absolutely trust them, and even then, I go to the homepage of the site by typing it in on the address bar.

Allen, then further down the page you should see:

Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

A spam Bot didn't get your password, a spam bot was using your password (potentially).  This would be the breach I just noted as needing only 6 hours for a single individual to crack the password hashes - organised criminals would have even more power at their disposal.

Basically .. change your password(s). Everywhere, because Troy (who runs HIBP) isn't going to tell you which password has been compromised. Theoretically I could find out via Justin (the aforementioned individual with time on his hands) but I can't really pimp him out as a service

FWIW, he worked out that ~95% of his Facebook friends all have their details (including password, including mine!) in that dump, so you're not alone.

Thanks Aaron, I will have to change all my passwords then!  what a ball ache. I don't use the same password across multiple sites, so have shit loads as a result.

[Doctor Gollum]

LinkedIn seems to be the source. I no longer have a LinkedIn account, haven't done for a while now, should I worry, or is it the current email address etc that has been exposed

[biggriffin]

Kevin -  He has a six month old kid so I am assuming it was "Must escape from baby" time in his household

Actually I was off on my statistics - it took six hours, 32x 1080TIs and another ~50 other, smaller GPUs..

Under "Breaches you were pwned in"  it says "Online Spambot"

I can't see how a spam bot would have got the password though - I don't follow email links unless I absolutely trust them, and even then, I go to the homepage of the site by typing it in on the address bar.

Allen, then further down the page you should see:

Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

       

.

The above statement is what I got on one email address, could it be linked to one company the above statement  (virgin).

[frostbite]

I have 2 but I have never been on those sites
Last fm and River city spam list

both of which had issues back in  2012 according to the checker

[omega2018]

its easy to have just one basic password but never use the same password for every site. then for every site you will know each individual password but only have to remember one password.   just needs a bit of thinking about

similar method with pin numbers, you can write a different number (which isn't the pin) on all your cards, then by adding the number you do remember (and isn't written down) to each, you generate the pin unique to that card.

[aaronjb]

I'm just going to leave this here:



(Trouble is, most sites restrict the number of characters you can enter..)

[Gaffers]

ahem...dictionary attacks....ahem...

[aaronjb]

ahem...dictionary attacks....ahem...

Still made much more complex by passphrases rather than passwords.

What are the odds of a dictionary having "myauntoncedyedherhairpink" in it?

[Gaffers]

Depending on the phrase the entropy for a passphrase can be very weak  and reduce it even further by adding a bit of Natual Language Programming in order to workout possible word combinations like you describe.  You may have to have quite a long phrase in order to achieve the same entropy for a good complex 20 character password remembering that some websites restrict the size of a password to 20 chars or less due to the constraints on their hashing and salting algorithms.  This is where password managers come in and as long as they are offline and you keep a backup they tick nearly every single box.  They arent perfect but then nothing is, in this world it is all about making it hard to hack/break in/defraud you rather than your neighbour.

[STEMO]

I would imagine the thing you would like to protect more than anything else would be your banking. I use the iOS apps rather than websites and, I think, they're pretty secure.

[Gaffers]

Depends on the App as some are built well whereas others are absolute dog toffee.  Plus sometimes the teams they hire to pentest the app are not very good but as long as they get their tick in the box to say it has passed testing.....

[tigers_gonads]

Checked mine, all okay 

As for passwords, all based on the same thing BUT slightly different 
House Wi-Fi one is 34 characters long and uses more then just numbers and letters 

[STEMO]

Depends on the App as some are built well whereas others are absolute dog toffee.  Plus sometimes the teams they hire to pentest the app are not very good but as long as they get their tick in the box to say it has passed testing.....

Yes....but, then again, it's always been a balance between trust and paranoia.

[Kevin Wood]

Depends on the App as some are built well whereas others are absolute dog toffee.  Plus sometimes the teams they hire to pentest the app are not very good but as long as they get their tick in the box to say it has passed testing.....

Yes....but, then again, it's always been a balance between trust and paranoia.

Indeed. Whilst I roughly know where I stand with https site on a mainstream web browser, all bets are off with an "app" knocked up in a sweatshop somewhere so if it won't work with a web browser, I'm out.

[frostbite]

May be unrelated but would  it have been possible for the android system to have shared info?

If I install an app on my s6 it will ask to share some info before I can use the app, if you click no it will eitjer not work and ask you again or it will have limited functionality

[TheBoy]

Google store is known to be riddled with Malware, due to the (even now) lax attitude of Google towards security.

And you wonder why I refuse to use Chrome on any device .  Yet I wonder how many insist on running it on Windows with full Admin rights (and UAC disabled, for those who's ego far outweighs their capability).

[zirk]

May be unrelated but would  it have been possible for the android system to have shared info?

If I install an app on my s6 it will ask to share some info before I can use the app, if you click no it will eitjer not work and ask you again or it will have limited functionality

You can probably sideload the APK on Rooted / Developer Android, will probably work, most Apps opt for Google Services to be installed and running thats mostly where the Privacy issue comes in, personally I dont use Google Services for one of them reasons.