Starkiller

have i been pwned?


3 hours ago, Somedude said:

Not a good idea to give your info to this website. 

You aren’t giving any info to them. They already have the info. You are just checking to see if your email address (or password) is in their database.

chef   
21 hours ago, Starkiller said:

For people who may not be aware, this is a handy site to see if your email address (or passwords you commonly use) has shown up in publicly available website security breaches. They just got a big data cache uploaded recently, so it might be worth a look.

 

https://haveibeenpwned.com/

If you have an email listed as breached, you think it's enough to simply change password?

2 hours ago, chef said:

If you have an email listed as breached, you think it's enough to simply change password?

Yes, though that may not even be necessary if you have already done it. Or it might not even have a password, it could just tell you that a marketing company got hacked and your email was on their list.

 

For example, I put in my email address and it tells me what services were involved and roughly what date. So it says Dropbox got hacked in mid-2012. Well I already changed that password so I don’t need to do anything, but that’s only because I remember they forced everyone to change passwords.

OzTitan   

This website is run by Troy Hunt - a very well known name in the tech security industry. It's trustworthy and highly regarded.

 

If you put your email in, it should tell you the exact breaches it was detected in, and spell out if it involved passwords, sometimes as specific as clear text or poorly hashed passwords (meaning the password is known). Any breach that uses bcrypt or basically just not clear/MD5/SHA passwords means your password is probably only known if it is a simple password, but it's still worth considering it to be known and to change it.

 

FWIW when you use the password search feature, you're not actually sending your password to them. What's happening is your clear text password is turned into a hash in your browser, and it sends the first 5 characters of this hash to their server, which returns a list of all known passwords that also have the same first 5 characters in their hash. Your browser then compares this list to your hashed password and reports if your full hashed password was found. So as far as the network and their server is concerned, it sees the first 5 characters of a 40 character password hash, which is useless to them and effectively keeps it private.

Edited by OzTitan
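
The range lookup described in the post above, as an added example that is not part of the original thread and is not the site's own code. The server is simulated in-process; the class and function names, the breach corpus, its counts, the decoy entry and the `SUFFIX:COUNT` line format are assumptions made for the illustration.

```python
import hashlib

# Constructed breach corpus: password -> times seen (counts are made up).
BREACHED = {"password": 1000, "letmein": 250, "qwerty123": 40}

def sha1_hex(password: str) -> str:
    """40-character uppercase SHA-1 hex digest of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class SimulatedRangeServer:
    """Hypothetical stand-in for the remote service; it only receives a prefix."""

    def __init__(self, corpus):
        self.by_prefix = {}
        self.seen_requests = []  # everything the "server" ever learns
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            self.by_prefix.setdefault(digest[:5], []).append((digest[5:], count))

    def add_decoy(self, prefix, suffix, count):
        """Constructed entry standing in for other passwords sharing a prefix."""
        self.by_prefix.setdefault(prefix, []).append((suffix, count))

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.seen_requests.append(prefix)
        rows = sorted(self.by_prefix.get(prefix, []))
        return "\r\n".join(f"{s}:{n}" for s, n in rows)

def breach_count(password: str, fetch_range) -> int:
    """Client side: hash locally, send 5 chars, match the other 35 locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # suffix not in the returned bucket: not found in the corpus

def demo():
    server = SimulatedRangeServer(BREACHED)
    server.add_decoy(sha1_hex("password")[:5], "0" * 35, 7)
    results = {pw: breach_count(pw, server.range)
               for pw in ("password", "a long passphrase nobody leaked 9431")}
    return results, server.seen_requests

if __name__ == "__main__":
    print(demo())
```

`seen_requests` holds only 5-character prefixes, and the decoy row shows that the server's answer contains entries for other hashes that the client discards locally.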

OzTitan   
20 hours ago, Denali said:

So I put in “[email protected]” and it says that it’s been breached 3 times and then it gave me instructions for how to download and use their app.

 

LOL

 

Scam.

 

No, it means that address was found in a breach. If you search for "[email protected]" you'll see it says no breach, so it isn't just saying everything is found.

 

Like I said, this is a well known resource and is based on valid data. It has become a bit more commercialized with links to 1password (which he earns commission on if sold) but Troy runs this on his own volition as a free service, and it has exploded in popularity in recent times so isn't cost-free to run.

Edited by OzTitan

Denali   
2 hours ago, OzTitan said:

No, it means that address was found in a breach. If you search for "[email protected]" you'll see it says no breach, so it isn't just saying everything is found.

 

Like I said, this is a well known resource and is based on valid data. It has become a bit more commercialized with links to 1password (which he earns commission on if sold) but Troy runs this on his own volition as a free service, and it has exploded in popularity in recent times so isn't cost-free to run.

So your point is that “[email protected]” was actually used by someone?

OzTitan   
1 hour ago, Denali said:

So your point is that “[email protected]” was actually used by someone?

If it comes back as being part of a breach then yes. It could be someone's real address, or it could have been used as a fake address to bypass a signin page or something - not every service requires you to verify your email. For example "[email protected]" is in 198 breaches.

OzTitan   
6 hours ago, titanruss said:

And I’m sure they don’t save any of the emails that people type in to get searched ...

https://haveibeenpwned.com/Privacy

 

Can't say I've had spam as a result. Is spam even a problem anymore? gmail handles it well for me *shrug*. Haven't thought about spam for years.

klaatu-   
Quote

Oh no! Looks like your passwords have been compromised.

Sign up for 1Password and follow the steps below to fix your at risk passwords now.

Try 1Password FREE for 30 days

 

It might not be a scam per se, but they just want you to buy their $60 a year service. A small price to pay for peace of mind! But really, if you've changed your password since the breach occurred then you're not compromised.

 
