711 million email addresses and passwords dumped.

Out of all my 16 email addresses, only 1 has been 'pwnd'. Luckily though it's just an old Hotmail address because thanks to Microsoft I can't do a thing to change the password because it keeps on trying to send a validation text to a mobile number that was replaced years ago, and there's no option to update the number without entering a code sent via text to that old number.
 
Oh well, time to change all my passwords again. :(
Why would you do that, unless you used the same password for everything?

Having your email "in the wild" is hardly a security risk. And really nobody should be re-using passwords between services/websites.
 
7 here. Realistically what does it mean to be listed on these sites? As one of 700M+ the risks are low.

Password changes are a hassle.
 
woo. checked 3 emails. all 3 clean :cool:

little tip for creating passwords. have a system in place for creating a different password for every site. you'll use the same system on each site, so only have to remember the one system, but have many different passwords so that if one is compromised, the others are safe.

The system could be something like the below:

combine 2 random words. e.g. phoneshoe

this word will be used for all passwords.

now, use the first letter from the website/app you're creating an account for, and put that letter at the end of your password. e.g. overclockers.co.uk. take the O and put this at the end, so phoneshoeo. now do the same but using the last letter from the site, put it at the start of your password, resulting in sphoneshoeo

now make the first character a capital, and the last, change to the best number equivalent, so a t becomes a 7, e becomes 3, o becomes 0.

so now for this site we have Sphoneshoe0

for google, it's

Ephoneshoe6

each password is different, but using the same system makes it super easy to remember
 
Another one is just use your name, so for Hotmail it would be AlbertsHotmailAccount1. Then for an added layer just stick some symbols before and after so it becomes @#AlbertsHotmailAccount1#@
 
I'm obviously in this latest dump as I checked haveibeenpwned a couple of months ago and no hits, now there is 1 on both my plusnet and work email, still nothing on my Gmail account.

Is it worth finally using something like LastPass? How does that work when accessing sites on various machines, or say when out and on someone else's PC?
 
Yeah, all of mine were clear 2-3 months ago, now got 1-4 hits on some addresses. Looks like there have been a few breaches of marketing data, etc. combined with some automated attempts to try and tie that up with other data + used for phishing campaigns, etc. to try and fill in more of the blanks, which means a lot more people have email entries in these dumps but have not necessarily had their passwords exposed - although some of the extra data they've harvested and/or tried to connect together might include data that would allow an attacker to try and reset passwords to gain entry via information on physical location, etc.
 
Or just use LastPass. It's free now I think.

All of my different passwords for the ~40 different sites I use are 16 characters long and look pretty much like this 8V676o*8xA@8lDzg for example. LastPass generates them, remembers them all and automatically logs me in, both on PC and my phone.
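
An added example, not part of any post in the thread: it implements the letter-swap system described earlier and counts how many character positions actually change from site to site, next to independently generated 16-character passwords like the ones this reply describes. The look-alike digits beyond t, e, o and g, the symbol set, and the `hotmail` sample site are assumptions; Python's `secrets` module stands in for a password manager's generator.

```python
import secrets
import string

# Digit look-alikes: t, e, o are from the post and g -> 6 from its google
# example; the other entries are assumptions added for this sketch.
LOOKALIKE = {"t": "7", "e": "3", "o": "0", "g": "6",
             "a": "4", "i": "1", "l": "1", "s": "5", "b": "8", "z": "2"}


def scheme_password(site, base="phoneshoe"):
    """Last letter of the site name (capitalised) + base word + first
    letter of the site name, swapped for a digit look-alike if one exists."""
    name = site.lower().split(".")[0]   # "overclockers.co.uk" -> "overclockers"
    if not name.isalpha():
        raise ValueError(f"cannot take letters from site name {site!r}")
    return name[-1].upper() + base + LOOKALIKE.get(name[0], name[0])


def random_password(length=16):
    """Independent password drawn from the OS CSPRNG (Python's secrets
    module, standing in for a password manager's generator)."""
    alphabet = string.ascii_letters + string.digits + "*@#!%&"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def varying_positions(passwords):
    """Number of character positions that are not identical across all of
    the given equal-length passwords."""
    if len({len(p) for p in passwords}) != 1:
        raise ValueError("passwords must all have the same length")
    return sum(1 for column in zip(*passwords) if len(set(column)) > 1)


if __name__ == "__main__":
    sites = ["overclockers.co.uk", "google", "hotmail"]   # constructed list
    derived = [scheme_password(s) for s in sites]
    generated = [random_password() for _ in sites]
    print(derived, "site-specific positions:", varying_positions(derived))
    print(generated, "site-specific positions:", varying_positions(generated))
```

Under the system only the first and last characters depend on the site, so one password appearing in a dump exposes the shared base word; the generated passwords have nothing in common to expose.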
 
Been done on accounts I don't even remember: Epic Games, War Inc, MySpace and Last.fm?

:/ Epic Games I can assume would have been due to Paragon
 
One breach on an old googlemail email! Thought something had happened as I got an email yesterday saying someone was trying to link my account.
 
2 of my emails breached apparently. But it's worth mentioning that it was through... CD Projekt forums, Nexus Mods, Dungeons and Dragons Online... i.e. THEIR forums. My email passwords I very much doubt have been hacked because I never told those sites. I never use DOB info as well when I sign up to other sites.
 
I was reading about this a little after I got a similar email last night, it looks like the data is collated from many sources and is mostly just email addresses with only a proportion also including passwords.

Whenever I sign up to anything or need to provide an email address I use a different address in the same domain. I got an email telling me that 38 addresses on my domain are included.

Most of the addresses were made-up addresses that I've never used or given out. There were another bunch that I've used to sign up to various forums and which had presumably been screen scraped or pulled from insecure forum software (including my ocuk and msn addresses from my sig here).

Of some concern were my eBay and PayPal addresses, although they've already ended up on numerous mailing lists as a result of eBay sellers presumably selling them on. It would be useful if HIBP at least indicated which addresses within the dataset had passwords associated with them so that I could confirm whether these accounts have been compromised (unlikely) or whether they just have my address from a mailing list somewhere (more likely).

There were two that stood out that shouldn't really have found their way into the public domain suggesting they have been leaked as part of genuine breaches, one was used for buying tickets for Silverstone, another was for Hastings insurance.
 
I think I'm going to start using throwaway email addresses for forums. They seem to get hacked and details stolen from them regularly :/
 