711 million email addresses and passwords dumped.

How are you so sure your password has not been leaked?
I don’t have accounts on those websites that leaked. Take Last.fm: I have never used that site, and my email address isn’t in use there either by me or by someone else, so how can my email and password be exposed from a leak?

Another one is Heroes of Newerth, the multiplayer online battle arena game. I never signed up. My email hasn’t been used in an account by someone else, so again, why is it listed as exposed?

QuinStreet is another one I have never used, and there is no account. Like I said, I don't trust the haveibeenpwned website.
 
Seems my iCloud one is on the list, which would explain why it has become a spam hell over the last 6 months. I use 2FA; should I still change my password?
 
Is there a more reputable source? Websites such as these might just be designed to get people's email addresses so that they can be sold to spammers.
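The worry about handing a checking site your secrets is exactly what the k-anonymity model behind HIBP's Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) avoids for passwords: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The example below is added here, not taken from the thread or from HIBP's own code; it implements that client-side half, with the HTTP call replaced by an offline stub returning a constructed response.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for one Pwned Passwords range response. The real
# service returns one "SUFFIX:COUNT" line per stored hash whose first five
# hex characters match the queried prefix. The first suffix is the genuine
# SHA-1 tail of the string "password"; the count and the filler line are
# made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00000000000000000000000000000000000:2\r\n"  # constructed filler entry
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the
    server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 = not found).
    Only the prefix is passed to fetch_range; the comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Hypothetical stand-in for the HTTP GET; knows only the sample range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch)} times")
```

Swapping `offline_fetch` for a real GET of the range URL gives a working checker that still never transmits the password or its full hash.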
 
I checked and I had not changed my iCloud password since 2014, so I thought it was about time. Now weeks and weeks of password resets, as I have forgotten it already.
 
I don’t have accounts on those websites that leaked.
There are loads of reasons why you might appear on a dump listed against a site you haven't used:
  • Whichever hacker stole the passwords from last.fm also managed to access another site you use and merged his lists of credentials together.
  • The hacker mislabeled the file containing the data.
  • The server which hosts a hacked site also hosts other sites, which could confuse a hacker about which database they have accessed.
  • The hacker lied about where the data came from.
  • There are subsites or alternative trading names under the main headline of the attack. For example, the 28 "predominantly technology forums" affected by the QuinStreet hack.
  • The dumped data may have been stolen from the original hacker, and whoever published it doesn't actually know all the details of the hack. For example, the leaked data from the OP's link wasn't released by whoever harvested it. It was found in text files on a server which was also used by a spambot and associated with that spambot - a reasonable assumption, but possibly nothing to do with it.
 
While this is going on, I feel it may be a good time for someone to explain LastPass to me. How does it work? What happens if I get locked out of my own account, or change or lose my phone, etc.? I'd like to use it for my email service, Facebook and Google services. All of which have 2FA, but I would feel better if they all had unique passwords generated by software, which makes a bit of a scrambled password that is hard to guess.

Can it generate me a password I can view within the vault, though, for things I'd barely log into which are app based?
 
While this is going on, I feel it may be a good time for someone to explain LastPass to me. How does it work? What happens if I get locked out of my own account, or change or lose my phone, etc.? I'd like to use it for my email service, Facebook and Google services. All of which have 2FA, but I would feel better if they all had unique passwords generated by software, which makes a bit of a scrambled password that is hard to guess.

Can it generate me a password I can view within the vault, though, for things I'd barely log into which are app based?
Just do it.
Only skimmed the video, but it seems pretty comprehensive.


Change or lose a phone: no issue, it's on any device and on the web.
If you forget your master password, you are screwed.
You can view login info on the website or app.
If you have the app on the phone, most apps can be auto-filled, or you'll get a box where you can copy and paste.
 
Just checked and one of my old O2 email addresses was done through Dropbox 5 years ago.

I can't remember when I deleted this account.
 
There are loads of reasons why you might appear on a dump listed against a site you haven't used:
  • Whichever hacker stole the passwords from last.fm also managed to access another site you use and merged his lists of credentials together.
  • The hacker mislabeled the file containing the data.
  • The server which hosts a hacked site also hosts other sites, which could confuse a hacker about which database they have accessed.
  • The hacker lied about where the data came from.
  • There are subsites or alternative trading names under the main headline of the attack. For example, the 28 "predominantly technology forums" affected by the QuinStreet hack.
  • The dumped data may have been stolen from the original hacker, and whoever published it doesn't actually know all the details of the hack. For example, the leaked data from the OP's link wasn't released by whoever harvested it. It was found in text files on a server which was also used by a spambot and associated with that spambot - a reasonable assumption, but possibly nothing to do with it.
All of which makes haveibeenpwned almost useless. So there could be 1 leak 10 years ago, but it reports 10+ leaks and keeps re-reporting every so often, as an old obsolete password keeps getting relisted in new leaks even though it's not been used in 10 years. It's like the Onliner Spambot of August 2017: for the most part it’s just a giant email list. Changing your password does nothing.

While it's good practice to change your password every so often, it’s not good practice to use haveibeenpwned and base password changes on when it says there is a leak.
 
HIBP has lots of junk on it; use it for guidance only. The longer the site goes on, the worse it seems to get. For example, I made my dad a new e-mail account last year and it shows up as having been compromised in 2012. I have owned that domain since the 1990s and the account never existed prior to 2016, so the account has never been compromised. I'm not saying there isn't a match for it in the database, but that's not this account.

Remember your e-mail address is not private and being public doesn't really change anything.
 
Wish it would provide more details. It says my email is listed, but it's not clear if it's the password too, or what the website is. I have dozens; which ones do I change?

HIBP has lots of junk on it; use it for guidance only. The longer the site goes on, the worse it seems to get. For example, I made my dad a new e-mail account last year and it shows up as having been compromised in 2012. I have owned that domain since the 1990s and the account never existed prior to 2016, so the account has never been compromised. I'm not saying there isn't a match for it in the database, but that's not this account.

Remember your e-mail address is not private and being public doesn't really change anything.

Remember how everyone's phone number used to be in a book? Your email is no different, really.
 
Remember how everyone's phone number used to be in a book? Your email is no different, really.

It's funny because I've had to explain this to people at work and family: it's just an address and frankly could be guessed anyway :)

Wish it would provide more details. It says my email is listed, but it's not clear if it's the password too, or what the website is. I have dozens; which ones do I change?

It should say which breaches you are allegedly involved in. Just ensure you have changed your credentials since, and if possible have two-factor authentication enabled where you can. Also make sure no passwords used previously are still in use on other sites.
 
I've used that site before - and changed my password in the past. How do we know the site doesn't just have my previous email listed with the old password?

PS: I have 2-step verification now too, so it should be all good now anyway.
 
I've used that site before - and changed my password in the past. How do we know the site doesn't just have my previous email listed with the old password?

PS: I have 2-step verification now too, so it should be all good now anyway.
It tells you when the breach was, so it's not hard. Did you change the password after the breach?

I'm on the Dropbox breach, but that was 2012; the password has changed many times since then.
 