Has your email address been compromised in a data breach?

DeclanDublin

I caught the tail-end of an item on Newstalk (lunchtime I think) yesterday where they mentioned a website to check if your email has been compromised. I ran a check on three email accounts I use routinely, and two had been, but the third, my main email was luckily secure. It's worth checking it out, and the service is free. Here's the link:
 
If this site is not legit, then you are putting your email address in a database, and would that list not be worth something as a list of "verified" email addresses?
 
It looks like the site is able to tell you if your password is "exposed" - the site sounds dodgy to me
 
This is just a bit of nonsense intended to get you to sign up for 1password. We have no idea what is really going on behind that site, but at best all it is doing is checking to see if the address entered appears on any website. You can probably do a similar exercise by doing some Google searches.

Just because your email address is listed on a website does not mean it is compromised in the sense that most people understand. It just means that it could be harvested for spamming purposes, that is all. Of course, your address may be auto-generated in any case using a simple loop linking names, letters and well-known domains together etc.

Things it is better not to do:
- Enter your address on sites like this, you just confirm a valid address exists
- Click an unsubscribe link on a list you did not sign up to, again you are confirming a valid address
- Allow mail clients to auto download pictures etc..., again it can be used to confirm a valid address
- Don't use your main address for online shopping
- Don't use a single email address for online shopping
 
The site is not dodgy. It's run by a well known security researcher and if you read his articles he says how it's set up.
https://www.troyhunt.com/
The guy has put the dumps of previous breaches into a database.
If you type in your email address into the field the system just tells you if your email already exists in it. If it does then your email address and password was exposed in a breach.

We know the dumps of the LinkedIn / Dropbox etc. breaches are available on the Internet. It's a simple system to set up.
If you don't trust it that's reasonable (you shouldn't trust random websites) but make sure that if any company was hacked that you've changed your password on that site and haven't used the breached password anywhere else.

The main protection is to use a unique password for every website. Easier said than done. Many people reuse passwords so if one site is breached the hackers know to try the passwords on other websites.
 
Many people reuse passwords so if one site is breached the hackers know to try the passwords on other websites.

It's not quite that simple: they will have an encrypted form of the password. They can still use this as part of an attempt to guess your password, as it can confirm whether the guess is correct, but they still need to guess. That's why it's important not to use anything that can be easily guessed. Note that "guessed" in this context means a highly automated procedure capable of testing potentially millions of combinations for each password: having the encrypted password makes this process feasible, as they don't have to try each guess against a live Web site.
 
The main protection is to use a unique password for every site

People tend to reuse passwords so they can remember them. A better idea is to remember a rule for generating them. Say for example: last 2 letters + '*$' + first 2 letters + '12k', so gmail.com would give: il*$gm12k. No need to remember names or keep lists.
 
It's not quite that simple: they will have an encrypted form of the password. They can still use this as part of an attempt to guess your password, as it can confirm whether the guess is correct, but they still need to guess. That's why it's important not to use anything that can be easily guessed. Note that "guessed" in this context means a highly automated procedure capable of testing potentially millions of combinations for each password: having the encrypted password makes this process feasible, as they don't have to try each guess against a live Web site.

In a properly designed system your password will be encrypted.
A lot of companies still don't do this. There were still breaches this year where non-encrypted passwords were stolen. Most smarter companies do encrypt (or actually, hash) your passwords now.
Obviously don't use simple passwords either. I wasn't giving a full list of password protection tips and didn't want to get too technical. I just mentioned a tip that was relevant.
In the LinkedIn breach (for example) the passwords were able to be decrypted.

The best tip is to use two factor authentication where available. It's not widely available though.
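As an added example that is not part of this thread, the following code shows the point made above about leaked password hashes: with an unsalted fast hash such as SHA-1 (the scheme behind the 2012 LinkedIn dump), a reused password produces the identical hash on every site that stores it that way, and a leaked hash lets anyone confirm a guess offline without touching the live site; with a random per-user salt and a slow key derivation function, each stored record is unique and each guess costs real computation. The password string is a constructed sample value.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample value for the demonstration, not a real credential.
REUSED_PASSWORD = "correct horse battery staple"


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: fast hash, no salt. The same password always yields
    the same hash, on every site that stores passwords this way."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        rounds: int = 200_000) -> dict:
    """Better scheme: random per-user salt plus a deliberately slow KDF.
    The same password gives a different record per site and per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify_salted_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def guess_confirmed_offline(leaked_hash: str, candidate: str) -> bool:
    """What a leaked unsalted hash gives away: a guess can be checked
    locally, with no request to the live site, so failed guesses are free."""
    return hmac.compare_digest(store_unsalted_sha1(candidate), leaked_hash)


def reuse_visible_across_sites(scheme: Callable[[str], object]) -> bool:
    """Simulate two sites storing the same reused password. True means a
    breach of one site reveals a record identical to the other site's,
    so the match needs no guessing at all."""
    return scheme(REUSED_PASSWORD) == scheme(REUSED_PASSWORD)


if __name__ == "__main__":
    print("unsalted SHA-1, same record on both sites:",
          reuse_visible_across_sites(store_unsalted_sha1))   # True
    print("salted PBKDF2, same record on both sites:",
          reuse_visible_across_sites(store_salted_pbkdf2))   # False
```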
 
I personally use a password service to secure and maintain my password(s). It can also generate them. I have used them for around ten years without a problem. They offer a paid 'premium' service or a free one. I need only remember the key 'master' password to access it. I have to say, I find it really useful. Personally, I admit to reusing passwords on a few sites; I simply find it too darn difficult to remember them all. But, I do have completely different ones for important services like banking & my main email address etc. Although, I also should change them occasionally and I don't. This feels like confession... :D:D:D
 