Author Topic: Check your email address(s) and passwords for cyber security breaches  (Read 12675 times)


Offline Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Good morning all,

A few of you may have noticed some user accounts posting spam on the forum, where they previously seemed to make legitimate posts. These are different to the normal spammers who create new accounts, foolishly attempt to make them seem genuine but then end up posting spam.

I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Before anyone panics, it's important to stress that the breached sites/services do not include EEVblog, the forum or anything connected to Dave.

I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this. Troy Hunt (who created/runs HIBP) is a well known and reputable Australian Cyber Security professional. This site is totally legitimate and is a valuable resource for checking your email addresses and passwords against a list of known leaked data.

A lot of breaches occur when people use the same passwords across multiple platforms, so when one site is breached, threat actors can gain access to multiple sites/services you use. In terms of a secure and reputable password manager, I personally use BitWarden, but if you're the type of person who doesn't want their credentials "in the cloud", KeePass is a great offline alternative.

You may also consider using 2FA/MFA on your forum account. You can enable this by going to Account Settings > Modify Profile > Two-Step Authentication.
« Last Edit: January 12, 2023, 12:19:35 am by Halcyon »
 
The following users thanked this post: SeanB, MarkS, AlfBaz, thm_w, JohanH, HighVoltage, alexanderbrevig, MK14, alexnoot, AndyBeez

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16284
  • Country: za
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #1 on: January 12, 2023, 11:34:40 am »
Thanks, done over 3 times. First my metro, then Gravatar (where I do not even remember having actually used it either...), and finally patreon.

Now waiting to see if the latest will show up there now.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #2 on: January 12, 2023, 01:00:37 pm »
I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this. Troy Hunt (who created/runs HIBP) is a well known and reputable Australian Cyber Security professional. This site is totally legitimate and is a valuable resource for checking your email addresses and passwords against a list of known leaked data.

You think wrong.  To give such advice you have to be either very gullible, or maybe malicious.

To put personal data in a webpage, because "trust me that's safe" is the worst idea ever.  To check a password in somebody else's webpage, dumbest idea ever.  Why would anyone trust an online place?

Also, Halcyon, please do not use user's email for your experiments, or other user's personal data.  Not without written consent.  Nobody named you to check the status of my email.

I have already enough spam without you putting my email in some "totally legitimate" online webpage.

Whether you realize it or not, you did a childish thing from a security standpoint.  You probably abused your admin privileges, too, by putting everybody's email in who knows what online database(s).  Please don't do that again.

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #3 on: January 12, 2023, 01:08:01 pm »
I don't know what to say, but RoGeorge got practically everything wrong in his post here... (at least if nothing was edited away in Halcyon's post, because the answer doesn't make sense).
« Last Edit: January 12, 2023, 01:09:34 pm by JohanH »
 
The following users thanked this post: daqq, thm_w

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #4 on: January 12, 2023, 01:15:06 pm »
haveibeenpwned.com is perfectly legitimate. You don't enter your password there, you just enter your email address and it looks if your address is part of leaked data. This leaked data comes originally from hacker forums and is now practically public data.

E.g. when I enter my email, it says my email has been part of following leaked data:

"Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text."
"Dropbox: In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers."
"Twitter (200M): In early 2023, over 200M records scraped from Twitter appeared on a popular hacking forum. The data was obtained sometime in 2021"

and a couple more.

I have been careful enough to use different passwords in different places, so if one place is hacked, they can't login to my other services. Also, when receiving notice from haveibeenpwned.com I've been quick to change password and turn on 2FA in the sites that have been breached.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #5 on: January 12, 2023, 02:22:54 pm »
That's what I wrote, not edited.  The point is, one can not trust an online page.  If that place is "legit" or not, that's irrelevant.

There is no way to know for sure where the info will land, now or in the future.  If you really want to know if your email or pass is in a database, then download the databases and examine them offline.  This is security 101 - consider anything online as already compromised.  Trust no one.

In the past there was the possibility to check if a given password is in the known databases of leaked passwords.  I didn't say the linked page can still do that or not.  I said it's dumb to put your pass in a webpage to get it checked for you, and I still think it is, from a security practices standpoint.  "Don't tell your pass to others."  No exceptions.

Such benevolent online checking places can be easily used to prune away old data, or to prioritize spam to confirmed email addresses (confirmed by entering the address in a pwned checking webpage, for example).  Same to prioritize brute force attacks by starting first with those passwords somebody checked online against pwning.

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5912
  • Country: es
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #6 on: January 12, 2023, 02:34:20 pm »
Almost all my emails are ** up, even relatively new ones.
I really hope the 2-factor authentication makes it really hard for hackers to access my data (or that's what I'd like to believe  :-DD)
« Last Edit: January 12, 2023, 02:35:51 pm by DavidAlfa »
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #7 on: January 12, 2023, 02:54:41 pm »

In the past there was the possibility to check if a given password is in the known databases of leaked passwords.  I didn't say the linked page can still do that or not.  I said it's dumb to put your pass in a webpage to get it checked for you, and I still think it is, from a security practices standpoint.  "Don't tell your pass to others."  No exceptions.

But you are not giving your "pass" to the web site, only _email address_. That's a big difference. But if _your_ email is that secret, well then don't give it to any site. If you never give away your email, you are certainly not among the data leaks.

You are correct in one way, that you shouldn't give your email address to random sites on the net. On the other hand, I'm sure you have handed over your email address to a lot of sites and people without thinking, when registering on sites etc. How do you know the sites were the real thing?

haveibeenpwned.com is an exception, because by _reputation_ it is known for a long time, and the person behind it is well known in cyber security circles around the world. There is really no other way to know.
 
The following users thanked this post: alexnoot

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #8 on: January 12, 2023, 05:39:03 pm »
I will explain one more time, because you seem to have a wrong understanding about security practices.

1.  I don't care about my email address.  I care about wrong security advice coming from a forum's "Global Moderator".

2.  My post here was against the advice to use a webpage to check "security".  Particularly to check your PASSWORDS online.
I think this is a timely reminder to review your cyber security practices and check your email address(s) and passwords against known leaks. https://haveibeenpwned.com is an excellent resource for this.

That phrase implies one should check own passwords against a webpage.  WRONG!
And do that periodically maybe ("timely reminder" can be interpreted as "periodic reminder").  So not only WRONG advice, but advice to turn a one time mistake into a habit.  Even WORSE than wrong.

3.  Yes, but said webpage has _reputation_.  You don't get it.  DO NOT WILLINGLY TELL YOUR PASSWORD.  There are no exceptions from this.  Any amount of reputation can be lost in a blink of an eye.  The website can be compromised, the server admin can be blackmailed, an employee can steal the databases, man in the middle attacks, zero-day exploits, drunk IT misconfiguring the website, social engineering, an evil villain taking over your gov while Batman was depressed that day and didn't come to rescue the city of passwords, etc., etc., etc.  DO NOT GIVE YOUR PASSWORD TO 3rd PARTIES.  No exception.


NOTE:
Words were chosen intentionally to be harsher than in casual replies.  Not trying to get a flame or to offend, stronger words were meant to make some ideas to stick:
- never willingly hand your passwords to 3rd parties
- something safe today might become a threat later, times change
- trust nobody
- don't spill info
 
The following users thanked this post: PlainName, The Soulman

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 627
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #9 on: January 12, 2023, 06:10:13 pm »
For the last time. NOBODY IS TELLING THEIR PASSWORD TO ANYONE!  :palm:  The phrase that you seem to be stuck on "check your email address(s) and passwords against known leaks" doesn't mean that you have to enter your password. It is badly phrased in the post, I admit that. But that's not how the site works. It means you can check the site to see _if_ your credentials have been leaked.  :palm:  I'm not going to waste time arguing and have to sadly admit that the site isn't perfect, due to people misunderstanding its purpose.
 
The following users thanked this post: thm_w, james_s, alexnoot

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #10 on: January 12, 2023, 09:05:07 pm »
The same recommended website can also check for compromised passwords:
https://haveibeenpwned.com/Passwords

I know that the databases of leaked emails and/or passwords are supposed to be in hashed form and not in clear.  I know that the checking webpage is supposed to hash locally (in your computer) the email or password you typed, then only send the hashed value (not the clean text) to be checked against the online databases.

That is how the check is supposed to be working, assuming there are no bugs and no bad actors involved.  Yet we all know software tends to have bugs, and the world tends to have bad actors.  So don't spill info.

The whole idea of checking against a known list is kind of useless.  If you are not in the databases, that doesn't mean you haven't been pwned.  It only means you are not in that database.  Your pass or email might still have been compromised.  And if you find yourself in such databases, then you probably already noticed you have been hacked.

Such databases usually get exploited before going public.  And most often they never go public.  Hackers do not just steal passwords only to upload them next day to a public pwned checker.

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14482
  • Country: fr
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #11 on: January 12, 2023, 09:12:11 pm »
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD
 
The following users thanked this post: timenutgoblin

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #12 on: January 12, 2023, 09:39:40 pm »
How do you use a password that you never spill? You enter it on this site, don't you?

I get the criticism here, and to never spill is good advice. Though, if you care to research the linked site you will come to trust it _more_ than you trust whatever site you use that password for. I trust haveibeenpwned to keep my entry safe during transit much more than I trust this forum install to keep it safe at rest.

BTW: They actually buy leaks early from the same marketplaces that threat actors would, so it's not getting information any later. This means routinely checking with this particular respected service (or signing up for an alert on email leaks) is _good_ advice. Much better than never spilling hoping for the best and not knowing before it's too late.


I think your advice is good in general, but the outcry here is misplaced in my opinion.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14482
  • Country: fr
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #13 on: January 12, 2023, 09:45:01 pm »
I looked at the source code of the above site.

The password is part of a very simple HTML form which directly submits the password through a post method. The site is on a https connection, so your password is relatively safe until it reaches the server, which then gets it in full clear. What could go wrong? Seriously. Through this site, you are submitting passwords in CLEAR to them. They are not hashed before being sent. You may argue that this is how most sites handle passwords, but one that is *dedicated* to collecting passwords is something else. You'll have to fully trust the owner's code, the server, and everyone involved.

But please submit your passwords!
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #14 on: January 12, 2023, 09:49:32 pm »
Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

TLDR: It does not send your password in the clear.
« Last Edit: January 12, 2023, 09:53:03 pm by alexanderbrevig »
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14482
  • Country: fr
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #15 on: January 12, 2023, 09:57:21 pm »
Oh hi, let me research that for you https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

TLDR: It does not send your password in the clear.

I'm not an HTML5 specialist, but from what I've read, such a form will post the password in clear. It will just not show it in the browser. But an HTML5 specialist may correct me and then tell me what the standard says about this.

Code:
<form action="/Passwords" method="post" novalidate="novalidate">
<div class="input-group">
<input autocapitalize="off" autocorrect="off" class="form-control" data-val="true" data-val-maxlength="The field Password must be a string or array type with a maximum length of &#39;450&#39;." data-val-maxlength-max="450" data-val-minlength="The field Password must be a string or array type with a minimum length of &#39;1&#39;." data-val-minlength-min="1" id="Password" maxlength="450" name="Password" placeholder="password" spellcheck="false" type="password" />
<span class="input-group-btn">
<button class="btn btn-primary btn-lg" type="submit" id="searchPwnedPasswords">pwned?</button>
</span>
</div>
<div class="progress progress-striped active" id="loading">
<div class="progress-bar" role="progressbar" aria-valuenow="100" aria-valuemin="0" aria-valuemax="100" style="width: 100%">
</div>
</div>
</form>
 
The following users thanked this post: alexanderbrevig

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #16 on: January 12, 2023, 10:00:47 pm »
The password is part of a very simple HTML form which directly submits the password through a post method.

Did you lie on purpose or just misread the code?

See the script here: https://haveibeenpwned.com/scripts/passwordsearch
Relevant snippet:
Code:
function getPwnage(n,t){var i=sha1(n).toUpperCase(),r=i.substring(0,5);$.get("https://api.pwnedpasswords.com/range/"+r)

Without javascript you are right that it would send it in the clear. Though because of this it won't:

Code:
$("#searchPwnedPasswords").click(function(n){n.preventDefault(); ...

That preventDefault stops the form from sending, so javascript takes over and sends the hash.  :-+
« Last Edit: January 12, 2023, 10:07:32 pm by alexanderbrevig »
 

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #17 on: January 12, 2023, 10:26:06 pm »
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

The text in the email was: NOTE: Only send YES! via email; recruitilluminatii@gmail.com

The actual url shown was: (see attachment)

Safe?  Rarely, very rarely do I get such emails because I am very stingy about giving out my address.  Coincidence or ploy?  Maybe Halcyon will address what he did to vet the site.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #18 on: January 12, 2023, 10:28:30 pm »
Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #19 on: January 12, 2023, 10:42:59 pm »
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

It's just a coincidence.

Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key. BTW, SHA1 is a bit outdated and shouldn't be used anymore. A nice feature is the 'notify me' service, i.e. you'll receive automatic notifications when some new data includes your email address.

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.

Yeah I probably wouldn't enter my main password there.
But it's a sort of useful tool to tell someone: hey think of a secure password, now test it on this site.
Oh qwertyuiop12345 was used 11,000 times? clearly it's not secure, even though it is a long seemingly complex password.
 
The following users thanked this post: alexanderbrevig, alexnoot

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #20 on: January 12, 2023, 10:43:17 pm »
Come on people!...

Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com
https://en.wikipedia.org/wiki/Apophenia

Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key.

The password is not the search key. The first five characters of the sha1 of the password is.

BTW, SHA1 is a bit outdated and shouldn't be used anymore.
It's perfectly fine to use! Just don't use it to encrypt passwords in its entirety and expect it to be safe. Here it's used and then stripped to the first five characters. There is no way to retrieve anything compromising from that.
Perfectly usable for https://en.wikipedia.org/wiki/K-anonymity

And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
Yes! I take it for granted that we use different passwords for different services in 2023. :) Wholeheartedly agree  :-+
« Last Edit: January 12, 2023, 10:48:36 pm by alexanderbrevig »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #21 on: January 12, 2023, 10:44:49 pm »
Call me gullible?  I checked my email address shortly after reading Halcyon's post.  I assumed he had thoroughly vetted it.  Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com

If you tell someone your email address you have to consider it being published. Some people use this as a feature and create a different email address for each website/shop/whatever and see which ones get SPAM. Then they know who has a data breach issue.
« Last Edit: January 12, 2023, 10:51:04 pm by madires »
 

Offline Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #22 on: January 12, 2023, 10:46:52 pm »
I don't know what to say, but RoGeorge got practically everything wrong in his post here... (at least if nothing was edited away in Halcyon's post, because the answer doesn't make sense).

Exactly.

RoGeorge: With all due respect, you have no idea what you're talking about. Secondly, your email address wasn't checked (I'll leave that up to you), only the compromised accounts were (those addresses have already been leaked and are out in the wild). Unless you choose to sign up to the "notification" service on HIBP, email addresses are not stored anywhere.

Safe?  Rarely, very rarely do I get such emails because I am very stingy about giving out my address.  Coincidence or ploy?  Maybe Halcyon will address what he did to vett the site.

Coincidence. Spam and fraudulent calls and SMS's have only increased over the last few years. I now get spam emails to my personal email address (which isn't published anywhere), which I can only assume is a complete accident/guess by throwing names at my domain name. Same with my mobile, previously I might get 3 or 4 dodgy messages per year, that's now up to about 3 to 4 per month, and again my number is rarely disclosed outside Government organisations.

Submitting passwords for checking against known-breached passwords, as others have pointed out, is done by using part of the SHA-1 hash, not the actual password itself. Furthermore email addresses/account information are not stored together with the password. If your email comes back on HIBP as being breached, it's already out there, available in a list for anyone to download (along with who knows what other information), but it's still not perfect. Not every breach is made public in this way and it's possible that your email address has been sourced from somewhere and sold to spammers/scammers. There is plenty of information here about the use of SHA-1 https://www.troyhunt.com/understanding-have-i-been-pwneds-use-of-sha-1-and-k-anonymity/

Some of the governments using this service include New Zealand, Canada, Finland, Switzerland, and of course some government and cybersecurity agencies in Australia.

At the end of the day, I don't expect anyone to blindly trust what I, or anyone else on this forum says. Do your own homework and come to your own conclusions. If I have said something incorrect, I stand to be corrected provided you can prove to me what I was saying was wrong. Guesswork and assumptions are not forms of proof.
« Last Edit: January 12, 2023, 11:25:47 pm by Halcyon »
 
The following users thanked this post: alexnoot

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #23 on: January 12, 2023, 11:23:58 pm »
Not all of us are as savvy as you and a few others are about such spoofs.  Nor do I intend to become that savvy.  If the site you presented as safe is not safe, then that assertion needs to be corrected.  Fact is, I have rarely gotten such clearly dangerous emails.  The temporal relation to "checking" as you suggest cannot be ignored.  Whether that is important to Dave is his choice.  My decision has already been made.  The link you provided has been deleted and my trust in you has been affected.  Not that any of that matters to a site this size.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #24 on: January 12, 2023, 11:28:26 pm »
Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD

What are they going to do with it? Knowing a password is useless if you don't know what it's the password to. If you search for it and it comes up in a database of known leaked passwords then you already know that it's in a database that likely includes associated usernames.
 

