Even though I use a different password for each service, I have no idea which service's password was compromised because my "main" gmail was included in this breach. Do I need to use https://haveibeenpwned.com/Passwords to manually test each password I have saved with that email?
Yea, I thought about that too. I know there are some sketchy websites that provide paid access to leaks, but I was hoping for a course of action that is more legitimate.
Try your email with https://search.0t.rocks/ I checked mine and it did pop up the Naz.API leak, showing the first and last character of your password. Mine was leaked from Netflix.
Has there ever been a Netflix breach (on public record anyway)? I'd be more wary that your machine was infected; from my experience, Naz.API logs are mostly from infected machines.
Which is a weird thing to see. I used Netflix on Apple TV or on a Mac. The likelihood of malware on the latter is low, but nonetheless it was an old password from a few years back, and I stopped my Netflix subscription long ago.
1Password’s Watch Tower doesn’t show anything related to this breach, which might indicate it’s a super old password from pre-2011 that I’ve already deprecated.
The majority of my accounts are through a custom domain with a different username for each service. But that also means I don't have HIBP alerts set up for any of them.
Same here. I call them canary email addresses when I have to describe it to someone, so I can tell when that organization loses its data.
For those of us crazy enough to do this, I came up with another type of canary, a "Do they check for compromised passwords?" canary. I have an old password that used to be strong enough for sites I considered low value and was too lazy to break out the password safe. Of course at least one of those low value sites was compromised and that password was leaked.
Now some of the services are high value to others while they remain low value to me. So they have enabled MFA and notifications when someone logs in. Since no one knows the email address I'm using and I've turned on MFA, I feel safe enough leaving that old compromised password in place. I'm waiting for the day they force me to reset it because they bothered to check their customers' existing passwords against compromised ones.
I just did, since I had fewer than 15 accounts associated with that email, and no hits were reported. So either his Password search isn't loaded up yet with the latest breach, or whatever was in that breach was an old password that I've already rotated.
Some of my passwords weren’t found on that tool, but I was able to find them on scatteredsecrets.com. I searched because I was getting 2FA emails from services with that password. Just keep in mind it isn’t a definitive list.
I feel there ought to be some much-more-secure option, but it probably involves a level of client-side computation that the average person won't do on their own.
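What the first post asks about (testing each saved password against the HIBP Pwned Passwords set) and what the comment above calls client-side computation is exactly what HIBP's k-anonymity range API provides: the password is hashed locally and only the first five hex characters of the SHA-1 leave the machine, so the service never sees the password or its full hash. The following is an added example written for this thread, not code from any commenter or from HIBP. The endpoint URL and the `Add-Padding` header are the service's real ones; the sample response body and its counts are constructed for the offline demonstration.

```python
"""Check a password against HIBP Pwned Passwords without sending it.

Added example (not from any commenter in this thread). The k-anonymity
range endpoint https://api.pwnedpasswords.com/range/<prefix> is real;
SAMPLE_BODY below is constructed and its counts are invented.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-hex-char prefix, 35-hex-char suffix) of the upper-case SHA-1.

    Only the prefix is ever sent; the suffix is compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns.

    Tolerates CRLF line endings and the zero-count padding rows the service
    adds when the client sends 'Add-Padding: true' (padding hides the true
    response size from a network observer).
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_body(password: str, body: str) -> int:
    """How many times the password appears in breaches, per a range body.

    0 means the suffix was absent, or present only as a padding row.
    """
    _, suffix = split_sha1(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch one range from the live API (needs network access)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Live check: hash locally, send the 5-char prefix, match locally."""
    prefix, _ = split_sha1(password)
    return breach_count_from_body(password, fetch_range(prefix))


# Constructed sample body for prefix 5BAA6 (what SHA-1('password') starts
# with). Counts are invented; a real response holds hundreds of rows.
SAMPLE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"  # suffix of 'password'
    "0F8C4A2B6EF4E1A9C0D3E8B2F1A7C6D5E4F:12\r\n"       # some other password
    "00A1B2C3D4E5F60718293A4B5C6D7E8F901:0\r\n"        # padding row
)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count_from_body(pw, SAMPLE_BODY))
```

To run it against the live service, call `breach_count(pw)` for each entry exported from the password manager; each request reveals only which of the roughly one million five-character prefixes the password falls into, and the match itself happens on your machine. A count of 0 does not prove a password is unknown to attackers, only that it is absent from the corpus HIBP has loaded.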
I have 388 items in my password manager. 138 of them use my email address which was found in this breach :(
Not that you're wrong, but there is no reasonable way to rotate all of those. I guess I'll have to spend a few hours manually going through the ones I care about and rotating them?
Is that the point? People want to know the source. I have a right under the GDPR to have companies treat my data securely. I want to know who was compromised.
This particular dataset appears to have been collected by malware. So it wasn't a breached company; it was malware on machines that the impacted users used, which logged usernames/passwords.
I think the same malware that breached my data a while ago ("Polish Credentials") is a part of this, because it has the same old user:pass pairs. So maybe it's a bunch of data from multiple breaches. If you were in the Polish breach, it dumped your Google saved passwords, so that would be what's affected.