
Haveibeenpwned.com

  • 28-11-2016 11:21pm
    #1
    Registered Users Posts: 831 ✭✭✭


    https://haveibeenpwned.com/ Came across this website this evening while I was looking for solutions to my computer freezing, running very slow especially on Yahoo etc. and using Kaspersky, malware anti malware, super anti spyware and others showing up nothing running full scans. You put in your email address or password and see the results. Two of my usernames for websites it said had been compromised, whereas the email address had not. Any input appreciated, cheers..


Comments

  • Registered Users Posts: 82,012 ✭✭✭✭Atlantic Dawn


    You put your password into it? If you did, change it.


  • Registered Users Posts: 10,575 ✭✭✭✭Riesen_Meal


    You put your password into it? If you did, change it.

    You don't put your password into it, it checks your email address across known databases of hacker lists and if it shows up then chances are your account email has been compromised via say the PSN hack, or some of the other sites where user info has been leaked....


  • Registered Users Posts: 39 wofias8


    damon5 wrote: »
    whereas the email address had not

    It has been now! :pac:


  • Registered Users Posts: 831 ✭✭✭damon5


    You put your password into it? If you did, change it.

    Hi, it says to put your email address or usernames, which I did for three of them, and two out of three said I was compromised...


  • Registered Users Posts: 1,193 ✭✭✭liamo


    This is why it's important to use different passwords for different sites - so that a single breach won't compromise all of your accounts. And, while some reuse is probably inevitable, the password(s) for your email account(s) should always remain unique - preferably also using 2FA, if available.

    You've got to assume that the sites to which you supply your information won't look after it properly and act accordingly.


  • Registered Users Posts: 567 ✭✭✭Joe Exotic


    A note on this site

    It's run by Troy Hunt (it's legit)
    I'm Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.

    If your email address is present it does not mean you have been compromised; it means your email has been found in a dump online. This could be that a database was hacked which had your email address (could simply be a mailing list).
    The reliability of pastes
    The presence of an email address on a paste site doesn't always mean it's been compromised in a breach and the process that scans for addresses is entirely autonomous — there's no human review. Do take a look at the paste and assess the impact for yourself if your address appears there.

    It is however a good idea to change any passwords associated with this account just to be safe.

    You can sign up for a notification to warn if your address is found in the future.

    This can be done for an entire domain, so if you're worried about work emails you could also do this (I advise getting permission first).


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    murphk wrote: »
    This can be done for an entire domain, so if you're worried about work emails you could also do this (I advise getting permission first).
    For obvious reasons, you can only do it for an entire domain if you can actually prove you own/have control of that domain. Definitely no harm in asking your Infosec/IT guys if they have it set up though.

    We've had it alerting us on our domain for a good while, it's useful, though can lead to some...interesting conversations with users regarding some of the stuff they've signed up for using their work address which probably would have best been left to a personal one.


  • Registered Users Posts: 831 ✭✭✭damon5


    Thanks for replies lads, when I put in my email address on that site it came up that it was fine, but the other 2 I submitted were the usernames of 2 different websites and it showed a compromise. Quick question: what is 2FA? Cheers.


  • Registered Users Posts: 10,575 ✭✭✭✭Riesen_Meal


    damon5 wrote: »
    Thanks for replies lads, when I put in my email address on that site it came up that it was fine, but the other 2 I submitted were the usernames of 2 different websites and it showed a compromise. Quick question: what is 2FA? Cheers.

    2FA is when you need your mobile to sign your account into say your PlayStation account or your eBay/Xbox/Steam account...

    When you go to login on a "foreign" device it texts you a unique code to input on that device...


    https://en.m.wikipedia.org/wiki/Authentication#Two-factor_authentication


  • Registered Users Posts: 831 ✭✭✭damon5


    Fieldog wrote: »
    2FA is when you need your mobile to sign your account into say your PlayStation account or your eBay/Xbox/Steam account...

    When you go to login on a "foreign" device it texts you a unique code to input on that device...


    https://en.m.wikipedia.org/wiki/Authentication#Two-factor_authentication

    Cheers for that Fieldog, appreciated .....


  • Registered Users Posts: 1,993 ✭✭✭ItHurtsWhenIP


    damon5 wrote: »
    Thanks for replies lads, when I put in my email address on that site it came up that it was fine, but the other 2 I submitted were the usernames of 2 different websites and it showed a compromise. Quick question: what is 2FA? Cheers.
    Fieldog wrote: »
    2FA is when you need your mobile to sign your account into say your PlayStation account or your eBay/Xbox/Steam account...

    When you go to login on a "foreign" device it texts you a unique code to input on that device...


    https://en.m.wikipedia.org/wiki/Authentication#Two-factor_authentication

    While texting you a unique code is more secure than not having 2FA, you would be better off going with an authenticator app, like Google Authenticator. It's available for both Android and iOS.

    This generates the unique codes for the second factor. It can also use Push notifications, so instead of using codes, when you log in to your account from a strange device, your phone asks you if this login is OK and you say "Yea" or "Nay".

    Edit: Everybody should use 2FA on every on-line account where available - it dramatically improves your security posture.


  • Registered Users Posts: 831 ✭✭✭damon5


    While texting you a unique code is more secure than not having 2FA, you would be better off going with an authenticator app, like Google Authenticator. It's available for both Android and iOS.

    This generates the unique codes for the second factor. It can also use Push notifications, so instead of using codes, when you log in to your account from a strange device, your phone asks you if this login is OK and you say "Yea" or "Nay".

    Edit: Everybody should use 2FA on every on-line account where available - it dramatically improves your security posture.

    Have to start doing my homework as I've mentioned before, not computer literate so it's like a foreign language to me, cheers..


  • Registered Users Posts: 567 ✭✭✭Joe Exotic


    Blowfish wrote: »
    For obvious reasons, you can only do it for an entire domain if you can actually prove you own/have control of that domain. Definitely no harm in asking your Infosec/IT guys if they have it set up though.

    We've had it alerting us on our domain for a good while, it's useful, though can lead to some...interesting conversations with users regarding some of the stuff they've signed up for using their work address which probably would have best been left to a personal one.

    @Blowfish you are of course correct, I should have been clearer.
    I was referring more to a member of IT SEC doing it without informing IT SEC Management. It's important that if this resource is being used then that it be official, as not having it listed can cause complications in the above situations.

    E.g. senior manager has email in a NSFW site and you find out through the haveibeenpwned service. If you inform the company then it may become about how you're using unauthorised service rather than about what the senior manager has been up to with their account !!


  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    testicles wrote: »
    I would argue that that is not 2FA at all, but instead 2 stage authentication, seeing as it's the same factor.

    Yeah, it's an old and ongoing argument. My own opinion is that it's somewhere in the middle.

    You do have to have possession of your phone to receive the code. That's the "Something you have". Of course, once you view the code, it becomes "Something you know".

    However, regardless of which side of the argument you come down on, it's better to have this enabled than not, where possible.


  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.

