Topic: Have I been pwned website - Test your e-mail addresses to see if compromised

DaveLembke

I was checking out www.hak5.org, which I have donated to and watched since 2005, and Shannon Morse shared a cool website in the "The Top 5 Biggest Hacks of 2016 – Threat Wire" video, which is linked here: https://www.hak5.org/episodes/threatwire/the-top-5-biggest-hacks-of-2016-threat-wire

And the Have I been pwned website to test your e-mail addresses out is located here: https://haveibeenpwned.com/

I checked my many e-mail accounts and the only one that hasn't been part of information leak/theft hacks is my Gmail account. My Yahoo accounts are tied to multiple data security problems, not just with Yahoo but also other sites that I registered with and used that e-mail with. The coolest thing is that for me it's not that big of a problem that my data is out there and leaked. Nothing personal in these e-mails and websites, and I have for years used false information with all my e-mail accounts, so I have aliases and alias birthdays and addresses and fake maiden name security question answers and all that stuff. The problem is for those who have real information that is registered and those foolish enough to use mother's maiden name and all sorts of other security questions that should never be used etc. For all my security reset questions I might pick a category like your favorite instrument and use "YellowBigBird" as the answer. No one ever would come up with that, it's so outside the box. The worst and weakest security reset question has to be your favorite color.

Figured I would share this here, as there may be many of you who are unaware of this cool website that is able to tell you if your email is linked to data leaks/hacks, and it also gives a listing of what websites and what data breaches and hacks it was grabbed from. It's also always best to change your passwords and security questions to change up your account with what may have been leaked. If the information contained in a leak is stale then it's useless to a hacker.  ;D

I added some pics of my results with e-mails blanked out. The one below with 5 listed breaches is my oldest e-mail account from 2003 that is still used and is mainly the one that I use to register everything and anything that requires a registration. It's my junk bin that I keep active.

BC_Programmer


It should be noted this isn't checking if your E-mail account was compromised, but rather whether one of your online accounts associated with that E-mail has been compromised.

For my Hotmail E-mail, it looks like I've had two accounts compromised: "Daniweb", which I registered on before I even registered here and have pretty much ignored for 8 years, and Dropbox. In the former case I couldn't care less; I have a good idea what password I would have used then and it isn't used for any web account that I can think of, so presumably nothing that matters. Dropbox responded to the hack immediately by informing users pretty quickly and I changed my password at that time; but the compromised password wasn't used elsewhere.

Interestingly, my web domain e-mail "@bc-programming.com" also had a related account exposed, for some recruiting website I don't remember ever using. All my web-hosting associated Account passwords are unique randomly generated passwords which I don't use for anything else (largely for this reason!) so I'm probably fine.

Interestingly, a while back I found my own site had been compromised through a WordPress vulnerability which was also able to get my FTP password (or my FTP was somehow compromised, I don't know). I saw a login from Argentina in the logs and decided to change the password. Managed to clean up the mess and change the config to avoid the vulnerability.

The funny part was the most damaging part- an attempt to change my index.php to serve malicious drive-by downloads- was up for a grand total of 5 seconds, because by sheer coincidence at that exact time I was making changes to the file, and when I uploaded the changes I overwrote the hacked version!

Another related issue is the question of whether a site you give your E-mail to sells it onwards. Most sites will say "We never sell your E-mail to third parties" or something to that effect.

I heard of somebody coming up with a rather clever approach to this; they would actually create a brand new E-mail account (with unique profile info) and have it forward to their main e-mail for every online sign up, then write down the E-mail and the attached website they used it to register with. Then when they got spam, they could see exactly who sold their E-mail address (or was compromised). Seems like a lot of work to me but it's pretty effective.
I was trying to dereference Null Pointers before it was cool.
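
The per-site alias approach described in the post above, sketched as an added example that is not part of the original thread: it reads the recipient headers of received mail and reports which site's alias is getting mail from unrelated senders. The alias addresses, site names and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed registry (hypothetical names): alias address -> site it was given to.
ALIASES = {
    "shop-7f3a@example.org": "shop.example",
    "forum-c91d@example.org": "forum.example",
}
# After forwarding, the alias may survive only in a delivery header, not in To.
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

def addresses(msg, headers):
    """Lower-cased addresses found in the given headers of a parsed message."""
    found = []
    for header in headers:
        for value in msg.get_all(header, []):
            # Parse each value alone so one malformed header cannot spoil the rest.
            found += [a.lower() for _name, a in getaddresses([value]) if a]
    return found

def from_expected_site(sender, site):
    """True if the sender's domain is the site or one of its subdomains."""
    domain = sender.rpartition("@")[2]
    return domain == site or domain.endswith("." + site)

def leak_report(raw_messages):
    """Map each site to the outside sender domains that mailed its alias.

    The From header can be forged, so a matching domain proves nothing;
    a mismatch is the signal that the alias was sold or leaked.
    """
    report = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = addresses(msg, ("From",))
        for alias in ALIASES.keys() & addresses(msg, RECIPIENT_HEADERS):
            for sender in senders:
                if not from_expected_site(sender, ALIASES[alias]):
                    domain = sender.rpartition("@")[2]
                    report.setdefault(ALIASES[alias], set()).add(domain)
    return {site: sorted(domains) for site, domains in report.items()}

# Constructed sample mail, not real traffic.
SAMPLE = [
    "From: Orders <orders@mail.shop.example>\nTo: shop-7f3a@example.org\nSubject: Receipt\n\nThanks.\n",
    "From: Prize Dept <win@bulk-mailer.invalid>\nTo: me@example.net\nX-Original-To: Forum-C91D@example.org\nSubject: You won\n\nClick.\n",
    "From: promo@pills.invalid\nTo: undisclosed-recipients:;\nDelivered-To: forum-c91d@example.org\nSubject: Deal\n\nBuy.\n",
    "From: friend@example.net\nTo: me@example.net\nSubject: Hi\n\nLunch?\n",
]

if __name__ == "__main__":
    for site, domains in leak_report(SAMPLE).items():
        print(f"alias given to {site} received mail from: {', '.join(domains)}")
```
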