1.37 billion email addresses compromised


13 replies to this topic

#1 auto1571

auto1571

  • Members
  • 296 posts

Posted 15 April 2017 - 06:28 PM

In January this year a huge database leak revealed 1.37 billion email addresses. Other leaked data includes IP addresses, names and physical addresses. You can find out more about this by visiting Huge database leak. To find out if your email address has been compromised, visit Have I Been Pwned.


Edited by auto1571, 15 April 2017 - 06:29 PM.




#2 Just_One_Question

Just_One_Question

  • Members
  • 1,400 posts
  • Gender:Male
  • Location:Bulgaria

Posted 15 April 2017 - 06:45 PM

I haven't used any protection whatsoever, but just practised 'thoughtful' computing, and I am not pwned. Nice! :)

#3 auto1571

auto1571
  • Topic Starter

  • Members
  • 296 posts

Posted 15 April 2017 - 06:49 PM

That's good to hear, Just_One_Question.



#4 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 7,526 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 15 April 2017 - 07:36 PM

What I find amusing is that my only e-mail address that's been pwned had a breach from the Avast Anti-Virus Forum.  Since that was all the way back in 2014 and "no pastes" are reported I doubt I have anything to worry about.

 

It seems that a great many of these breaches are for the sole purpose of "bragging rights" rather than actual nefarious purpose (for which anyone should be grateful).


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

 

     In a modern society where everyone thinks their opinion deserves to be heard nothing annoys me more than individuals who mistake their personal preferences for fact.

         ~ Commenter TheCruyffGurn on the The Guardian website, 8/13/2014

 

              

 


#5 ranchhand_

ranchhand_

  • Members
  • 1,623 posts
  • Gender:Male
  • Location:Midwest

Posted 16 April 2017 - 08:23 AM

I have a "garbage" email site that I use at Yahoo; it has been "pwned" several times by Yahoo's lax security. I really don't care. My active email is still Outlook, and I use Mailwasher to review any incoming on the server, then delete and bounce any I don't like. Never been hacked or virus-infected in over 15 years. Same for my wife.


Help Requests: If there is no reply after 3 days I remove the thread from my answer list. For further help PM me.


#6 34BLEEP00XX

34BLEEP00XX

  • Members
  • 272 posts
  • Gender:Male
  • Location:Finland

Posted 16 April 2017 - 03:12 PM

Thanks for that Have I Been Pwned site. Much useful info there.


Edited by 34BLEEP00XX, 16 April 2017 - 03:12 PM.


#7 Mishima

Mishima

  • Members
  • 338 posts
  • Gender:Not Telling

Posted 17 April 2017 - 02:10 AM

I'm not using the Have I Been Pwned site, because it has various tracking on it, and does not appear to have ToS or Privacy Policy on the site.

Interesting to see so many accounts, but the Have I Been Pwned site said it's in the hundreds of millions, not billions.

Edit: This confuses me on their FAQ page, because it's not explained enough:

> Does the notification service store email addresses?
>
> Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.
>
> How do I know the site isn't just harvesting searched email addresses?
>
> You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.


Edited by Mishima, 17 April 2017 - 02:14 AM.
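The FAQ answer quoted above ("You don't, but it's not") concerns the breach search by email address, which does require sending the full address to the service. A lookup service can be built so that it never learns the exact value queried: the client hashes the value locally, sends only the first few hex characters of the hash, receives every stored hash suffix that shares that prefix, and does the final comparison itself. This is the k-anonymity range design Have I Been Pwned later adopted for its Pwned Passwords service; the email search discussed in this thread does not work this way. The Python below is an added example written for this thread, not code from the site or from Troy Hunt. Both the service side and its breach corpus are simulated and constructed inline so it runs offline; the secrets, counts and the `RangeService`/`check_secret` names are made up for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample corpus for the simulated service (made-up values and
# counts, not real breach data). A real service would store only the hashes.
BREACHED_SECRETS: Dict[str, int] = {
    "password123": 1184,
    "letmein": 450,
    "hunter2": 27,
}

HEX_DIGITS = set("0123456789ABCDEF")
PREFIX_LEN = 5  # the client reveals only this many hex characters of the SHA-1


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 of a UTF-8 string, the form used for the range lookup."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeService:
    """Simulated server side: hashes indexed by their PREFIX_LEN-character prefix.

    It records every prefix it was asked for so the example can show what the
    service actually learns about a query.
    """

    def __init__(self, corpus: Dict[str, int]) -> None:
        self._buckets: Dict[str, List[Tuple[str, int]]] = {}
        for secret, count in corpus.items():
            digest = sha1_hex(secret)
            self._buckets.setdefault(digest[:PREFIX_LEN], []).append(
                (digest[PREFIX_LEN:], count)
            )
        self.queries_seen: List[str] = []

    def range(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every stored hash sharing `prefix`."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        return "\r\n".join(
            "%s:%d" % (suffix, count)
            for suffix, count in self._buckets.get(prefix, [])
        )


def check_secret(secret: str, service: RangeService) -> int:
    """Client side: how often `secret` appears in the corpus, 0 if never.

    Only the hash prefix leaves the client; the suffix comparison is local.
    """
    digest = sha1_hex(secret)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in service.range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    svc = RangeService(BREACHED_SECRETS)
    for s in ("password123", "correct horse battery staple"):
        print("%-30s seen %d times" % (s, check_secret(s, svc)))
    print("prefixes the service saw:", svc.queries_seen)
```

With a 5-character prefix there are 16^5 = 1,048,576 possible buckets, and the service cannot tell which of the hashes in the returned bucket, if any, the client was holding; the `queries_seen` list makes visible that nothing but the prefix ever reaches it. Against a real endpoint the `range()` call would be an HTTPS GET returning the same `SUFFIX:COUNT` lines.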


#8 auto1571

auto1571
  • Topic Starter

  • Members
  • 296 posts

Posted 17 April 2017 - 06:49 AM

A BC advisor states that "Have I Been Pwned" is trustworthy: https://www.bleepingcomputer.com/forums/t/632660/is-leakedsource-legitimate/?p=4123907

 

As for being hundreds rather than billions perhaps the news article might have been a slight exaggeration as with many news articles online.



#9 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia

Posted 17 April 2017 - 05:44 PM

> I'm not using the Have I Been Pwned site, because it has various tracking on it, and does not appear to have ToS or Privacy Policy on the site.
>
> Interesting to see so many accounts, but the Have I Been Pwned site said it's in the hundreds of millions, not billions.
>
> Edit: This confuses me on their FAQ page, because it's not explained enough:
>
> > Does the notification service store email addresses?
> >
> > Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.
> >
> > How do I know the site isn't just harvesting searched email addresses?
> >
> > You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.

 

If you don't know who Troy Hunt is and you are interested in security, then I would suggest you read up on him, because he is one of the top security researchers in Australia.

He has admitted that he has been given the dumps by people who have purchased them, and he does not at any point give any of the details to anyone.



#10 Mishima

Mishima

  • Members
  • 338 posts
  • Gender:Not Telling

Posted 17 April 2017 - 09:40 PM

Okay guys, I'm not advising anyone here. What I am saying is that I have chosen not to use it, because the site tracks you using two different elements, does not have a ToS/Privacy Policy (which is very important to me since I care so much about privacy), and does not specify enough to be trustworthy as a source.

 

Although the security researcher is trustworthy, why not have a ToS? Why not have a Privacy Policy? Such things are important on a site that asks you to enter your username or email address. The site is secure; however, is the Azure database private? Such questions need to be answered... I do not trust based on who someone is, but actually based on the service they provide and the disclosure (if needed). These days, there is so much risk of information stealing that it does not make sense to just "trust" on the fly. I think of my security standards and privacy standards as default-deny, and I even set all of my software to such things. Nobody else has to make these decisions, as they are mine alone. This is my story and I'm not attempting to advise anyone or argue. :)



#11 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 7,526 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 18 April 2017 - 10:20 AM

 

> Although the security researcher is trustworthy, why not have a ToS? Why not have a Privacy Policy?

 

Because for a simple database lookup, which is what this is, that's really gross overkill.

 

Your e-mail address is not private.  Anyone who believes an e-mail address is private does not understand how e-mail works.

 

I'm not advising you, either, as it is entirely your choice as to whether or not to use the previously mentioned site.  That being said, it should be expected that once an e-mail address has been established, even if no one knows to whom it belongs, the address itself will not be private in any meaningful sense of that word after the first several e-mail messages have been sent.  There are just too many ways to "sniff out" e-mail addresses as messages make their way from the sender to the recipient.

 

Nothing asked for on that site as input could generally be considered private.  Our usernames are plastered all over the place for the world to see, including our usernames here on BC.

 

If the inputs asked for were something that's not easily found, and quickly, via just the slightest bit of web searching then I'd be worried.




#12 robby501

robby501

  • Members
  • 177 posts
  • Gender:Male

Posted 18 April 2017 - 03:31 PM

> Okay guys, I'm not advising anyone here. What I am saying is that I have chosen not to use it, because the site tracks you using two different elements, does not have a ToS/Privacy Policy (which is very important to me since I care so much about privacy), and does not specify enough to be trustworthy as a source.
>
> Although the security researcher is trustworthy, why not have a ToS? Why not have a Privacy Policy? Such things are important on a site that asks you to enter your username or email address. The site is secure; however, is the Azure database private? Such questions need to be answered... I do not trust based on who someone is, but actually based on the service they provide and the disclosure (if needed). These days, there is so much risk of information stealing that it does not make sense to just "trust" on the fly. I think of my security standards and privacy standards as default-deny, and I even set all of my software to such things. Nobody else has to make these decisions, as they are mine alone. This is my story and I'm not attempting to advise anyone or argue. :)

In that case, is there any chance you could pin your post here to the top of this thread, because I've just scanned my email accounts before reading your post here telling us that the site may not be legit. And I'm sure others will do the same.


I'm a rookie and purely recreational PC user. I'm utterly obsessed with security (even though I consider myself a safe and law-abiding internet user!) and run a combo of the following freeware security suites...

Windows Defender/firewall

Regular scans with Malwarebytes, AdwCleaner, JRT, HitmanPro


#13 Mishima

Mishima

  • Members
  • 338 posts
  • Gender:Not Telling

Posted 18 April 2017 - 03:45 PM

> > Although the security researcher is trustworthy, why not have a ToS? Why not have a Privacy Policy?
>
> Because for a simple database lookup, which is what this is, that's really gross overkill.
>
> Your e-mail address is not private. Anyone who believes an e-mail address is private does not understand how e-mail works.
>
> I'm not advising you, either, as it is entirely your choice as to whether or not to use the previously mentioned site. That being said, it should be expected that once an e-mail address has been established, even if no one knows to whom it belongs, the address itself will not be private in any meaningful sense of that word after the first several e-mail messages have been sent. There are just too many ways to "sniff out" e-mail addresses as messages make their way from the sender to the recipient.
>
> Nothing asked for on that site as input could generally be considered private. Our usernames are plastered all over the place for the world to see, including our usernames here on BC.
>
> If the inputs asked for were something that's not easily found, and quickly, via just the slightest bit of web searching then I'd be worried.

It's not overkill at all, it is responsible! Let's take TinEye for example, a simple service where you search images against their database to see if it is located elsewhere on the web. Although pictures are not that private, people prefer to keep certain photos private (and email addresses too). TinEye has a full disclosure on their entire service, even though their service is very similar to the Have I Been Pwned service. I do not find the details here different, and I see that TinEye even expresses how it does not collect any data that is personally identifying. I trust TinEye because of their disclosure, not because they are trusted by many top level websites across the web. I'm saying that we have the power to keep our information as private as possible so that spammers and cybercriminals do not obtain our information or credentials, or try to hack or hurt us. An IP traceback, for example, can be very dangerous if the criminal can spot your physical location.
 
When websites track or set cookies, it is required in many countries to have a privacy policy stating why you're tracking, how you're tracking, and what you do with the information that you track. It is not a standard of overkill, every site that tracks users at all should have a privacy policy not according to my advice, but the advising of governing councils for internet usage and maintenance. I have chosen to express my opinion here that I will not use the site because it is not responsible enough for my standard.

I apologize if anyone was misled to believe I was giving advice, but due to my opinions being misinterpreted, I will unsubscribe from this thread to avoid any further troubles.

 

> > Okay guys, I'm not advising anyone here. What I am saying is that I have chosen not to use it, because the site tracks you using two different elements, does not have a ToS/Privacy Policy (which is very important to me since I care so much about privacy), and does not specify enough to be trustworthy as a source.
> >
> > Although the security researcher is trustworthy, why not have a ToS? Why not have a Privacy Policy? Such things are important on a site that asks you to enter your username or email address. The site is secure; however, is the Azure database private? Such questions need to be answered... I do not trust based on who someone is, but actually based on the service they provide and the disclosure (if needed). These days, there is so much risk of information stealing that it does not make sense to just "trust" on the fly. I think of my security standards and privacy standards as default-deny, and I even set all of my software to such things. Nobody else has to make these decisions, as they are mine alone. This is my story and I'm not attempting to advise anyone or argue. :)
>
> In that case, is there any chance you could pin your post here to the top of this thread, because I've just scanned my email accounts before reading your post here telling us that the site may not be legit. And I'm sure others will do the same.

It is your choice alone to use the site, I expressed my opinion and I'm not an expert - I am far from being trusted to give advice. The reason why my posts were misinterpreted was because this topic was moved from General Talk to General Security. I will now unsubscribe. Have a nice day everyone! :)


Edit: I'm going to leave these articles here to help as references for what I stated above - FTC info - Terms Feed on Laws of PPs - SBA info

Edited by Mishima, 18 April 2017 - 04:08 PM.


#14 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia

Posted 18 April 2017 - 05:59 PM

 

> > Okay guys, I'm not advising anyone here. What I am saying is that I have chosen not to use it, because the site tracks you using two different elements, does not have a ToS/Privacy Policy (which is very important to me since I care so much about privacy), and does not specify enough to be trustworthy as a source.
> >
> > Although the security researcher is trustworthy, why not have a ToS? Why not have a Privacy Policy? Such things are important on a site that asks you to enter your username or email address. The site is secure; however, is the Azure database private? Such questions need to be answered... I do not trust based on who someone is, but actually based on the service they provide and the disclosure (if needed). These days, there is so much risk of information stealing that it does not make sense to just "trust" on the fly. I think of my security standards and privacy standards as default-deny, and I even set all of my software to such things. Nobody else has to make these decisions, as they are mine alone. This is my story and I'm not attempting to advise anyone or argue. :)
>
> In that case, is there any chance you could pin your post here to the top of this thread, because I've just scanned my email accounts before reading your post here telling us that the site may not be legit. And I'm sure others will do the same.

 

You have nothing to worry about with Troy Hunt, mate, he is like the Brian Krebs of Australia.

He is a very well known white hat and is endorsed by Microsoft and VMware, just to name a few.

He also has joined Pluralsight and lectures all over the world, so if you can't trust him then who can you trust LOL.

By the way, it's just a lookup tool. This is the go-to website to check if your email account has been added to any hacked database dump.





