
Have I been pwned? Check if your email has been compromised in a data breach - mountaineer
http://www.haveibeenpwned.com/
======
pvnick
Shit. Looks like I got caught up in the adobe breach. Let this be a lesson to
all engineers in charge of such situations to implement strong security. You
are partially responsible for these disasters.

I got a call from PayPal a week or two ago. It turns out somebody in Indonesia
accessed my Paypal account, presumably with credentials scraped from adobe. I
know, I know, shame on me for reusing passwords. Luckily no damage was done
and I did a change to the strongest password I've assigned anything yet.

Great job, op (if you're the one who wrote this service) for such an amazing
tool. Everyone, if you haven't already, you really should check if you've been
compromised. I will be sending this to all my friends.

~~~
da_n
This should be a lesson not to manage your own passwords; use a password
manager, there are many to choose from. I was also caught up in the Adobe
breach but my password was randomly generated by my password manager.

~~~
elwell
What do you do when you are using a different computer and need to login to
site?

~~~
zenojevski
Presumably you can open your password manager's web service and do it from
there.

~~~
baddox
That or use your phone. Most password managers have apps.

~~~
elwell
Ok, that makes the most sense to me.

------
zoul
It’s a bummer to find my e-mail between the leaked Adobe accounts. Especially
after the ordeal I had to go through to have my Adobe account “deleted” months
ago:

_You have requested that we deactivate your Adobe account. We have sent a
request to the relevant team to process your request. Please note that you
will lose access to Adobe services and support for which you have registered
or paid for. You will not be able to obtain serial numbers for past purchases
and the deactivation process may take up to ninety (90) days. Once completed,
your adobe.com membership and all personal data will be deleted from our
database._

Adobe, every single time I had anything to do with you it sucked. Big time.

~~~
stevekemp
It took 120+ days for my ebay account to get deleted, but thankfully I could
delete my paypal in only a few weeks.

~~~
Crito
The 120+ days thing with ebay is allegedly because they need to make sure any
outstanding deals are closed and accounts settled.

Of course that is absolute bullshit, it took them 120+ days to close my
account and I had not used it for over _4 years_ at that point. They actually
emailed me telling me that they were closing the account due to inactivity.
They gave me 3 or 4 months to log on before it would be killed, so I thought
to myself _"good, saves me the hassle of doing it myself"_. Fast forward 3-4
months and I get an email telling me my account was compromised. Weird... so I
log on, confirm any payment info I had was long since expired, confirmed
nothing had happened and that my password was intact... then I scrambled the
security question and password just to be safe and told Ebay to delete the
account. Cue _"this will take 120+ days"_ bullshit... but whatever.

At nearly the end of that 120+ days I get emailed again telling me the account
was compromised. I'm convinced this is a scam they run to trick you into
logging into your account, thus resetting the countdown.

Ebay and paypal are among my least trusted companies. I have a higher opinion
of even Comcast or Halliburton.

~~~
stevekemp
I think my story pretty much echoes yours; I'd stopped using paypal for a
couple of years, and stopped using Ebay.

I cancelled and about three months later I was "compromised". At that point I
reset the data to random values, deleted my "ebay@example.com" email alias,
and just resigned myself to forgetting about it.

------
Udo
Funny/scary anecdote I experienced a few days ago: most Linux flavors check
against the cracklib database when changing passwords, and as I typed in an
account password, a brand-new cracklib said it was based on a dictionary word.
Now, my passwords are alphanumerical jumble, and they're usually comprised of
an alphanumerical jumble "core" that I memorize and then a site-based or
computer-based pre- and suffix.

So, let's say for example, my current core is "kgA85kjF3". Then for example,
I'd morph that for my Hacker News account to "ZkgA85kjF39!" and my fileserver
as "UkgA85kjF3O2". I thought this was a good method of having reasonably long
passwords but I'd have to memorize very little per site.

So imagine my surprise, when I created a new password "NkgA85kjF3T3", cracklib
found a dictionary word in it. It got worse from there. Through
experimentation, I determined that it was _indeed_ the core that was
compromised. Any password containing "kgA85kjF3" was compromised.

I have no idea how this happened. If this was not a big cosmic coincidence, if
this is not just a random regex filter accident, that means data from at least
two known password databases containing my cores has been correlated, and put
into cracklib no less. There is really no limit to the imagination regarding
what illegitimate databases might contain...

~~~
basch
whynotjustusereallylongpasswordsthatarehardformachinestocrack?

~~~
overgard
Passphrases are a really good idea, but a lot of sites have very short length
limits.

Granted if they have limits that's a really big red flag that they're storing
your password in plain text, as a hash should always be the same length, so
you probably shouldn't sign up there anyway. I remember a few years ago I was
signing up for a TD account, and about 5 pages through the signup page it
wouldn't allow me to continue because my password was /too secure/ (not their
exact wording, but that was basically the problem). What makes it funnier is a
lot of sites would reject the password I used at the time as not being secure
enough.

I stopped signing up at that point, but I remember getting a phone call (!)
from them a couple days later asking why I didn't finish the sign up, and my
answer was: because I'm not giving my money to a company that doesn't know how
to store passwords!

~~~
sb23
In Australia, our "welfare" system is taken care of by Centrelink. They have
all of your personal details, as well as access to the amount you're getting
per fortnight, and job history, resume etc. Lots of stuff you don't want
compromised.

They also limit your password to 8 characters.

This is a huge government website that heaps of Australians have to access at
least fortnightly.

------
oal
LastPass has a similar service for some of the recent (and not so recent)
hacks:

* [https://lastpass.com/adobe/](https://lastpass.com/adobe/)

* [https://lastpass.com/linkedin/](https://lastpass.com/linkedin/)

* [https://lastpass.com/lastfm/](https://lastpass.com/lastfm/)

* [https://lastpass.com/eharmony/](https://lastpass.com/eharmony/)

~~~
acheron
Thanks for that; I had ignored the Adobe leak, because why would I have
created an Adobe account? Turns out I did at some point, so I guess I'm the
goat there.

~~~
mcv
Often you need to create an account or somehow register your email at sites,
just to get something very basic, like a free download, or use a feedback
form.

This demonstrates nicely why that's a bad idea.

~~~
aestra
[http://www.bugmenot.com/](http://www.bugmenot.com/) is useful for such a
case, registration required for a download.

------
peterwwillis
For those freaking out about somebody "misusing" this information (your e-mail
address) .... I have some bad news.

E-mail addresses are not secret. They cross the wire in plaintext, they get
stored in various mail server logs in various relays across the globe, they
get passed around by spam analysis services, anti-virus services, and any
company you submit it to has the right to sell it and any other information
about you to anyone they want, without your consent.

_"Although partial regulations exist, there is no all-encompassing law
regulating the acquisition, storage, or use of personal data in the U.S. In
general terms, in the U.S., whoever can be troubled to key in the data, is
deemed to own the right to store and use it, even if the data were collected
without permission."_ [1]

California is one of the few (only?) states with privacy laws, and it
basically just says companies must post a privacy policy and follow it - and
that policy could, for example, say they are allowed to sell on your
information, which I'm sure 99% of companies would opt for.

Your e-mail address alone is not worth much in a general sense. In terms of
spammers, they already _have_ all the e-mail addresses in this list. And if on
the off chance this guy's service is "selling" e-mail addresses to spammers
(at what... $0.10 per e-mail address?), are you really so afraid of someone
sending you spam?

[1] [https://en.wikipedia.org/wiki/Information_privacy_law#United...](https://en.wikipedia.org/wiki/Information_privacy_law#United_States)

For more information about all the other personal information about you that
isn't private, see
[https://epic.org/privacy/profiling/](https://epic.org/privacy/profiling/)

~~~
beering
Hi, two things.

People knowing that you have account yyy@example.com at example.net could use
that information in a spear-phishing attack, or know that you're involved in a
controversial website, prohibited website, etc.

Emails were not the only things that were stolen. For example, in the Adobe
breach, encrypted passwords were stolen. If your email address is shown as
being in the Adobe breach, that also means that your encrypted password,
password hint, etc. were stolen. For Sony, maybe credit card information.

If this website was only about whether email addresses were leaked, then why
would anyone type in their email address into this website (thus leaking your
email)?

------
l0c0b0x
Normally wouldn't trust this, but:

[http://www.troyhunt.com/](http://www.troyhunt.com/)
[http://www.intodns.com/haveibeenpwned.com](http://www.intodns.com/haveibeenpwned.com)
(forwarded from haveibeenpwned.azurewebsites.net)
[http://www.whois.com/whois/haveibeenpwned.com](http://www.whois.com/whois/haveibeenpwned.com)

Seems legit.

~~~
brc
Troy Hunt has been blogging about this for a while. Troy is a good guy who
blogs extensively on security matters. I don't see any risk in putting your
details in here.

His recent posts on pwning peoples phones and tablets while they were at his
conference talk are pretty amusing. Shows just how insecure things really are.

------
k4st
As someone who was 'pwned' by the Adobe leak, I have no idea how bad the
pwnage was. That is, I don't recall what my Adobe password was, and so I have
no idea which of my many passwords was compromised.

Also, I partially went through the Adobe password reset procedure two or three
times--each time guessing at what my original password was. Unfortunately,
they accepted all of my guesses, so I was still none the wiser about which
password was compromised.

To top the entire ordeal off, Adobe was _not_ the one to tell me that my
password was compromised. Instead, my hosting provider and some other services
notified me.

~~~
TillE
Yeah, I'm downloading the leak and trying to check if I can deduce whether it
was the common I-don't-care password I think it was. A couple other people had
used the same password, but the hints didn't help me.

[http://security.stackexchange.com/questions/45413/how-do-i-d...](http://security.stackexchange.com/questions/45413/how-do-i-decrypt-an-adobe-triple-des-ecb-mode-encrypted-password)

------
cleaver
I tend to create a new email address for everything I sign up for. This makes
a little harder to check :)

EG: twitter@example.com, facebook@example.com, hackernews@example.com

It also makes it a little harder for people to find me on social media. Not
sure if that's a bug or a feature ;)

~~~
millerm
That's actually a very unadvisable scheme. By doing this you make yourself a
target. If any one of those are compromised, attackers will attempt to try
that against a lot of popular sites (including banks). If you have your own
domain (which I assume you do based on your scheme), I suggest not doing this.
You would be better off coming up with a random account name for each and
using a password manager to keep track of these.

FYI, I used to do this too. And this is how (in a similar fashion) Mat Honan
got Gizmodo's Twitter and his iCloud and Gmail accounts hacked and also had
his computer remotely wiped because he used his name in every domain/service
as his account name or email account name.

Edited for more information.

~~~
cleaver
The key motivation is not security, but if any account starts receiving spam,
I will have a good idea where it is coming from. It also lets me shut off mail
from any source.

Some services will use that as the username, others allow me to pick my own.
Using a password manager helps this whole scheme. Now that I do that, I could
go to random email addresses and usernames.

~~~
walden42
The only problem I've found with this method is the spammers that try to guess
your email, so they end up sending emails to "admin@domain.com",
"webmaster@domain.com", etc. The catch-all forwards them all to me.

The only way around this, I think, is to only have uncommon emails, like
instead of admin@domain.com, use contactadmin@domain.com. Put a block on the
common ones and you're good to go.

~~~
octo_t
regrettably this is against RFC 2142[1], which states that you need to leave
certain mailboxes open (such as abuse@domain, webmaster@domain etc)

[1] - [http://www.ietf.org/rfc/rfc2142.txt](http://www.ietf.org/rfc/rfc2142.txt)

~~~
cleaver
Quite ironic, isn't it, how "abuse@example.com" is a conduit for abuse?

Spammers effectively killed that RFC.

------
wfunction
Who's to say these guys aren't stealing our emails?

~~~
aaronblohowiak
your email is not a secret.

~~~
mhurron
No, but it can be harvested for directed attacks or spamming. Entering it
would basically 'prove' it's a valid address.

~~~
manmal
The Adobe leaks list is mostly made up of verified emails, so...

Coming to think of it, there has been some spam lately (though that hasn't
happened in years now at gmail), and I wonder whether it's related to that
Adobe leak.

~~~
mhurron
Ah, but by checking if your email is compromised, they get even more emails
than they did just from compromised sources.

------
relet
Am I the only one who is reminded of the "Has your credit card number been
stolen? Check here!" phishing ads?

Isn't there a better way to check for stolen addresses than to enter your
email on a dodgy (hey, I followed a link on _Hacker_ News) website? Such as
calculating a hash on the client, and sending the hash for verification?

------
danso
This is an impressive service (the speed, especially)...collation of different
data sources into one easily accessible form is a hugely useful and underrated
service. That said...there's no such thing as better security without an equal
tradeoff. Here, it's now much easier (especially with the site response speed)
for a third party to look up email addresses, see who they've patronized, and
aggregate them into a database of less noble intent.

To check if a given email address was an Adobe/Gawker/whatever customer, you
would've not only had to query every separate form but you would also not be
guaranteed to get a definitive response (because some services will be
ambiguous to whether you got a password wrong or whether the account exists at
all). With the OP's service, with positive hits, you not only get confirmation
of patronage, but knowledge that they are vulnerable, even if in a small,
outdated way.

It's likely something Troy has anticipated but didn't want to outright
say...In the end, knowledge is better than ignorance, and the correct response
is for more rapid response to hacked victims and better security awareness.
But I also wonder if there's a way to provide the OP's service with more
(beneficial) obfuscation?

~~~
ericlewis
Whoa, slow your roll buddy. This could be really easily done by preprocessing
the data and creating simple objects in redis. One object = email, sub objects
of email could just be flags for the service it's on.

~~~
danso
It's not the processing that's the bottleneck, it's the gathering and the
_initiative_ to do that gathering which is rare. For example, criminal records
and notices have always been collectable and, once collectable, searchable.
But the incidence of "a prospective employer googled me and found a 5 year old
article of me publicly urinating in college" became more of an issue in the
age of Google.

This isn't an indictment of Troy at all, just an observation (and I'm also
just curious about what mitigation could be done, if any, that wouldn't
severely inconvenience the end user). The security that exposed people had was
security through obscurity, which is in the end, not enough security.

~~~
icebraining
Mitigation would be fairly simple: instead of a web form, put up an email
address that you can send a message to and get back the result.

------
bdamm
For the last 12 years or so I've been using unique email addresses. I have a
catchall domain and established patterns for giving out email addresses. Over
the years I've witnessed many companies either getting hacked or selling out
their mailing list. I know this because I start to receive spam to these
unique email addresses.

Just this morning I discovered that Sirius XM has been hacked. Shame.

It would make an interesting project to analyze all this history that I've
built up.

------
Joeboy
I am in the habit of making up email addresses on the fly when I register for
things. Looking in my spam folder, in the last couple of days I've had spam to
the email addresses I submitted to Adobe, Groupon and Abbey National Bank (now
Santander). As people have pointed out email addresses are not secret, but if
they've leaked out of these businesses' databases it's a bit worrying what
else they might be leaking.

------
denzil_correa
_Should I Change my Password_ is a push service which notifies if your account
is compromised and sends you an e-mail to change your credentials [0].

Cool hack btw! The only thing missing is a "What to do" link which could be
more useful for folks who are not so technically savvy.

[0] [https://shouldichangemypassword.com/](https://shouldichangemypassword.com/)

------
sp332
An introductory blog post: [http://www.troyhunt.com/2013/12/introducing-have-i-been-pwne...](http://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html)

------
rickyc091
Does anyone know the site that lists all the sites that have been compromised?

Edit: Found it, this was the one I was looking for.
[http://dazzlepod.com/disclosure/](http://dazzlepod.com/disclosure/)

------
Gustomaximus
I've started to sign up to sites with a unique email address based on the
websites URL.

E.g. If I signed up to Myspace I would use Myspace@exampledomain.com

I have the mail server at "www.exampledomain.com" set to accept all emails
under the domain so I can see if someone has passed on my details legitimately
or via hacking.

Since I've started about 12 months ago I've not found any cross pollination
which seems a good sign for the industry in general.

It also adds a layer of security as your sign-up email changes for different
websites if you use the same password across several.

------
znowi
Is this a clever way to harvest email addresses? :)

~~~
denzil_correa
No

    
    
        Passwords: I’m not storing them. Nada. Zip. I just don’t need them 
        and frankly, I don’t want the responsibility either. This is all 
        about raising awareness of the breadth of breaches.
    

[http://www.troyhunt.com/2013/12/introducing-have-i-been-pwne...](http://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html)

~~~
rallison
Considering that this is made my Troy Hunt, I would trust it. He has built up
enough reputation in my mind.

------
danso
I have a question...how big is the backend to this site? Its average response
is about 100ms, which, to me, seems _impressively fast_ considering the number
of bulk records and the amount of concurrent traffic that such a site is
getting. Besides the obvious indexing of the email field...anything special
behind the curtains? Lots of machines? Something else besides a simple key
lookup? Or am I just vastly overestimating how slowly a properly maintained DB
will respond in such a situation?

~~~
troyhunt
This might answer your question:
haveibeenpwned.com/HowFastIsAzureTableStorage/?email=foo@foo.com

I'm writing up how the back end is done and will post it in the next day or
two, IMHO it's massively impressive but also very easy :)

~~~
danso
Looking forward to it! The raising of awareness about security is alone pretty
awe-inspiring, so the fact that I'm equally piqued by such technical details
as the site's backend is really saying something about the impressiveness of
the execution

~~~
troyhunt
Try this: [http://www.troyhunt.com/2013/12/working-with-154-million-rec...](http://www.troyhunt.com/2013/12/working-with-154-million-records-on.html)

------
code_duck
The email I used for Adobe was caught in their breach. Good news? I not only
used a different password, but I use a new email for almost every site. I have
a wildcard email and Adobe is the only site I've ever used that particular
email on. Meanwhile, my yahoo account (which I basically use for nothing) is
not listed as being exposed, but I logged into that recently and had a note
that it had recently been logged into from India. Good golly.

------
w-m
That Adobe got hacked isn't your fault - that you chose a weak password and
reused it, is.

Showing a few more numbers might help more people realize that their passwords
aren't actually unique, creative or safe. The data that came out of the Adobe
hack is pretty interesting, and the results are much more tangible than "oh
no, pwned!".

Something like:

"Your password was used by 8290 people.

Furthermore, 2615 persons gave a plain text hint as to what the password might
be."

------
mrleinad
"How to collect e-mail addresses" - Exercise 1

------
bcuccioli
Feature request: Could you strip the dots from user input if the email address
is @gmail.com, and similarly strip the dots from the records of pwned email
addresses? Gmail usernames are dot agnostic, and I sometimes use
xyz@gmail.com, x.yz@gmail.com, etc. This makes it hard to use the tool to
check if my Gmail has been pwned. (Also, I assume you don't do this already).
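
A lookup-side canonicalisation that would satisfy this request, written here as an added example rather than anything from the site. It goes slightly beyond the post: besides dots it also folds Gmail's googlemail.com alias and +tag sub-addressing (both assumed Gmail behaviours), and it deliberately leaves other providers' dots alone because they are not dot-agnostic in general.

```python
# Domains whose local part ignores dots, mapped to the canonical domain.
# Assumed Gmail behaviour: googlemail.com delivers to the same mailbox as gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def normalize_email(address: str) -> str:
    """Canonical lookup form of an address for a breach index.

    Case is folded everywhere (acceptable for an index, even though RFC 5321
    makes local parts case-sensitive in principle). Dots and +tags are removed
    only for Gmail, where they do not change the mailbox; other providers may
    treat 'x.yz' and 'xyz' as different users, so those are left intact.
    """
    address = address.strip().lower()
    if address.count("@") != 1 or address.startswith("@") or address.endswith("@"):
        raise ValueError("expected exactly one user@domain address, got %r" % address)
    local, domain = address.split("@")
    canonical = DOT_INSENSITIVE_DOMAINS.get(domain)
    if canonical is not None:
        local = local.split("+", 1)[0].replace(".", "")  # drop +tag, then dots
        if not local:
            raise ValueError("Gmail local part is empty after normalisation: %r" % address)
        domain = canonical
    return local + "@" + domain


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings resolve to the same canonical address."""
    return normalize_email(a) == normalize_email(b)
```

Both the user's input and the stored breach records would be passed through `normalize_email` before comparison, so `x.yz@gmail.com` and `xyz@gmail.com` hit the same record.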

------
Gyy0
This is what caused me to start using a password manager. I always knew that I
should, but it seemed to be a major pain, if I had known how convenient it is,
I would have switched to it long back.

Instead I first started off with my own "password generator":

    
    
        import secrets
        import string
        import sys

        def generate_random(length, simple):
            # Letters and digits only for usernames; every printable non-whitespace
            # character (string.printable minus its 6 trailing whitespace chars) for passwords.
            chars = string.ascii_letters + string.digits if simple else string.printable[:-6]
            # secrets.choice draws from the OS CSPRNG; the random module is not
            # suitable for generating secrets.
            return ''.join(secrets.choice(chars) for _ in range(length))

        def username():
            return generate_random(length=4, simple=True)

        def password(length):
            return generate_random(length=length, simple=False)

        if __name__ == '__main__':
            length = 6
            if len(sys.argv) > 1 and sys.argv[1].isdigit():
                length = int(sys.argv[1])

            for i in range(20):
                print(username(), password(length))

------
benjamincburns
I'd like to see a site which validates whether or not your _password_ is
exposed. Users should assume that it is exposed, but it would be nice to know
whether or not it's floating around in some list somewhere.

Problem is, I can't think of a computationally efficient way to perform this
check securely. I could see handing the user a nonce, asking them to manually
hash their password concatenated with the nonce, and then comparing the user's
response with a list you've hashed yourself, but I'm sure this won't scale
well.

Is there such a thing as a secure, or "blind", bloom filter which allows a
user to search for some chunk of text without exposing to the world what that
chunk of text is?

Edit: Hmm, this might be what I'm looking for:
[http://www.tdp.cat/issues/tdp.a015a09.pdf](http://www.tdp.cat/issues/tdp.a015a09.pdf)

~~~
jrockway
It's possible to write a tool that will figure out all algorithms/salts used
by compromised sites, and then hash your password with those algorithms/salts
and see if that hash appears in the compromised password files.

Most of the compromised sites use worthless password storage mechanisms, like
unsalted hashes or plaintext, so this level of sophistication is mostly
unnecessary. For example, say you used the password "foobar".

md5 that:

    
    
        $ echo -n "foobar" | md5sum
        3858f62230ac3c915f300c664312c63f  -
    

Then Google for 3858f62230ac3c915f300c664312c63f. The first result's snippet
is:

    
    
        = rainbow.lookup('3858f62230ac3c915f300c664312c63f') # => 'foobar' ...
    

There you go. Don't use "foobar" as your password.

~~~
jason_slack
You've got me thinking about how I store passwords. I have in the past done:

    
    
        ~ $ echo -n "mypassword" | base64
        bXlwYXNzd29yZA==
    

How would one combine the above with md5? on OS X is it `md5 -s <string>`

So basically base64 'mypassword', then md5 the base64 result.

~~~
benjamincburns
Oh god, I hope you're joking.

[http://www.codinghorror.com/blog/2007/09/youre-probably-stor...](http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html)

~~~
jason_slack
Well, I wasn't joking, but I didn't realize md5 was as vulnerable as Atwood
says it is. SHA-2 or Bcrypt.

~~~
benjamincburns
Sorry, that was overly snarky and that wasn't warranted.

Are you talking about how you store your own passwords so that you may
retrieve them in order to log into some service, or are you talking about how
you store user credentials as part of an application?

If you're storing your own passwords, just use a well-rated password locker
program, or store them in a TrueCrypt volume or similar. If you're storing
your users' passwords... well, don't -- store the hash like that Atwood
article suggests.

To your initial question, if you need to use the output of one program as an
argument to another program, you can wrap it in backticks:

    
    
        md5 -s `echo -n please_dont_actually_do_this | base64`
    

But really there's no benefit to converting it to base64 before you hash.

~~~
jason_slack
No, I am just storing my passwords in a text file and I don't want to do it in
plaintext, but I also don't want to have to encode the whole text file and
have to decode it first to use it. Just make it more complicated if someone
opens it.

Thanks for the reminder of ticks (`); I was accidentally using single quotes
(').

~~~
benjamincburns
Ah, then I stand by my original advice. Keep in mind, base64 encoded
ascii/UTF-8/whatever encoding you like is still plaintext. If you want to be
secure, use a password locker program or store them in a text file inside of a
small encrypted volume which you unmount as soon as you're done with it
(TrueCrypt is nice for this).

But if you don't care about them actually being secure, party on...

Aside from backticks, you can also use the dollar quote (I'm sure this has a
better name):

    
    
       $(some_command some arguments | some_other_command)
    

Finally, back to the original "how do I combine this with md5" question, you
don't, as that won't do what you want. That is, you want to be able to recover
the plaintext, but cryptographic hashes are designed specifically to make that
practically impossible.

------
chengl
Many comments suggest to use password managers like lastpass, 1pass, etc. But
I think that may not be a good idea: a. What if lastpass/1pass is compromised?
b. You have to login to retrieve your password, which is inconvenient.

I think the best solution to this is to make sure your passwords ONLY exist in
your head, nowhere else. And to NOT reuse your passwords, you have to create a
unique and reasonably strong one for each service.

So how do I remember all these unique and strong passwords? I create an
algorithm which takes two parameters as inputs: my username and the domain of
the service, it will do some simple manipulation of the inputs and give me a
reasonably strong password. Hence, all you need to do is to remember your
algorithm and use it to compute your password when you need it. Of course, you
want the algorithm simple enough to be done in your head.

------
elorant
For cases like these is why you should NEVER use the same password in
different sites. While my email is in the Adobe list the password I used there
is unique so I don't bother too much, other than that I've lost any trust in
Adobe and I'll think twice about doing any business with them in the future.

------
thrillgore
I got an email from LastPass about being caught up in the Adobe breach and it
took me one evening, two cups of coffee, and a lot of patience to switch all
my passwords to auto-generated strings and enable 2-factor where I could.

Only now in this fleeting moment do I realize that I'm now tied to LastPass's
ecosystem.

------
gojomo
Feature request: allow wildcard searches, with a sufficiently large literal
starting prefix, to return a simple "zero" or "more-than-one" result.

EG: "john*@gmail.com"

I'd then feel better about typing my address into a random site, and be able
to check site-specific variants of my address more easily.
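
relet's suggestion earlier in the thread (hash on the client, send only the hash), benjamincburns's question about checking a password without exposing it, and gojomo's prefix query above combine into one scheme: the client sends a short prefix of its hash and matches the returned bucket locally. This is an added example, not the site's code, and it generalises the three proposals; `BreachServer`, `is_pwned`, `sha1_hex`, `PREFIX_LEN` and the sample password list are all constructed here.

```python
import hashlib

PREFIX_LEN = 5  # hex chars sent to the server; 5 of 40 leaves 2^20 possible hashes per bucket

# Constructed sample corpus standing in for a leak; the server keeps only
# SHA-1 hashes of these, bucketed by prefix. Not taken from any real breach.
SAMPLE_LEAKED_PASSWORDS = ["foobar", "password", "letmein", "hunter2"]


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 of a UTF-8 string, used as a lookup key (not as password storage)."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Server side: answers 'which known hashes start with this prefix?'.

    It never receives the full hash, so it cannot tell which bucket entry
    (if any) the client cares about, nor recover the secret behind it.
    """

    def __init__(self, hashes):
        self.buckets = {}
        for h in hashes:
            self.buckets.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])

    def range_query(self, prefix: str) -> list:
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        # Always return the whole bucket (possibly empty, as gojomo's "zero" case)
        # so the response size alone reveals nothing about the client's query.
        return sorted(self.buckets.get(prefix, []))


def is_pwned(server: BreachServer, secret: str) -> bool:
    """Client side: only the hash prefix leaves the machine; matching happens locally."""
    full = sha1_hex(secret)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


SERVER = BreachServer(sha1_hex(p) for p in SAMPLE_LEAKED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ["foobar", "correct horse battery staple"]:
        verdict = "found in corpus" if is_pwned(SERVER, candidate) else "not found"
        print(candidate, "->", verdict)
```

The same exchange works for e-mail addresses: hash the address client-side and query by prefix, which is what the "sufficiently large literal prefix" request amounts to once the prefix is over a hash rather than the address itself.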

~~~
legohead
Yes!

For every different site I use a different email address, so I know when
something fishy is going on. so I might have hackernews@mydomain.com. The form
won't accept just @domainname.com :(

------
kanwisher
Nice been looking for a tool like this, so I didn't have to download each of
these hacks lists

------
dudus
What about this one? [http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-po...](http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html)

------
mdxn
This database includes emails that were simply listed in these data breaches.
Newer Adobe account emails were put in as entries in the database, but their
associated password/hint data was not. There were quite a large number of
these in the leaked db, including some of mine. I had to download the whole
thing and search to realize that the only information revealed/stored was the
email address.

------
andy_ppp
Idea: Write a service that you pass the unsalted hash to (only salted hashes
in the DB please), and the email address and hash type. Stop people if their
hash matches any previous ones.

Obviously this would stop people providing the same password for all
services... But might creep some people out!

Would hopefully highlight how insecure/guessable non salted hashes are. Does
anyone know best practice for doing things like this?

------
jwallaceparker
And then this happened:

[http://www.bbc.co.uk/news/technology-25213846](http://www.bbc.co.uk/news/technology-25213846)

------
Gyy0
And let's also not forget, this is why you should always use
[http://www.mailinator.com/](http://www.mailinator.com/) instead of your real
address.

Lots of sites block mailinator, but then use one of their aliases –
foobar@spamgoes.in ... then check
[http://foobar.mailinator.com/](http://foobar.mailinator.com/)

------
goshx
Is this a trap to build a mailing list?

I tried a bunch of fake hotmail emails and 90% of them are "pwned". Very
suspicious to say the least.

~~~
gwu78
Aside from those who enter fake addresses or addresses they do not control,
the folks who set up websites like this can also connect each email address
with an IP address. This might be useful, e.g., for determining geolocation.
It is sad to think that naive users are falling for this every time a data
breach makes the news, handing over their email address to total strangers.

------
samweinberg
Welp, I now know my login was a part of the Adobe leak.

Shouldichangemypassword.com sent me an email a few weeks ago saying my email
address was found in a leaked database, although they couldn't say which one.
Considering I have more than 100 accounts which use that particular email
address, it didn't help at all. This site did!

------
3rd3
Is it possible to apply the same hash function to a string as it’s done in the
users database of the Adobe breach? I think it is 3DES. I’ve been able to
obtain my (hashed) credentials, but as it seems my account is deactivated at
adobe.com (probably due to inactivity?), so I’m not able to test which
password I used. :(

~~~
maxerickson
The key is not publicly known. Some passwords have been recovered, as
discussed here:

[http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-pass...](http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/)

It would be irresponsible for anybody to share the key; it would reveal all
the passwords.

------
dysoco
I got my Adobe account pwned, apparently.

I didn't even know I had an Adobe account, I don't use any Adobe products.

------
ScrawlingChaos
Weird. Flagged a hotmail addy I rarely use as having been compromised in the
Adobe breach, but I don't recall ever using that address with Adobe and when I
plug it into Adobe to reset the password for it, it says that they have no
account associated with that address.

------
DigitalSea
This site has done a good job highlighting just how badly Adobe screwed up
with their data breach. Everyone in my office had their email address show up
from the Adobe breach (including mine) and based on the comments, everyone
else mostly did as well. Whoa.

------
sltz
For those who aren't aware: [https://chrome.google.com/webstore/detail/one-last-pass-pass...](https://chrome.google.com/webstore/detail/one-last-pass-password-ma/cnpobogcpnkgjpfjcmmgppgpmihanimo)

------
acolavin
This is a great service -- I've already shared it with my colleagues. But
doesn't this tool now make it easier for those with a grudge to find their
enemies' compromised accounts? ...all the more reason to change your
passwords...

------
beefsack
I always have an uncomfortable feeling these exist purely to harvest email
addresses. Not that it stopped me using it, the results are of interest and my
email address is already plastered all over the place.

------
nashequilibrium
My gmail was fine but my yahoo mail is compromised, but I actually changed the
password a couple weeks back because yahoo asked me, so it worked out fine. I
have not used Adobe's services for over a year now.

------
staunch
You suck Adobe.

------
ritonlajoie
It looks like the guy having mark@facebook.com has an Adobe account!

------
damian2000
Seems pretty similar to this one from a year or two back...

[https://shouldichangemypassword.com/](https://shouldichangemypassword.com/)

------
easy_rider
For some reason I always forget I have an Adobe account.

------
saym
Funny that example@example.com has been pwned twice.

~~~
midnitewarrior
example.com is a special domain, not to be used for any legit purpose, so good
luck hacking that!

[http://tools.ietf.org/html/rfc6761](http://tools.ietf.org/html/rfc6761)

~~~
saym
I'm aware, that's why I wanted to see if people were using it for their
accounts.

------
soperj
I find it amusing that my real email address is not compromised but all of my
fake ones for signing up for various things are compromised.

------
pcx
Is it possible to find the actual data? I found an old email in there; it would
be interesting to check out what lame hint I used.

------
Houshalter
It says I haven't, yet if I google my email and an older password I used to
use, I find it listed on some Russian forum.

------
nishantmodak
You should also include dates alongside the breach, just so that one knows if
they have taken corrective action after that.

------
elorant
For cases like these are why you should NEVER

~~~
cortesoft
Never finish your comments?

------
wil421
Adobe got me.

Does lastpass work great for checking banking on cellphones and other logins
that would require a cut and paste on a desktop?

~~~
ufmace
Yup, works great, I've been using it for over a year. To login to banking on
your phone, you first go to the Lastpass app, login to that, then copy the
password to your bank, open their app, and paste the password in. Lastpass for
Android also now has a notification that stays up while you're logged in, to
remind yourself to log back out when you're done.

~~~
BlackDeath3
That's the way that it worked when I first started using it, but am I the only
person using the full Lastpass browser these days? It's far more convenient
than the old Authenticator -> Lastpass -> Browser authentication workflow that
I had to use before the upgrade.

------
albemuth
They could just query against the MD5 of your email instead, if it's a match
they already had your email anyways :)
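
The hashed-lookup idea from this comment, carried one step further than the comment goes, as an added Python example (not code from haveibeenpwned.com): the client hashes the address locally and sends only a short prefix, the server answers with every hash in that bucket, and the client finishes the match itself, so the server never learns the full hash or whether it matched. Addresses and breach assignments are constructed; a production service would use a longer prefix over a far larger index.

```python
import hashlib
from typing import Dict, List

PREFIX_LEN = 1  # hex chars sent to the server; short here so the toy index
                # yields buckets of several entries each

def email_hash(email: str) -> str:
    """Normalise, then hash. The client does this locally."""
    return hashlib.sha1(email.strip().lower().encode()).hexdigest().upper()

# Constructed server-side index: SHA-1(email) -> breaches it appeared in.
# Toy addresses and assignments, not from any real dataset.
_BREACHES = ["Adobe", "Stratfor", "Gawker", "Yahoo"]
BREACH_INDEX: Dict[str, List[str]] = {
    email_hash("user%d@example.com" % i): [_BREACHES[i % len(_BREACHES)]]
    for i in range(48)
}

def server_range_query(prefix: str) -> Dict[str, List[str]]:
    """Server side: return every indexed hash sharing the prefix. The server
    sees only the prefix, never the full hash or whether anything matched."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex digits" % PREFIX_LEN)
    return {h: b for h, b in BREACH_INDEX.items() if h.startswith(prefix)}

def client_check(email: str) -> List[str]:
    """Client side: hash locally, send the prefix, finish the match at home."""
    full = email_hash(email)
    bucket = server_range_query(full[:PREFIX_LEN])
    return bucket.get(full, [])

def anonymity_set_size(email: str) -> int:
    """Number of indexed hashes the server cannot tell this query apart from."""
    return len(server_range_query(email_hash(email)[:PREFIX_LEN]))
```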

------
cm2012
This is very cool. I didn't even think of my adobe account when the breach
happened, since I used it so long ago.

------
josh2600
If you want to see what it looks like when your email address has been pwned I
tried lol@lol.com and got back 4 hits.

------
maerF0x0
also: [https://pwnedlist.com/query](https://pwnedlist.com/query)

------
aaronsnoswell
The real zinger - when you enter your email address to check, they store it
and steal your identity :P

------
0utsider89
This site is BS, I put in a BS email and it still says I was part of an Adobe
password breach!!!

~~~
cynwoody
I got three hits for president@whitehouse.gov.

~~~
vacri
People put in bogus addresses when they register for things. I have a domain
that is similar to a common mash on the keyboard, and I get a steady stream of
backscatter from people signing up to things with crap@keyboardmash.org.

~~~
Nilzor
asdf.com? qwerty.org? Please don't leave us hanging :P

------
omegant
Pwned on amazon too. Thankfully it was a demo account, with an old email and
password.

------
cabbeer
Gmail also tells you your last account activity at the bottom of the page.

------
borski
We send emails to all of our customers who end up in these breaches as well.

------
wybo
This looks like a brilliant way for spammers to collect e-mail addresses...

------
NicoJuicy
Pwned on Adobe's website too.

My spam url and my real one, goddamned.

------
jheriko
How do I know this isn't a scam for collecting e-mail addresses for spam
purposes?

------
DonGateley
Adobe needs to be extinguished.

------
vladd
Any plans to add LinkedIn?

~~~
sp332
I thought emails weren't disclosed in the LinkedIn breach? You can check your
password over at
[https://lastpass.com/linkedin/](https://lastpass.com/linkedin/)

------
adelevie
Where's the API?

------
sciguy77
God damn it Adobe!

------
sbussard
Enter your email to get pwned.

------
berlinbrown
Adobe....

------
ionwake
[http://i1.ytimg.com/vi/4F4qzPbcFiA/maxresdefault.jpg](http://i1.ytimg.com/vi/4F4qzPbcFiA/maxresdefault.jpg)

