
So, can someone answer this for me?

I have a personal domain on google apps. The login ID is different than the email address I use/advertise.

e.g. my username for login is first-initial+last-name@[domain].com

But the email address I use for everything on that account is first-name@[domain].com

This service states that my account was compromised on 12/12/2010 most recently at the first-name@[domain].com though you could not login to my account with that email address...

So - how valid is such a check? Also - without it showing what information it is checking against, it feels really spammy, as if they are asking you to enter your email for a "check" knowing that you will enter a valid email - then they harvest the email as valid for spam.

It's referencing these sources: https://shouldichangemypassword.com/sources.php

To me this means that my password is out there, and now a part of someone's dictionary. Change all places where that password is used immediately. I am currently moving to LastPass with randomly generated 16-32 char passwords for every site. It's less of a pain than one might think.


It says it's using the perlmonks.org database, and I _know_ my password was revealed there (thanks to me foolishly reusing it on twitter), but it's not showing that against my email address...

I think the site is referring to some service/site that got hacked recently and that you signed up for with the first-name@[domain].com email address and not to the email account itself.

Then it makes it COMPLETELY useless information. You know how many thousands of sites I used various email addresses on, clearly everyone else is the same.

It should tell you which sites were compromised such that you can ID if you used your email at any of said sites.

Just saying ambiguously that there was a site which may have been compromised out of the 2 billion sites online is laughable.

I would argue that it's not completely useless as the average person re-uses the same password everywhere. Even if you do it across a small number of sites it could easily start a chain reaction.

In fact, I would say that prompting the average person to change some passwords either way, is a good thing.

When in doubt, change your password. Then change it again.

I got the exact same date for my gApps-hosted domain. Odd.

That's the date of the Gawker hack.

So any Google-served address is marked as vulnerable because of the Gawker hack?

No, the google address is a red herring. My non-google account is listed as compromised on the same date due to a Gawker account I had registered. Many google accounts were compromised in other events on other dates.

My mistake. I thought my Gawker account was on another address, but a quick search shows I got the hint.io mail on 12/13.
