Check to see if your login is compromised

S0litaire Posts: 3,535 Forumite
edited 15 January 2015 at 11:23AM in Techie Stuff
Just a quick warning and some good housekeeping ;)

I got an email from Amazon last night saying it found my login email address on a list of compromised accounts (the compromised list was NOT directly Amazon related) but since the login address was the same, they reset my password as a precaution and asked me to log in and use the "recover my password" option to change my password.

I checked with Amazon customer support and the email IS legit. As a security precaution they have started to check users' logins against known lists of compromised accounts which can be found on the internet.

Seems there were a couple of hacks over Christmas, I think Dropbox (not sure) and a few other sites were hit.

Now I found a site called https://www.pwnedlist.com they have a free service that lets you log 3 email addresses to check and will alert you if they ever pop up on any list of compromised accounts. This is the company behind the "LastPass Sentry" feature in LastPass.
Other sites that do something like this are:
https://haveibeenpwned.com/
https://breachalarm.com/

I put my Amazon email in and it popped up in 4 places:
One of them was sort of OK since the password associated with it was encrypted. (It was a forum site on which I changed the password ages ago, before I cancelled the account on the forum.)
The other was from the Adobe hack a few months ago and the password was stored in plaintext!?! (I changed this password when the Adobe hack was announced!)
The last 2 looked like they were scraped from the Adobe list.

It's a good reminder to keep an eye on your email addresses and change passwords regularly! Saying that I've just checked the Username / passwords stored on my browser and found out of the 1000 logins over 100 are using the compromised Username and password. >_< most are old sites that either closed down years ago or have no personal information but a few might. >_<

So I'll be spending most of the day going through the 100+ accounts and making sure the passwords are changed. (if the sites still exist!)
Laters

Sol

"Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
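
An added example, not part of the original post: one way to run the check described above (which stored logins still use the compromised username and password) over a browser's password export. The `name,url,username,password` column layout, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample; the name,url,username,password layout is an assumed export format.
SAMPLE_EXPORT = """name,url,username,password
Old forum,https://forum.example.org/login,sol@example.com,Tr0ub4dor
Shop,https://shop.example.com/signin,sol@example.com,Tr0ub4dor
Photos,https://photos.example.net/,sol@example.com,correct-horse-9
Bank,https://bank.example.com/,sol.bank@example.com,zX8!kq2#Lm
Wiki,https://wiki.example.org/,other@example.com,Tr0ub4dor
"""

def load_logins(text):
    """Parse the export into dicts, adding the host for readable reporting."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["host"] = urlsplit(row["url"]).hostname or row["url"]
        rows.append(row)
    return rows

def exposed_logins(rows, breached_user, breached_password):
    """Hosts still using the exact breached username/password pair."""
    user = breached_user.strip().lower()
    return sorted(r["host"] for r in rows
                  if r["username"].strip().lower() == user
                  and r["password"] == breached_password)

def password_reuse(rows):
    """Map each password used on more than one host to those hosts."""
    by_password = defaultdict(set)
    for r in rows:
        by_password[r["password"]].add(r["host"])
    return {pw: sorted(hosts) for pw, hosts in by_password.items() if len(hosts) > 1}

if __name__ == "__main__":
    logins = load_logins(SAMPLE_EXPORT)
    # Report hosts only; the passwords themselves are never printed.
    for host in exposed_logins(logins, "sol@example.com", "Tr0ub4dor"):
        print("change password on:", host)
    for hosts in password_reuse(logins).values():
        print("same password shared by:", ", ".join(hosts))
```

The second report also catches the same password stored under a different username, which a search for the breached pair alone would miss. Delete the export file once the audit is done, since it holds every password in plaintext.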

Comments

  • tronator
    tronator Posts: 2,859 Forumite
    S0litaire wrote: »
    I got an email from Amazon last night saying it found my login email address on a list of compromised accounts (the compromised list was NOT directly Amazon related) but since the login address was the same, they reset my password as a precaution and asked me to log in and use the "recover my password" option to change my password.

    One more reason for having your own domain and having different email addresses for every single login.
  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    I found using a wildcard name on domain emails resulted in spam so reverted to just using a few names with each domain.

    I am guilty of using the same email on multiple sites though. I should probably use disposable emails such as https://www.guerrillamail.com/ for signups and the like but for the most part cba.

    I put my 3 most commonly used emails in pwnedlist and am happy that I don't have to spend all day changing passwords as there was nothing reported.
  • Hedgehog99
    Hedgehog99 Posts: 1,425 Forumite
    I had some spam like this supposedly from Amazon this week, but "view source" revealed otherwise. I'd be very wary of sites offering to check for me - they're probably collecting valid email addresses (because why would someone be concerned about a fake email address?) so they can send them more spam!
  • S0litaire
    S0litaire Posts: 3,535 Forumite
    tronator wrote: »
    One more reason for having your own domain and having different email addresses for every single login.

    Oddly enough I do have my own domain name (well a few) the compromised one is my oldest and the one I mainly use for forums and non important sites! Over 10 years worth of logins mount up ;)
    Laters

    Sol

  • S0litaire
    S0litaire Posts: 3,535 Forumite
    Hedgehog99 wrote: »
    I had some spam like this supposedly from Amazon this week, but "view source" revealed otherwise. I'd be very wary of sites offering to check for me - they're probably collecting valid email addresses (because why would someone be concerned about a fake email address?) so they can send them more spam!

    The main one I wrote about in my post works with LastPass so they are not that much of a risk.

    It's also a good way of alerting you if one of your main email addresses (i.e. the one you use to log in to your online email, for instance) is compromised in some way if the host is attacked.
    Laters

    Sol

  • Strider590
    Strider590 Posts: 11,874 Forumite
    Personally I use 4 different email addresses and NEVER use the same password.

    Most of my passwords are stored by my browser under a master password, except for anything money related like online banking and Paypal.
    “I may not agree with you, but I will defend to the death your right to make an a** of yourself.”

  • bod1467
    bod1467 Posts: 15,214 Forumite
    It was last discovered approximately 1 years ago, on 2013-11-11.

    Oh noes!!! :D
  • tronator
    tronator Posts: 2,859 Forumite
    edited 15 January 2015 at 6:15PM
    kwikbreaks wrote: »
    I found using a wildcard name on domain emails resulted in spam so reverted to just using a few names with each domain.

    The trick is to create a subdomain and set up the catchall there. It's highly unlikely someone guesses the name of the subdomain as it is not in the whois database.
    S0litaire wrote: »
    Oddly enough I do have my own domain name (well a few) the compromised one is my oldest and the one I mainly use for forums and non important sites! Over 10 years worth of logins mount up ;)

    See above. I have a different email for every website.
  • abibee
    abibee Posts: 441 Forumite
    Changed my Amazon pass in the New Year, after I saw a news item about possible breach for them.
    Are multiple e-mail accounts any wiser than just having separate strong passwords for every site (and your e-mail account), with LastPass? I have passwords 12 to 16 characters, mixed random upper/lower case and numbers.
  • tronator
    tronator Posts: 2,859 Forumite
    abibee wrote: »
    Changed my Amazon pass in the New Year, after I saw a news item about possible breach for them.
    Are multiple e-mail accounts any wiser than just having separate strong passwords for every site (and your e-mail account), with LastPass? I have passwords 12 to 16 characters, mixed random upper/lower case and numbers.

    I would think so because the attacker has to guess both, the email AND the password.

    Having different emails also has the advantage that you know who leaked your email address to spammers. Then just create a filter for that email address.
This discussion has been closed.