ClearScore dark web monitoring

PlatinumChaos

ClearScore reckon they've found three of my passwords on the dark web. They only provide the first and last few characters and I can't identify any of them. Are they just making it up? I can only imagine that either they want me to think that they're doing an amazing job of helping to protect my data or these passwords are so old that they're now obsolete and the accounts are probably long since inactive. Just wondering what others' thoughts are. Thanks.

ceremony

PlatinumChaos said:

ClearScore reckon they've found three of my passwords on the dark web. They only provide the first and last few characters and I can't identify any of them. Are they just making it up? I can only imagine that either they want me to think that they're doing an amazing job of helping to protect my data or these passwords are so old that they're now obsolete and the accounts are probably long since inactive. Just wondering what others' thoughts are. Thanks.

ClearScore's darkweb monitoring is real. I can vouch for that because I work in IT security myself and I've investigated some of the 'password dumps' they've claimed to have found some of my stuff in.
You can verify using a free service such as:

https://haveibeenpwned.com/

They just look for 'dumps' with your email address listed in them. So yes, some of the accounts may well be old or absolute. In some cases the password is hashed so that it's not human readable, which would be why you don't recognize them. Hashing is used to give an extra layer of protection so if a malicious person gets access to the list of usernames and passwords they aren't immediately useful to them. But, hashing isn't perfect and sometimes it is possible to figure out what the hashed password is. So it's still worth changing any passwords for accounts that ClearScore alerts you to.

I personally wouldn't pay for the service. I just use rubbish passwords for forums and other sites I don't care about and then have hard to guess, frequently changed, unique passwords for online banking. But I do check the free, single-email account offering sometimes.

[Deleted User]

Yes it's real as on some of them they have found I can recognise the passwords from ones I regularly used in the past. Some others are random strings with no clue of the service it's linked to so I've no idea where to go to change them.  

PlatinumChaos

Thank you both for the insights. Yes, I can't identify any of the passwords as belonging to a particular account so I can't change them. I just hope they're so old that they're now obsolete and the accounts have been closed or the websites no longer exist. Since I can't link the passwords to anything currently really important (e.g. online banking), I'm hoping they were just for random forums or suchlike.

[Deleted User]

They will almost always never be anything important like online banking. Mine is for low key services like bitly and imgur which I've never used for years and LinkedIn which I'm sure I deleted my account for years ago. Others are just old forums and stuff I've used years ago.

PlatinumChaos

I've just looked for my email address on the haveibeenpwned site that ceremony kindly linked. I crops up twice. With the first website, I asked it for a password reset and it said my email address wasn't on their database, so that sounds okay. For the second, it was part of the massive 711 million email address Onliner Spambot Dump in 2017. Reading up on it, it seems that many of the email addresses were probably simply harvested for the purposes of spamming, which is annoying but relatively harmless. Otherwise, like the author of the article himself, there's no real way for me to find out where my address was harvested.