They should really accept a hash of your email/username to look up. Then we can get an idea of whether we've been pwned without giving additional information if we haven't been.
I'm not sure how that would help. They would have to generate a matching hash on their end, giving them a lookup table to work backwards from hash to email address.
Now if they wanted to supply a list of hashes to the public, then you could check your own without knowing any of the other addresses used to generate the remaining hashes.
Yes, but they would already have your e-mail address anyway. Lookup by hash precludes the case where you're giving them information they didn't already have.
True. I was more referring to it being a confirmation that this is an email address that anyone cares about.
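The exchange above weighs a hashed lookup against the objection that the site can precompute hashes of every address it knows. One way to limit what a single query reveals is a range (k-anonymity) lookup: the client sends only the first few hex characters of the hash, the server returns every suffix in that bucket, and the match is made locally. The Python below is an added example written for this page, not code from the site under discussion or from any poster; the server class, the five-character prefix, and the sample "breached" addresses are assumptions.

```python
import hashlib

# Constructed sample of addresses the hypothetical server holds as breached.
BREACHED_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]

PREFIX_LEN = 5  # hex chars sent to the server; the remaining 35 stay on the client


def normalize(email: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """Uppercase hex SHA-1 of the normalised address (assumed scheme for this example)."""
    return hashlib.sha1(normalize(email).encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Stores only hashes, bucketed by prefix. It never receives a full client hash."""

    def __init__(self, emails):
        self.buckets = {}
        for e in emails:
            h = email_hash(e)
            self.buckets.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
        self.requests_seen = []  # what the server learns from clients: prefixes only

    def range_query(self, prefix: str):
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex chars" % PREFIX_LEN)
        self.requests_seen.append(prefix)
        return sorted(self.buckets.get(prefix, set()))


def client_check(server: BreachServer, email: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes at home."""
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


if __name__ == "__main__":
    srv = BreachServer(BREACHED_EMAILS)
    print(client_check(srv, "Alice@Example.com "))  # True
    print(client_check(srv, "nobody@example.com"))  # False
    print(srv.requests_seen)  # two 5-char prefixes, no full hashes
```

The server learns only which of the 16^5 buckets the address falls into, which is recorded in `requests_seen`. This does not overturn the point made in the thread: because candidate addresses are easy to enumerate, hashing an address never hides it from someone who already holds a list of addresses; the range query only limits what a lookup itself leaks.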
If I wanted to be truly malicious I'd have my online checker return a "Nope, you're all good" and then add that email address to the short list of accounts to go after.
Unless you use different usernames/email addresses for all the websites you sign up for, this website isn't any more or less random than any of the hundreds of websites you've punched your ID into (and of which some, more likely than not, have been compromised).
Turns out that the leaked "gmail" password was my old password used for unimportant websites and this was never used with the gmail-account itself. So apparently one of those unimportant websites was hacked and the email/password was then grabbed. No way to tell which site that was since haveibeenhacked.com does not include that information, but instead makes it appear that the actual gmail password is/was compromised.
Hey, that's a great idea! Try and use some indicator in the password you choose so that when your password is revealed you know who it is :) Probably hard to do in practice, but I'm going to keep that in mind next time I visit a site and use a throw-away password.
Use a better email service. For example I use my own domain with all email going to me. Consequently I can use site1@my.domain for one site, site2@my.domain for another. Makes it real easy to see who has been sharing things.
I threw http://amihacked.org/ together yesterday to give people a way to find out their leaked passwords. It would be cool to figure out where these came from since it does appear to not be gmail accounts.
Some dark hat guy could use the emails collected on a site like this for targeted phishing attacks. Now that I have entered my email there, this reveals that I'm aware of these certain security incidents (the site reported that my email and some personal information had been compromised).
Now if somebody would approach me on this topic, they might have a chance of fooling me to give some further details about myself.
The benefit from this kind of targeting would be to avoid hitting the spam filters. If they just spammed their message to random addresses, people would flag them as junk mail and good email providers would quickly filter them out.
People who know "pwned" are probably more resistant to phishing attacks than the average schmuck.
Also, a lot of the material entered into the site will be fake. This is not a good way to harvest genuine e-mail addresses.
Not only is it open to fake addresses, but it is open to deliberate spam-trap addresses: addresses whose only purpose is to detect spam. I can generate a fake address "nothanks@<mydomain>" and feed it to this site (or, generally, allow this address to be widely harvested).
Then, whenever an SMTP request comes in with a "RCPT to: nothanks@<mydomain>", I can drop the connection and ban the IP address for 7 days. Any use of that address is 100% spam; no legitimate sender knows this address.
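The trap-address rule described above (drop the connection on a `RCPT TO` naming the trap, then ban the source IP for 7 days) as a decision function an SMTP server could call per recipient line. This is an added example for this page, not any poster's code and not the configuration of a real MTA; the trap address, the IP addresses, the injected clock, and the accept/reject/drop return values are assumptions.

```python
import re
import time
from datetime import timedelta

BAN_SECONDS = int(timedelta(days=7).total_seconds())

# Constructed trap address: never handed to a real correspondent, so any
# delivery attempt to it is spam by definition.
TRAP_ADDRESSES = {"nothanks@example.net"}

# "RCPT TO:<user@host>" plus sloppy variants ("RCPT TO: user@host"); any
# ESMTP parameters after the address are ignored.
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<?([^<>\s]+)>?", re.IGNORECASE)


def parse_rcpt(line: str):
    """Return the recipient from an SMTP RCPT TO line, lowercased, or None if malformed."""
    m = RCPT_RE.match(line.strip())
    if not m:
        return None
    return m.group(1).lower()


class TrapFilter:
    def __init__(self, traps, ban_seconds=BAN_SECONDS, clock=time.time):
        self.traps = {t.lower() for t in traps}
        self.ban_seconds = ban_seconds
        self.clock = clock            # injectable so the expiry can be tested
        self.bans = {}                # ip -> unix time at which the ban lapses

    def is_banned(self, ip: str) -> bool:
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.bans[ip]         # ban has expired; forget it
            return False
        return True

    def on_rcpt(self, ip: str, line: str) -> str:
        """Decide what to do with one RCPT TO line from `ip`.

        Returns "drop" (close the connection), "reject" (malformed line),
        or "accept" (let normal recipient handling continue).
        """
        if self.is_banned(ip):
            return "drop"
        rcpt = parse_rcpt(line)
        if rcpt is None:
            return "reject"
        if rcpt in self.traps:
            self.bans[ip] = self.clock() + self.ban_seconds
            return "drop"
        return "accept"


if __name__ == "__main__":
    f = TrapFilter(TRAP_ADDRESSES)
    print(f.on_rcpt("192.0.2.10", "RCPT TO:<NoThanks@Example.net>"))  # drop, and 192.0.2.10 is banned
    print(f.on_rcpt("192.0.2.10", "RCPT TO:<real@example.net>"))      # drop: still banned
    print(f.on_rcpt("192.0.2.11", "RCPT TO:<real@example.net>"))      # accept
```

The comparison is case-insensitive because the local part of the trap address is only meaningful to this server, and a spammer who harvested it in mixed case should still trip it. The clock is injectable so the 7-day expiry can be exercised without waiting.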
If I were to run this scam, I would only add addresses that were checked and matched a known leak. This would both give me a known good address and also an idea of what kind of person you are. If you're the type to check your email address against known leaks then I would know exactly how to attack you.
This simply has emails from other lists that have been floating around. For example, the adobe set is from the adobe breach where emails were in the clear.
The dark hat guys already have this list. And likely some passwords, which this site doesn't ask for.
This means they could be very, very targeted with an email/social phishing attack to try and get a newer password or other account information by referencing the previously compromised site. It could help the bad guys establish trust. A bit tinfoily but well within the realm of possibilities if the lookups on this site are logged.
Look through your browser or password manager for all the accounts whose randomly generated passwords it remembers. If you're not already generating random passwords and having your browser remember them, now would be a good time to start, since you're finding and updating all your accounts anyway.
For the accounts you already have: also include "welcome", "password", and "log in"/"login"/"sign in". You might also search for mail containing your email address in the body.
Also skim through the top 1000 sites or so, to jog your memory if you have accounts with those services.
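The mailbox search suggested above can be scripted rather than done by hand. The Python below is an added example, not any poster's code: it parses raw RFC 822 messages, flags the ones whose Subject contains the suggested words or whose body mentions your own address, and returns the sending domains as a starting list of accounts to revisit. The keyword list and the four sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Subject fragments that usually mark sign-up or credential mail (assumed list).
SIGNUP_WORDS = ("welcome", "password", "log in", "login", "sign in", "verify your")

# Constructed sample mailbox: four raw messages as they would sit in an mbox.
SAMPLE_MESSAGES = [
    "From: Example Shop <noreply@shop.example>\n"
    "To: me@my.example\n"
    "Subject: Welcome to Example Shop\n"
    "\n"
    "Thanks for signing up.\n",
    "From: friend@mail.example\n"
    "To: me@my.example\n"
    "Subject: lunch?\n"
    "\n"
    "See you at noon.\n",
    "From: support@forum.example\n"
    "To: me@my.example\n"
    "Subject: Your account details\n"
    "\n"
    "Your username is me@my.example and you can change it any time.\n",
    "From: alerts@bank.example\n"
    "To: me@my.example\n"
    "Subject: Reset your PASSWORD\n"
    "\n"
    "Click the link to reset.\n",
]


def message_body_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a parsed message (HTML-only mail yields '')."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def looks_like_account_mail(msg, my_address: str) -> bool:
    """Subject keyword match, or the body mentions the address the account was opened with."""
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in SIGNUP_WORDS):
        return True
    return my_address.lower() in message_body_text(msg).lower()


def sender_domain(msg) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def find_account_domains(raw_messages, my_address: str):
    """Sorted list of sender domains for messages that look like account mail."""
    domains = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if looks_like_account_mail(msg, my_address):
            domain = sender_domain(msg)
            if domain:
                domains.add(domain)
    return sorted(domains)


if __name__ == "__main__":
    print(find_account_domains(SAMPLE_MESSAGES, "me@my.example"))
    # ['bank.example', 'forum.example', 'shop.example']
```

The second message is skipped because neither its Subject nor its body matches, while the third is caught only by the body check, which is why the thread recommends both. Expect false positives from newsletters that say "welcome"; the output is a list to review, not a list of confirmed accounts.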
Interesting case of suggestion bias... when faced with such a website name, you are reluctant to give out your email which you would do when signing up to some other site. Except...
1) This site asks for the email address that you CARE about
2) It specifically has people self select for caring about being pwned
How is it more dangerous to alert people about their pwnage and encourage them to change their passwords? It's easier to attack someone who doesn't know they're being attacked.
I can change my password anyway. How would this website possibly know about all the pwnage going on in the world? It doesn't even give details as to what the databases are, until I provide my info.
For the record, I am not arguing against THIS particular site, which does seem legit based on the other tabs on the site and the kind of things it talks about, but still, these are general things to keep in mind.
Bad guys already have these email addresses. That is the point. And likely the bad guys already know which email addresses you care about. Or it doesn't matter.
Well for one thing you are providing your email address to a website, which might later sell it as a "high quality" i.e. personal email to receive SPAM.
By contrast, when I sign up to a service, I can start out using some throwaway email or even a mailinator.com email. Here, I have to put in the ones I care to protect.
This is a bit like those services that say "enter your domain name and we'll check if it is registered" and then front-run you in registering it!
And mine is listed with a password that I used in combination with the Gmail address as a username, but never as the password to log into Gmail with. So it doesn't seem like this is a dump from Google, but rather from sites requiring email addresses to sign up with.
Doesn't raise any red flags for me. As someone else pointed out, it's trivial for someone to collect emails or find your email. Heck, this latest dump has 5 million of them...
E-mail addresses are not secrets and were never intended to act that way, so I don't care if they are harvested.
I operate several mailing lists that allow postings from non-subscribers, to addresses that are easily harvestable from the web. Yet, the "mean time between spams" is on the order of many months.
I also use my real e-mail address in the From: header of Usenet postings.
I simply don't have a problem with spam because of my mail server's terrific anti-spam setup.
The point is that the bad guys already have the stuff that he has put out there. Now you can see as well.