How to find out if your password has been stolen

Summary: There are many public databases of breached accounts, the largest breach being that of Adobe.com, but no way to search across all of them. Until now.

Yesterday's announcement of the discovery of a botnet command-and-control database holding user credentials for Facebook, Twitter, Yahoo, ADP and others is just the latest in a trend going back several years. You can't trust Internet services to protect your passwords; you have to protect them yourself.

This new revelation is actually rather minor compared to many others from recent years, for reasons explained by Webroot in a blog entry: the number (2 million credentials) is small compared to many of the others, with the king of the hill being the Adobe breach of as many as 150 million credentials.

Trustwave, the company that found the botnet and password database, isn't publishing it, but other breach databases are publicly available and you can search them. Better still, I have found two sites that let you search across multiple databases at once.

Troy Hunt's Have I been pwned? consolidates the databases from five major breaches for a single search:

  1. 152,445,165 Adobe accounts
  2. 859,777 Stratfor accounts
  3. 532,659 Gawker accounts
  4. 453,427 Yahoo! accounts
  5. 37,103 Sony accounts

Enter your email address and haveibeenpwned.com searches all of them and reports back. One of my addresses was in the Adobe database, but I knew that already:

[Screenshot: haveibeenpwned.com result showing the address in the Adobe breach]

I changed the password a while ago and hadn't used it on other sites.

As Hunt explains in a blog entry announcing the site, he built it in large part as an exercise in using certain Windows Azure technologies, but he believes in the service and wants to make the site as useful as is practical. He says he plans to add new databases as they become available, along with new features such as a service to alert you if your email address shows up in a database and the ability to search on a whole domain (such as '@zdnet.com').

The other site, Should I Change My Password?, is mostly a front-end for pay services. The site already has the email alert service, which they call Email Watchdog, and which appears to be free. But if you simply search for an address and it's in one of their databases they won't give you any detail, just the fact that it was in a database:

[Screenshot: shouldichangemypassword.com result reporting only that the address was found]

It seems odd that they "...can't tell you which breach your email address was compromised in," as they say in their FAQ. haveibeenpwned.com has no trouble providing this information, because the breach name is stored in its database for each breached record. shouldichangemypassword.com only stores a hash of the email address, the date of the last compromise and the number of times it was compromised (i.e., presumably, the number of databases in which it was found). This seems less useful. If I learn from haveibeenpwned.com that my Adobe account was breached, then I only have to change that password.
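To make the difference concrete, here is an added example (mine, not code from either site) of a small breach index. It stores only a hash of the normalised email address, as the article says shouldichangemypassword.com does, yet it can still answer "which breach?" because the breach name is kept beside the hash. The breach records and addresses are constructed sample data, not real breach contents.

```python
import hashlib

# Constructed sample breach records (name, ISO date, addresses); not real data.
SAMPLE_BREACHES = [
    ("Adobe", "2013-10-04", ["alice@example.com", "Bob@Example.com"]),
    ("Stratfor", "2011-12-24", ["bob@example.com"]),
    ("Gawker", "2010-12-11", ["carol@example.com"]),
]


def email_key(email):
    """Normalise (trim, lowercase) then hash, so the index holds no plaintext address."""
    normalised = email.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def build_index(breaches):
    """Map email hash -> list of (breach name, breach date) it appeared in."""
    index = {}
    for name, when, emails in breaches:
        for email in emails:
            index.setdefault(email_key(email), []).append((name, when))
    return index


def lookup_hash_only(index, email):
    """What a hash-only store like shouldichangemypassword.com reports: count and last date."""
    hits = index.get(email_key(email), [])
    if not hits:
        return None
    return {"count": len(hits), "last": max(when for _, when in hits)}


def lookup_with_attribution(index, email):
    """Same hashed key, but also names the breaches, as haveibeenpwned.com does."""
    hits = index.get(email_key(email), [])
    if not hits:
        return None
    return {
        "count": len(hits),
        "last": max(when for _, when in hits),
        "breaches": sorted(name for name, _ in hits),
    }


if __name__ == "__main__":
    idx = build_index(SAMPLE_BREACHES)
    print(lookup_hash_only(idx, "bob@example.com"))          # count 2, last 2013-10-04
    print(lookup_with_attribution(idx, "BOB@example.com"))   # adds ['Adobe', 'Stratfor']
```

Because the key is a hash of the normalised address, the index never contains the address itself, and the breach name costs nothing extra to keep.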

Perhaps shouldichangemypassword.com (a service of Avalanche Technology Group) will give you this detail as part of one of the pay services it pushes.

Regardless of your status on any of these databases, the only good strategy is to have strong and separate passwords for all services you use. Remembering all that is not humanly possible, so you'll need a password manager. I use LastPass, others I know use 1Password and RoboForm, and there are many others. I hope to write more about password managers soon.

Talkback

52 comments
  • Adobe

    Yeah, I got the dreaded email from Adobe that my account info was compromised. I immediately changed my password, and a month later got a text from my bank (BOA) informing me they had suspended my debit card due to suspicious transactions.

    I cancelled the card immediately. I also tweeted Adobe thanking them for letting my card info get stolen, but never received a reply. Not surprised, I guess.

    My gmail account was the one affected. I guess that will be the next thing I cancel. Both sites you listed DO show that address as compromised.

    Thanks for the article concerning this!
    babyboomer57
    • Duh...

      ...and, you used a debit card online, why?!
      Techboy_z
      • And why shouldn't he?

        With good account management and a watchful eye on your transactions you should be able to catch almost anything funky.

        Besides, it's virtually impossible to do any financial transaction online without giving somebody your credit/debit information. Even PayPal isn't perfectly secure.
        rockfanMCE
      • Debit Card

        Mate if you are so clever tell people why they should not use their debit card online or just shut up.
        Mail Wstship
        • re: Debit Card

          > tell people why...

          I will tell you why.

          If your *credit* card info is stolen, they have access to your issuer's cash.

          If your *debit* card info is stolen, they have access to *your* cash.

          Either way it probably will get resolved in due time. But do you want to have no money while your bank investigates the transactions?

          Don't use a debit card online.
          none none
          • debit card online

            He is correct. If they have that info, they can EMPTY your checking account. If you use a credit card you have the credit card company that will cover your back and reimburse you and go after the offender.
            Donna Elliott
          • Uhh... If you have ALL of your operating budget in ONE account...

            ...that can be compromised by a silly hacking attempt, you have FAR larger problems than using a debit card online. The only account they can compromise is the one LINKED to the debit card. So if you have *multiple* accounts, i.e. something called a savings account or an alternate checking they can't touch it.
            Playdrv4me
          • Safety with a debit card

            Have your debit card on an account separate from your main account. Keep your debit card balance just over what you need.
            Papa_Bill
          • I agree.

            That is where a prepaid debit card that you load at some retail store comes in handy.
            pfyearwood
          • Google 'virtual credit cards'

            There is no reason to use a debit or credit card... Use a virtual card that lets you specify the spending limit and expiration of the card, and can only be used by one merchant. I use a virtual MasterCard for all my online transactions - it works well.
            slowgeezer
          • I agree with you

            No one should use the Debit Card for online transactions.
            telwah@...
    • Failed

      Hi :)
      I tried an email address that I know has been used to spam people and the "Have I been pwned" site said it was fine.

      At first I had been really happy that a couple of other addresses that I was wary of had actually managed to somehow be safe, but now I am not so sure they are!
      Regards from
      Tom :)
      Tom6
      • Not necessarily

        They may have harvested your e-mail address from your facebook/twitter/google/MS/etc "friends". If that's the case all they have is your e-mail account and it wouldn't show up on one of the hacked account lists.
        DT2
  • I trust no company...

    ...whether they use strong encryption or not.

    Adobe must be stupid for using weak encryption for passwords and I despise criminals who hack into databases. I don't think it really matters if I use passwords with more than 16 characters (lower/upper-case letters and numbers). Some companies do not accept symbols, and even my password is strong without them, until all the passwords get translated to plain text from hashes in little or no time.
    Grayson Peddie
    • It is risky to do online banking

      Even if your password is not leaking, there is simple software that can be used to take over your online session just before you are trying to log off your bank account, and then they can continue to move your money to another place.
      SmilingGuy
      • Really?

        And what simple software is that? Keylogger?
        paul2011
        • Keylogger?

          Methinks it is. My Ubuntu desktop does not get infected and I don't click in links in e-mails. A spammer once attempted to send me a phishing e-mail with an e-mail address of fraud(at)aexp.com but got blacklisted by Barracuda's realtime blackhole list. I am very tech-savvy and can be very paranoid.
          Grayson Peddie
  • Password manager

    Another password manager to mention is PasswordBox. Great service, syncs to all devices, offers password generator and makes it easy to manage 100+ passwords. I have an upgraded version for unlimited passwords, but the free version - while limited in storage space - includes all the features. Happily recommended.
    Lily Armstrong
  • ...and the rest?

    I thought the stolen passwords this week involved Facebook and Google..? I don't see any mention of checking for these sites on "Have I been pwned?" or in this article. Either way, thanks for writing it.. If a site does come up for the most recent passwords theft, please do let us know! :-)
    GzyOnline
    • not available yet

      I touch on this in the article: Trustwave found the database and wrote about it, but they didn't release the database or grant any other access to it. So nobody but Trustwave can yet say who is affected.

      Remember too that the new database is from a botnet, so everyone involved had already been pwned before their credentials got stolen.
      larry@...