Have you been pwned?

01100010 01101001 01110100 01100110 01101100 01101
  • Total Posts : 26036
  • Joined: 2006/09/17 11:23:23
  • Location: Everett, WA USA
  • Status: offline
2018/10/19 11:47:23 (permalink)

Have you been pwned?

Here's a website that will tell if and how your email address has been stolen. I checked out the site before using it, and not just on Wikipedia. It's mentioned in several security-related articles, and is legit.
Now, I fully expected my email address to be floating out there in the wild because it appears unobfuscated on some web pages (necessary for my business) and is therefore susceptible to scrapers. But I was surprised to see that it appeared in 6 different hacked databases. Not only is my email address for sale, but also my physical address and net worth (not that that would impress anybody).
I've received probably a hundred spam emails whose subject included an actual password that I'd used in the past (with music site last.fm). It was an extortion scam that threatened to expose my porn habits if I didn't give them thousands of dollars in bitcoin. I didn't give it much thought, as I am not into online porn and even if I was, I am a single guy and self-employed so there's really no threat they could hang over me. But it was still unsettling to see a real password show up in my inbox.
Of course, if I did have a paid account with TeenCheerleaderSluts.com it would piss me off that somebody else was running up charges on my credit card.
Here's what Have I Been Pwned told me:

Breaches you were pwned in


Anti Public Combo List (unverified): In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I been pwned.
Compromised data: Email addresses, Passwords

Apollo: In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data.
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Salutations, Social media profiles

Exactis: In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages

Last.fm: In March 2012, the music website Last.fm was hacked and 43 million user accounts were exposed. Whilst Last.fm knew of an incident back in 2012, the scale of the hack was not known until the data was released publicly in September 2016. The breach included 37 million unique email addresses, usernames and passwords stored as unsalted MD5 hashes.
Compromised data: Email addresses, Passwords, Usernames, Website activity

Modern Business Solutions: In October 2016, a large Mongo DB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phone numbers. The data was subsequently attributed to "Modern Business Solutions", a company that provides data storage and database hosting solutions. They've yet to acknowledge the incident or explain how they came to be in possession of the data.
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Job titles, Names, Phone numbers, Physical addresses

NetProspex (spam list): In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them. It contained extensive personal and corporate information including names, email addresses, job titles and general information about the employer.
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses


All else is in doubt, so this is the truth I cling to. 

My Stuff

5 Replies Related Threads

    Max Output Level: -72 dBFS
    • Total Posts : 920
    • Joined: 2004/01/27 07:15:30
    • Location: Scotland
    • Status: offline
    Re: Have you been pwned? 2018/10/19 12:48:42 (permalink)
    I've had similar emails.
    From what I can work out, only one of the passwords was the first 8 characters of an old one I used with LinkedIn, which had been hacked at some point. The other passwords were ones I'd never used.
    They've obviously used some sort of a reverse lookup on the password hash to get the password.
    The key thing for me that it was bs, was that the scam email said they had footage of me via my web-cam. Up until recently, my laptop hasn't had a webcam. My current one does, but it's got a cover on it.
    What is worrying however, is that it's obvious some sites are only hashing the first 8 characters of my password, which kind of goes in the face of all the advice about having a longer password to make it harder to hack!

    Mark McLeod
    Cakewalk by BL | ASUS P8B75-V, Intel I5 3570 16GB RAM Win 10 64 + Win 7 64/32 SSD HD's, Scarlett 18i20 / 6i6 | ASUS ROG GL552VW 16GB RAM Win 10 64 SSD HD's, Scarlett 2i2 | Behringer Truth B2030A / Edirol MA-5A | Mackie MCU + C4 + XT | 2 x BCF2000, Korg NanoKontrol Studio
    Max Output Level: -82 dBFS
    • Total Posts : 404
    • Joined: 2015/01/17 16:16:46
    • Status: offline
    Re: Have you been pwned? 2018/10/19 21:28:22 (permalink)
    Apparently I've been Pwned on 1 breached site and found in 1 paste. Both seem to lead to an Everton FC  fan site that I haven't logged on to in years.
    I've never received any scam emails or even any spam in years. And I've got nothing to steal. 

    I'm off to see the Wibble, the wonderful Wibble of Wobble
    Max Output Level: -72 dBFS
    • Total Posts : 914
    • Joined: 2015/09/01 11:00:11
    • Location: Nova Scotia, Canada
    • Status: offline
    Re: Have you been pwned? 2018/10/19 22:17:53 (permalink)
    The key thing for me that it was bs, was that the scam email said they had footage of me via my web-cam. Up until recently, my laptop hasn't had a webcam. My current one does, but it's got a cover on it.

    I got an email like that a couple weeks ago. It sounds convincing, and scary.  But if they did get into my web cam they would only see nothing since it's always covered with black tape. And the built-in mic is disabled, so they wouldn't hear anything, either. 

    DAW: Cakewalk by Bandlab (latest version) - x64
    VST: Roland Sound Canvas VA
    Hardware: Roland MC50mkII Sequencer; Yamaha DGX-660 keyboard; Steinberg UR-44 Interface
    OS: Windows 10 Home 64-bit
    Max Output Level: -78 dBFS
    • Total Posts : 621
    • Joined: 2005/07/05 20:11:34
    • Location: North Texas
    • Status: offline
    Re: Have you been pwned? 2018/10/19 22:30:33 (permalink)
    I wonder how accurate it is as it shows one of my email addresses in 7 databases. However, most of them are unknown sites and I have never signed up for anything from them. Are we sure this is not just some marketing attempt to get people to use 1password?
    I know it is a garbage email address as it was being spoofed 20 years ago. If you all look in your spam folder you will likely see something that looks like was sent from me. But, I have never heard of or signed up or ... from any company named Apollo or Exactis or most of the others.

    -When the going gets weird, the weird turn pro.

    Sonar Platinum / Intel i7-4790K / AsRock Z97 / 32GB RAM / Nvidia GTX 1060 6GB / Behringer FCA610 / M-Audio Sport 2x4 / Win7 x64 Pro / WDC Black HDD's / EVO 850 SSD's / Alesis Q88 / Boss DS-330 / Korg nanoKontrol / Novation Launch Control / 14.5" Lava Lamp
    01100010 01101001 01110100 01100110 01101100 01101
    • Total Posts : 26036
    • Joined: 2006/09/17 11:23:23
    • Location: Everett, WA USA
    • Status: offline
    Re: Have you been pwned? 2018/10/23 23:43:42 (permalink)
    Your email address may have been passed along by a company you've actually had a legit relationship with. Your bank, credit card issuer and insurance company are probable offenders. Amazon sells your information, too. 

    All else is in doubt, so this is the truth I cling to. 

    My Stuff
    Jump to:
    © 2024 APG vNext Commercial Version 5.1