Icon Fame Journal.

Juicy entertainment chatter with tabloid flavor.


Over 1 billion login credentials leaked: here’s how to see if you were compromised

By Emily Bell

By Darragh Murphy 10 June 2021

The ‘RockYou2021’ password leak exposed 8.4 billion private login entries


Update on Thursday, June 10: Password protection experts at cybersecurity company Specops Software reached out to Laptop Mag providing further details about the “RockYou2021” breached password leak. According to Specops’ research, the compilation of passwords leaked on the hacker forum is confirmed to be a combination of various words and phrases found on Wikipedia and other previously known leaked lists. This suggests the 100GB TXT file does not contain previously unknown breached passwords. Specops notes hackers could use any of the 8.4 billion words and phrases in a brute force malicious attack, but this should not pose a greater risk than before the leak. What follows is the original story.

A massive collection of passwords has leaked online, after a user posted 8.4 billion password entries onto a popular hacker forum. Exposed credentials could include private login information for Gmail, Facebook, Apple, Paypal, and more.

The forum user posted a 100GB TXT file and has dubbed the leak “RockYou2021,” which is a reference to the RockYou data breach in 2009 that exposed 32 million user passwords in a similar manner. The passwords are all up to 20 characters long, and can easily be searched within the file.


Spotted by cybersecurity news website CyberNews (via BGR), the report claims this is the largest collection of leaked passwords of all time. Initially, the leaker stated there were 82 billion passwords on the forum, but researchers have found there are only 8,459,060,239 unique entries.

The report does not state how the hacker obtained these passwords, or whether all of these password entries are real. However, with the number of leaked password entries in the billions, there is a good chance many online users’ login credentials are on the hacker forum.

Unfortunately, many users potentially use the same password for many different platforms, meaning everything from social media profiles to cryptocurrency accounts are at risk.

Check if your password is leaked

RockYou2021 potentially exposed billions of online users’ credentials, so it’s best to check if your personal data and password are part of the leak. If so, you’ll want to change your credentials.

To see if your password has been exposed in the leak, you can use the reliable website Have I Been Pwned? to check whether your email or phone is part of a data breach. CyberNews also set up a personal data leak checker and a leaked password checker.

The cybersecurity site states it is still uploading password entries from RockYou2021 to its database. If your password does not show up in the checker, be sure to check again later, as the password may not have been uploaded yet.

Having a password manager can help bolster your security. LastPass used to be the go-to for years thanks to its free-tier service, but there are now other contenders worth checking out.

It is also recommended users use two-factor authentication. Just be sure not to use your phone number, as that will lead to even more low-level hacks.


With billions of records compromised in data breaches, how do you know if your password has been stolen?

Passwords are a necessary evil as far as our increasingly connected lives are concerned. Yet with data breaches exposing more than 4 billion records, including passwords, during the first six months of 2019, they are also a weak link when it comes to security. There is a booming criminal trade across dark web markets in compromised login data, which should come as no surprise, as password reuse is rife: it was recently revealed that more than 44 million Microsoft account holders had been found using recycled passwords. This kind of login credential duplication is a gift for hackers, who can then use one known, stolen password against multiple different accounts with a good chance of gaining access to some of them. That chance is increased if you happen to be using one of the world’s top 100 worst passwords found within data breach credential databases. All of which begs the question: how do you know if any of your passwords have been stolen?

Check with Troy Hunt’s Have I Been Pwned (HIBP) site

Troy Hunt, a Microsoft regional director and MVP, created the Have I Been Pwned searchable data breach database in December 2013. With 150,000 visitors every day, three million email subscribers and details of more than 9 billion compromised accounts it is, by far, the biggest and most popular way to find out if your password has been stolen. You start by simply entering your email address or username, and within seconds details of any data breaches that your credentials were stolen in will appear. Don’t worry though, the passwords that correspond to your email address are not stored in the database so as not to add to the risk of further compromise. You can, however, also search for your actual passwords in the related “Pwned Passwords” service that Troy also operates. Thanks to the use of a mathematical property called k-anonymity and the help of Cloudflare, you don’t have to be concerned about entering your real password into the search box. You can read the technical explanations here, but be reassured that the search is safe and the password you search for cannot be connected to you. The same Pwned Passwords function can be used within the 1Password password manager. Talking of which.

Use the 1Password password manager

Using a password manager is recommended by numerous security experts as a way of not only storing passwords in a securely encrypted database, but also of generating truly random, complex and unique passwords for every site and service. However, there’s another reason you might want to use 1Password: it will also warn you if any of your passwords have been compromised. The Watchtower feature built into 1Password hooks into the Pwned Passwords search previously mentioned. Rather than having to manually enter every password you use in order to check if it has been stolen or not, Watchtower automates the process in the background. It gets updated whenever a new security breach is reported and added into the Have I Been Pwned database, immediately and automatically alerting you if your password has been found.
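The k-anonymity lookup behind Pwned Passwords, which Watchtower automates for a whole vault, sketched as an added example (not code from the article, Have I Been Pwned or 1Password): the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent to the range endpoint, and the match is made on the client. The `fetch_range` callback and `make_offline_range_service` are hypothetical stand-ins for the HTTP call so the example runs offline, and the breach counts are constructed.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

HEX = set("0123456789ABCDEF")


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping junk."""
    found: Dict[str, int] = {}
    for raw in body.splitlines():
        suffix, sep, count = raw.strip().partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != 35 or not set(suffix) <= HEX:
            continue  # malformed line: ignore rather than trust it
        if not count.isdigit() or int(count) == 0:
            continue  # a count of 0 marks a padding entry, not a real hit
        found[suffix] = int(count)
    return found


def check_passwords(passwords: Iterable[str],
                    fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Return {password: times seen in breaches}; 0 means not found."""
    by_prefix: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for pw in passwords:
        prefix, suffix = split_hash(pw)
        by_prefix[prefix].append((pw, suffix))
    results: Dict[str, int] = {}
    for prefix, entries in by_prefix.items():
        # One request per distinct prefix; the service never sees a full hash.
        candidates = parse_range_response(fetch_range(prefix))
        for pw, suffix in entries:
            results[pw] = candidates.get(suffix, 0)  # compared locally
    return results


def make_offline_range_service(breached: Dict[str, int]):
    """Hypothetical offline stand-in for
    GET https://api.pwnedpasswords.com/range/<prefix>.
    `breached` maps constructed sample passwords to constructed counts."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        index[prefix].append(f"{suffix}:{count}")
    seen: List[str] = []  # everything the "server" ever learns

    def fetch_range(prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("range queries take exactly 5 hex characters")
        seen.append(prefix)
        lines = list(index.get(prefix, []))
        lines.append("0" * 35 + ":0")  # constructed padding entry
        lines.append("F" * 35 + ":3")  # constructed unrelated hash, same prefix
        return "\r\n".join(lines)

    return fetch_range, seen


if __name__ == "__main__":
    # Constructed sample data: these counts are not real breach statistics.
    fetch, seen = make_offline_range_service({"123456": 42, "Dave1": 7})
    vault = ["123456", "Dave1", "unlikely-constructed-passphrase-91"]
    for pw, count in check_passwords(vault, fetch).items():
        print(f"{pw!r}: {'seen %d times' % count if count else 'not found'}")
    print("prefixes sent:", seen)
```

Swapping `fetch_range` for a function that performs the real HTTPS request is the only change needed to query the live service.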

Use the Google Chrome web browser

Google has always been on the ball when it comes to security audits and password security. I have previously written about how the Google Chrome web browser had been updated so as to include a password checkup feature to check if your password had been compromised. That worked well for anyone who also used the Google Chrome password manager to save your passwords. But things have just got better, and the latest version of the browser, Chrome 79, will now warn you if your web passwords have been stolen without having to save them to the browser first. The new feature will warn you of the presence of a password in a breach compromise database of some 4 billion entries, as you start logging into a site. The feature is still being rolled out, but everyone should have access to it very soon. You can check by going to the browser settings under “Sync and Google Services.”

Keep your passwords unique, and keep them secure

The sad truth, despite all of the above, is that there is no bulletproof method of knowing for sure if one of your passwords has been compromised. While the methods mentioned will keep you as informed as it is possible to be, they cannot be relied upon to be 100% accurate. Why not? The simple answer is that they can only look for credentials that are in the databases they reference. Those databases can only be populated with known, validated, breach records that have found their way onto the dark web or otherwise been shared with the service operators. There will inevitably be a delay between a breach occurring, credentials being stolen, and them ending up in those databases. Assuming, that is, they are not kept out of the public eye by threat actors who may want to exploit them for their immediate gain, or perhaps compile them into a larger database to command a higher value at a later date.

by Sarah Katz, Tech Xplore

Back in 2009, threat actors hacked into the website servers of social app RockYou, accessing over 32 million user passwords stored in plaintext. Now, in what appears to be the largest data breach in history, attackers have compromised 262 times as many passwords. With 3.2 billion leaked passwords from multiple databases, this attack has been dubbed RockYou2021.

As only 4.7 billion users utilize the Internet, that means RockYou2021 could actually involve the passwords of nearly twice the global population. Therefore, users should immediately check to see whether their passwords were affected by this leak. Users can check for password compromise using the website Have I Been Pwned or the CyberNews personal data leak checker.

Threat actors can take advantage of the RockYou2021 password collection by combining 8.4 billion unique password variations with existing breach compilations of email addresses and usernames. The hackers could then use these credentials for dictionary and password spraying attacks against an unknowable number of online accounts.

So far, research suggests that all of the passwords involved in this leak have non-ASCII characters between 6-20 characters each, with white spaces removed.

If you believe that one or more of your passwords may have been compromised in the RockYou2021 breach, you can take mitigation steps by immediately changing your passwords for all of your online accounts. In fact, using a password manager can help you create strong, complex passwords that don’t have to be easy to remember. Furthermore, you can enable two-factor authentication (2FA) on all of your accounts.

Finally, as always, make sure to always closely examine all unsolicited spam emails, calls and text messages for potential phishing activity. Most importantly, never click on links or download any executables in messages that you weren’t expecting or from senders you don’t recognize.


What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries:

The compilation itself has been dubbed ‘RockYou2021’ by the forum user, presumably in reference to the rockyou2021.txt filename containing all passwords and to the infamous RockYou data breach that occurred in 2009, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text.

An example of leaked passwords included in the RockYou2021 compilation:


With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever. Its 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in the RockYou2021 compilation that has been amassed by the person behind this collection over several years.

Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak.

How to check if your password was leaked?

Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker or our leaked password checker.

Note: We take our readers’ privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, nothing is logged when you perform a leak check.

Potential impact

By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts.

Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if not billions.

What to do if your password was leaked?

If you suspect that one or more of your passwords may have been included in the RockYou2021.txt collection, we recommend taking the following steps in order to secure your data and avoid potential harm from threat actors:

  • Use our personal data leak checker and leaked password checker to see if your data has been leaked in this or other breaches.
  • If your data has been compromised, make sure to change your passwords across your online accounts. You can easily generate complex passwords with our strong password generator or consider using a password manager.
  • Enable two-factor authentication (2FA) on all of your online accounts.
  • Watch out for incoming spam emails, unsolicited texts, and phishing messages. Don’t click on anything that seems suspicious, including emails and texts from senders you don’t recognize.


Find out with Avast Hack Check

Just enter your email and we’ll check to see if any accounts linked to it have been compromised.

How it works

A website you use gets hacked.
Your login details are leaked online.
We find it and alert you immediately.


What can hackers do with your data?


How to secure your passwords?


Take control of your personal info


You may also be wondering…

Every year, billions of login details from hundreds of websites are taken in hacker attacks. These stolen email addresses, passwords, and other account details are then exposed on the dark web or sold on the black market, where criminals pay to gain access to your sensitive data. Companies or organizations you do business with can also leak or publish their users’ sensitive information by accident.

If criminals get a hold of one of your accounts, they can potentially impersonate you, message your contacts, access your cloud storage, steal your money, and even jump to your other accounts. That’s why we take password safety so seriously.

Sadly, the most common sign you’ve been hacked is often nothing. While companies will often announce when they’ve been hacked or suffered a leak, they usually don’t do it right away — sometimes months can pass before they come public with that knowledge, and in that time, hackers could be doing anything with the stolen data. They also won’t typically tell their customers whose data was specifically lost in each leak: they just expect that everyone who uses their service should change their passwords.

That said, there are two ways to tell for sure if you’ve been hacked: one is to suddenly find yourself the victim of identity theft, which is less than ideal. The second, more preferred method, is to use a service like Avast Hack Check, which collects data from all around the internet to identify if your details have been posted online or were subject to any leaks.

Avast Hack Check notifies you automatically if your password is compromised, so you can secure your accounts before anyone can use your stolen passwords. As the world’s largest consumer security company, we can securely check if any of your login details appear in our database of password breaches, then find out if your accounts are at risk, and therefore help keep your accounts safe — and you can trust us not to share your email address with anyone, or leak passwords ourselves, obviously.

What else can you do? Try our free strong password generator, to create less hackable passwords or do it yourself with our DIY strong password guide. Brush up on your phishing scam-spotting skills so you don’t get tricked by fakes.

See, when details like this are leaked, the data that’s lost is almost always encrypted: which means that hackers have to un-encrypt the data in order for it to be useful. This is why it’s often faster and more profitable to simply sell the encrypted data for a quick paycheck, rather than steal anything themselves. Even if they do decide to decrypt the data, any strong passwords could take years — or even decades — to be decrypted. So if you’ve got a strong password, you could actually get “hacked” and be fine for a long time.

That said: if you have a weak password, things get bad. A simple password — or worse, a common password like “123456”, can be decrypted in seconds. With this and your email, they can access any account that uses that email/password combination, pilfering your data, stealing your identity, and ransacking your digital life. Just another reason to make sure every account has a unique password.

A villainous hacker can do a lot with a simple email address.

  • They can try to “brute force” their way into any number of online accounts by using a list of commonly used passwords, giving them access to your digital life if yours isn’t strong and unique.
  • They can add your email to a spam mailing list to earn a quick buck.
  • They can set up a fake social media account for you and trick your friends or family into downloading malware, or giving them cash or information.
  • They can send you phishing emails to trick you into downloading malware that could steal your data, or hold it ransom for money.
  • Or they could sell it to other hackers on the dark web who’ll do all those things instead.

If Avast HackCheck comes back with a positive result, here are the next steps for what to do:

  1. Don’t panic. You have everything you need to come to grips with the situation.
  2. Go to the email account you just checked and open the email report we’ll send you. It’ll contain dates and passwords that have been leaked.
  3. Check the passwords that have been leaked. If you’re still using the same password for the same account, change it immediately. Do this for every leaked password and account. If hackers have changed your password for you in an attempt to lock you out, contact the site for help.
  4. Double-check that any of the hacked accounts don’t have anything important linked or saved to them, like a credit card number. If they do, contact the appropriate authorities.
  5. If you feel inclined, you can also immediately report any cybercrime you’ve encountered to the authorities.

By John Grennan, February 16, 2021

Earlier this month it was revealed that hackers now have access to over 3 billion emails and passwords. This is being called the largest data breach of all time and actually consists of a combination of smaller data breaches that have occurred over the past several years. It has been named the Compilation of All Breaches, or COMB, and odds are that your email and password are included.

To test this I checked both my private Gmail account and my business IT.ie account using the free tool, Have I Been Pwned. What I found was that my private Gmail address had been compromised in several breaches; however, luckily my business Outlook account has not been compromised. Pwned is a great tool and lists any data breach where your credentials were compromised.

In this post, I will look at some of the ways you can mitigate against a data breach of your credentials.

Use the Underpants Rule

The underpants rule is straightforward and involves only 3 easy to follow steps that are good practice for both password protection and underwear, in general. So, treat your passwords like your underpants.


Change them often – Set a policy in place whereby passwords must be changed every 30, 60 or 90 days. By doing this you are not preventing a compromise but given that most people won’t know for months or even years that their credentials have been compromised, it narrows the window whereby the compromise could be of harm to you or your organisation.

Don’t share them with anyone – It isn’t always good to share and just as you shouldn’t share your underwear, never share your passwords.

Don’t leave them lying around – Don’t write your password on a post-it note and leave it stuck to your screen or under your keyboard.

Creating Strong Passwords

You might think “Dave1” or “Siobhan29” is a secure password. It’s not. Contrary to popular opinion, adding special characters like *$&@!_ alone will not help you very much either.

Here are some essential tips for creating a strong, unguessable password:

  • Include letters (lower and upper case), numbers, and symbols. Turn Dave1 into @[email protected]#$ instead.
  • Make it 12 characters, minimum.
  • STOP USING YOUR LOVED ONES OR PET’S NAMES.

Use a Password Manager

Creating complex passwords, as shown above, does create its own problems, as you can’t easily remember them, which makes it more likely that you’ll note them somewhere that itself can be seen or compromised. A password manager is a great tool that allows you to both create and store your complex passwords safely and securely. I’ve been using LastPass via the Chrome extension (also works with Edge) for a few years now and honestly don’t know how I could work efficiently without it. Plans start from free, and all your logins are stored in the tool’s vault. When signing up to new online accounts it both suggests and stores your complex passwords and allows for seamless logins to the various sites you are connected to. There are plenty of good password managers available from free, so do a bit of research and pick one that works for you.

Protect your Devices

Whether it’s your laptop, desktop, phone or any device that has your login credentials, NEVER LEAVE IT UNSECURED. Did you know that all you have to do on an open device is open chrome://settings/passwords in the address bar and your login credentials are there for the world to see? Most devices now have a mix of PIN and biometric security locks to allow access, so make sure that at least one is enabled and ensure that your device locks after a maximum of 5 minutes of inactivity.

While I hate to say it, hackers are pretty clever and are always coming up with new ways to compromise your data. On top of that many hacks and data breaches are state-sponsored. There is no sure-fire 100% guarantee against a hack or credentials compromise, but by employing a robust password policy, utilising a password manager and a bit of common sense, you can greatly mitigate against a compromise.


Data breaches are almost always catastrophic events for privacy and security. Not only can millions of people end up with their personal data exposed, but these breaches can also spiral even further out of control once hackers start testing leaked passwords and email addresses on other platforms.

This is the reason why we always tell readers to never, ever recycle their passwords under any circumstances. Once your email address and password get leaked in a data breach, you can bet that hackers will try the same combination out on other websites to see if it works. Tap or click here to see how to create stronger passwords.

Thankfully, one cybersecurity researcher is keeping a tally of some of the biggest data breaches in internet history. In his online database, he’s categorized more than 11 billion stolen records. To help victims protect themselves, he’s letting you check to see if your data has been “pwned.” Here’s how you can check for yourself.

Here’s the backstory

Data breaches can be catastrophic in terms of the damage they wreak, and many times, people don’t even know that their information is affected. This is because most of the leaked data that’s used gets sold on shady Dark Web marketplaces where hackers can buy them for pennies on the dollar.

And once the data is in a hacker’s hands, they’ll usually try the username and password combination elsewhere to gain more leverage or money from their victims.


But in the face of so many dangerous cybersecurity threats, one man continues to document and expose these hackers’ efforts in action. Security researcher Troy Hunt is the owner and operator of HaveIBeenPwned, a free service that will tell you whether or not your information has been exposed in a data breach (or sold on the Dark Web).

Here’s how his service works: Enter your email address in the search bar and hit the button labeled “pwned?” The website then gets to work alerting you of any data breaches your information may have been a part of — right down to the specific incidents.

Huge data breach on multiple platforms

According to reports from Bleeping Computer, 14 separate databases of stolen data went up for sale on the Dark Web last summer. The platforms these entries belong to are varied in function and scope and run the gamut from online food delivery to fashion.

Of the 14, only three have been confirmed to have actually been hacked thus far. But assuming the worst, in this case, is a proactive way to protect your information.

These are the platforms listed in the breach:

  • DarkThrone
  • Efun
  • Fluke
  • Footters
  • HomeChef
  • JamesDelivery
  • KitchHike
  • KreditPlus
  • Minted
  • Playwings
  • Revelo
  • Tokopedia
  • Yotepresto
  • Zoosk

If you signed up for any of these platforms, you might want to check out HaveIBeenPwned to be safe. You might also want to check its database as a precaution as part of your regular security checkup.

To see if your data was affected, click here to visit HaveIBeenPwned. This will take you to Hunt’s website, where you can enter your email address to check if your account has been included in any recent breaches.

If you’ve been affected by any data breach whatsoever, you should immediately change your email password. If you share that password with any other online accounts, hackers have a perfect opportunity to attack you across the web.

You may also want to consider setting up two-factor authentication for all of your most frequently used accounts. Tap or click here to see how to set up 2FA.

In the end, it’s up to you to take security into your own hands and frequently change your passwords. While heroes like Hunt are out there keeping people informed, they’re few and far between, and relying on them completely can give a false sense of security. If you’re proactive, you’ll be doing more to defend your data than waiting for the next big breach.

BILLIONS of email addresses and passwords have been leaked on a popular hacking forum online. Here’s how to check if your Gmail, Outlook, Hotmail or other email addies have been affected.


More than three billion email addresses and passwords are now in the hands of hackers. As reported by CyberNews, some 3.2billion cleartext emails and password pairs have been leaked on a popular hacking forum online. This latest leak aggregates past leaks from Netflix, LinkedIn, Bitcoin and more.


So, these passwords aren’t necessarily the ones needed to login to a corresponding email account. Just emails and logins used to access services such as Netflix that were caught up in other leaks.

However, if this password and email combo is used across a variety of different services (i.e to login to email inboxes and access online shopping portals) then it could give affected users a major headache.

The study does not specifically mention whether accounts from email providers such as Hotmail, Outlook, Yahoo Mail or more are among those affected.

But Express.co.uk used a tool online to check whether any of our personal addresses were caught in the breach, and found one Gmail addie that was affected.

This latest leak is believed to be the largest ever compilation of email addresses and passwords to be leaked online.

The previous largest breach was the Breach Compilation of 2017 which saw 1.4billion credentials leaked online.

However, this latest leak – known as the ‘Compilation of Many Breaches’ (COMB) – is over twice the size of the 2017 data cache.


Speaking about the COMB leak, CyberNews said it wasn’t a new breach but a compilation of previous ones.

They said: “This does not appear to be a new breach, but rather the largest compilation of multiple breaches”

CyberNews went on to add: “At the moment, it is unclear what previously leaked databases are collected in this breach. Samples seen by CyberNews contained emails and passwords for domains from around the world.”

If you are worried whether your email address has been caught up in the breach then head to CyberNews’s personal data leak checker by clicking here.

On this site you can enter in your email address and see if any login details have been exposed.

The website is able to alert the holders of over 15million breached accounts if their credentials have been compromised.


CyberNews said the potential impact of this latest breach is “unprecedented”, especially if any affected users reuse their email password for other online services.

While it isn’t best practice to do so, some people do tend to reuse passwords as it can be easier to remember.

If you have been impacted by this latest breach, and also use the affected password for other online accounts, then we’d advise you to change both swiftly.

Enabling two-factor authentication (2FA) when websites allow it also helps add an extra layer of protection to your accounts.

CyberNews said: “The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks are the biggest threat.

“If users use the same passwords for their LinkedIn or Netflix as they do their Gmail accounts, attackers can pivot to other more important accounts.”

They went on to add: “Users are normally recommended to change their passwords on a regular basis, and to use unique passwords for every account. Doing so – creating and remembering unique passwords – can be quite challenging, and we recommend users get password managers to help them create strong passwords.

“And, of course, users should add multi-factor authentication, like Google Authenticator, on their more sensitive accounts. That way, even if an attacker has their username and password, they won’t be able to get into their accounts.”


Over 1 Billion Login Credentials Leaked

Re: Over 1 Billion Login Credentials Leaked

Post by Pepi » Sun Jan 20, 2019 1:04 pm

Re: Over 1 Billion Login Credentials Leaked

Post by Pepi » Sun Jan 20, 2019 1:12 pm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm » Sun Jan 20, 2019 1:45 pm

Re: Over 1 Billion Login Credentials Leaked

Post by redlined » Sun Jan 20, 2019 1:56 pm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm » Sun Jan 20, 2019 2:08 pm

Re: Over 1 Billion Login Credentials Leaked

Post by redlined » Sun Jan 20, 2019 2:11 pm

Make your own mind out about whether it’s a trustworthy service or not – I’m satisfied that it is and it returns correct info for my email address (i.e. it was included in the data sold on the darknet after the Mint forum hack of 2016)

yah, I trust the fella, and his project (especially appreciating the verifications he does before listing) and want to say I first learned of the site some year or two ago - if I recall correctly was led there by a story in New York Times to which I was a subscriber at the time. I did confirm some email(s) were databased but haven’t been back there in well over a year and do see some more sites I need to delete or change account for

For any wanting to check for info “safely” consider using k-Anonymity:
. anonymity/

Re: Over 1 Billion Login Credentials Leaked

Post by redlined » Sun Jan 20, 2019 2:22 pm

I found another site which, beside Have I been Pwned, lists some other resources as well:
. en-hacked/

My question is if you have used these services and do you find them legit and trustworthy?

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm » Sun Jan 20, 2019 3:02 pm

Re: Over 1 Billion Login Credentials Leaked

Post by redlined » Sun Jan 20, 2019 3:43 pm

best/safest bet is to never use same password for more than one account/persona space. Another option is use unique email, which some email providers make real easy allowing for anything before the @ with your custom address after the @ to get it to you. Making it easy to identify both the source of breach (e.g. well I only used that email addy here) and then blacklist the breached email address used to make the online account.

A quick check with k-anon using this service will further remove potential doubts in the moral character of HIBP website:
. anonymity/


Re: Over 1 Billion Login Credentials Leaked

Post by Faust » Mon Jan 21, 2019 4:04 am

@rene – Thanks for that feedback.

As mentioned above, I’ll start a new thread about Bitwarden shortly. I’ve already taken this thread OT –

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm » Mon Jan 21, 2019 8:38 am

Re: Over 1 Billion Login Credentials Leaked

Post by philotux » Mon Jan 21, 2019 10:56 am

@rene – Thanks for that feedback.

As mentioned above, I’ll start a new thread about Bitwarden shortly. I’ve already taken this thread OT –

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm » Mon Jan 21, 2019 11:05 am

Re: Over 1 Billion Login Credentials Leaked

Post by rene » Mon Jan 21, 2019 2:05 pm

Let me in that case comment.

For Bitwarden everything I looked at seemed solid; note that it is in this context to be noted that Bitwarden does not have your passwords even when you use their servers to store them. They have your encrypted password database; are fundamentally unable to retrieve your passwords for you when you forget/lose your master password. This is clearly important for judging needed level of trust.

Lastpass, a very trustworthy and very widely used password manager, is no different in that sense but where the two do in my view significantly differ is Bitwarden being open source; being able to be independently verified, both to in fact correctly adhere to that system, and as to the encryption itself. Don’t get me wrong, Lastpass is absolutely trustworthy, and shenanigans are as or more easily found with a network sniffer than through source code review, but still. Fundamentally I would say this kind of thing needs to be open source.

I.e., if I’d choose between Lastpass and Bitwarden, latter it would be, even though former will undoubtedly have more and better plugins available.

But. Bitwarden being open source for me personally still fell a little short simply due to the used web technologies. The server is C# which is a nice enough language generally (if on Linux a bit of a mess) and/but the desktop application is a lot of Javascript. Moreover not just Javascript sec but Javascript using to me unfamiliar “Elektron” and “Angular” frameworks. I expect that if I were to invest a bit it’d not be too much of a problem to become familiar but for me investing in anything concerning web technologies tends to feel like work of the “Shall I go into the office or off myself today?” variety. Choices, choices.

Given that I had a fairly solid preference for keeping things local anyway this meant that Bitwarden’s for me main competitor KeePassXC won out. It’s also open source (C++) and although Bitwarden can be used locally that’s not its core structure; with Bitwarden you’d just use a locally installed server. To in fact use KeePassXC you do need to be a bit of an open source masochist but, hey, whaddaya know.