naet 7 hours ago

There have been enough data breaches at this point that I'm sure all my info has been exposed multiple times (addresses, SSN, telephone number, email, etc). My email is in over a dozen breaches listed on the been pwned site. I've gotten legal letters about breaches from colleges I applied to, job boards I used, and other places that definitely have a good amount of my past personal information. And that's not even counting the "legal" big data /analytics collected from past social media, Internet browsing, and whatever else.

I now use strong passwords stored in bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.

Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.

  • 8cvor6j844qw_d6 4 hours ago

    I used per-account email with alias services and password managers.

    Also started migrating old accounts in free time.

    Now it's pretty easy to tell the source of leak by email addresses as well as sources of spam.

    ---

    Per-account alias might sound much, but using sieve filtering [1] is amazing, and you can get a comprehensive filtering solution going with 'envelope to' (the actual address receiving the email) + 'header to' (the recipient address you see, sometimes filtering rules don't filter for BCC or sometimes recipients are alias instead of your actual email) that are more comprehensive than normal filtering rules to sort your emails into folders.

    [1]: https://datatracker.ietf.org/doc/html/rfc5228

    ---

    Amusingly, I've managed to recover old accounts from emails that contain my old passwords with demands for crypto payment; it just provided me enough help to recall old variations of my passwords.

  • eyeundersand 7 hours ago

    +1 for Bitwarden. It is literally the best solution out there. Been getting to increase uptake in personal circles with (very) limited success. The wife keeps trying to convince me that the ship has sailed in trying to protect info online. She's probably right.

    • hombre_fatal 5 hours ago

      Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.

      For a week I've been using KeePassXC + Syncthing between four devices. Syncthing is also syncing my Obsidian vaults, which have replaced Apple-only Notes.app.

      Bitwarden is definitely more polished, and Syncthing is definitely (much) more fiddly than using Bitwarden's and Obsidian's ($5/mo) native syncing tools.

      But I like the idea of having the same syncing solution across all apps on all devices. Curious if anybody can recommend this setup or if collisions will make it unbearable.

      • 9029 4 hours ago

        I have used this setup for 6 years or so with KeePassXC and it's fine. Just being mindful of not editing stuff on other devices before the first one has had the chance to sync has been enough to avoid pretty much all sync conflicts. I have only had to resolve those a few times so far, iirc my android client was misconfigured at the time or something.

        I still recommend Bitwarden for password management for any "laypeople" since it will just work. Also worth noting that the basic functionality is free.

      • Tallain 4 hours ago

        This is the same setup I used for years with no issues, both KeePassXC and multiple Obsidian vaults, along with some other random files and folders. Syncthing is pretty much rock solid. Now I have the KeePassXC database stored on my NAS which is even simpler.

        • Joe_Cool 3 hours ago

          The cool thing with KeePass is that each client is also a local backup. It's pretty neat.

      • kevstev 2 hours ago

        If you have a NAS, I highly recommend you set up a VPN back to your network. It's been a bit of a game changer for me. I don't fiddle around with Dropbox or gdrive anymore, it's just on my NAS and it just works. I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline, like on an airplane. VPN has other advantages as well, like no longer really having to worry about sketchy wifi networks. It felt annoying and like overkill at first, but I'm never going back to relying on any sync apps again.

      • com2kid an hour ago

        You can throw a keepass vault on OneDrive or Dropbox and it works just fine everywhere. Not fiddly at all except Linux and OneDrive support.

      • rafabulsing 4 hours ago

        I use a similar setup, but with Onedrive instead of Syncthing (and, before that, Dropbox).

        In the almost 10 years I've been running this setup, I think I hit a conflict one single time. I don't quite remember the details, but I think I accidentally edited something in the mobile app, and before saving, edited something else in the desktop app or vice-versa. So it was pretty much my fault.

        Other than that, literally never had an issue. Password managers are by their nature mostly reads, and very occasional writes, so it's very hard to put yourself in a situation where conflicts happen, even if you don't pay attention to it. I've made an identical setup for my (fairly savvy but non-technical) fiancee, and she's never hit an issue either. I had to insist a bit for her to get on board, but years later she actually loves using KeePass. She's thanked me multiple times for how convenient it is not having to remember passwords anymore!

      • eightys3v3n 2 hours ago

        One consideration is that Bitwarden seems to not work fully in an offline state the same way your setup would. I constantly try to edit or add a password while offline and can't. I think this somewhat negates the collision situation though.

      • Yodel0914 5 hours ago

        Not sure about Obsidian sync, but for Bitwarden you can self-host Vaultwarden.

      • seemaze 4 hours ago

        I originally started using Bitwarden to achieve sync across Mac, Windows, and Linux machines, along with all major browser platforms. It's been great!

      • Aeolun 4 hours ago

        Which device can you not use bitwarden on?

      • fibers 3 hours ago

        strongbox is a reasonable app for iOS and you can set it up for sftp to your main self hosted server.

      • echelon 4 hours ago

        > Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.

        1password works in all the places, it's just not open source.

      • therealpygon 4 hours ago

        Why not just run a vaultwarden instance at that point?

        • doubled112 an hour ago

          No matter how you sync, a Keepass file is a file. I can't be logged out. It will still be on my phone if my house burns down. Every device it's synced to is an additional backup copy.

          The Bitwarden client will sometimes log you out if something happens on the server side, which has the potential to make worst case recovery from annoying to impossible. The circular dependency of having my cloud backup password in the vault made me nervous.

          Yes, you can back your vault up, but it's a manual step and likely to be forgotten.

    • NewsaHackO 6 hours ago

      I use a similar service. I always wonder what sort of risk having one point of failure has though. I know 2FA helps, but a particularly motivated person with access to your physical still may be able to get both, especially if it's for an investigation of some sort.

    • theonething an hour ago

      Can anyone with experience with 1Password and Bitwarden share their opinions on each?

      I've been on 1Password for years and am wondering if I'm missing anything.

    • teekert 6 hours ago

      I switched from Bitwarden to Proton Pass (because we got Proton Family) and I find it to be equally good. I even find sharing credentials a bit easier as it does not require organizations; you can just share with individuals.

      Proton also has a separate 2fa totp app.

      • Alupis 5 hours ago

        Bitwarden Families plan is $40 a year and supports up to 6 users. It has TOTP built-in, is open source[1] and has been audited multiple times[2].

        The individual plan is $10 a year. I've been a happy user for many years. I converted the last business I was at to exclusively using Bitwarden for Business as well.

        [1] https://github.com/bitwarden/

        [2] https://bitwarden.com/help/is-bitwarden-audited/

      • smsm42 5 hours ago

        Bitwarden supports TOTP too, even though it's not entirely obvious from the UI.

        • CaptainNegative 3 hours ago

          TOTP inside a password manager doesn't make much sense to me. What's the point of two factor auth if both factors are stored together?

          • klardotsh 3 hours ago

            I don’t know the “correct” answer, but here’s my answer as someone whose TOTP are split across a YubiKey and Bitwarden: I store TOTP in Bitwarden when the 2FA is required and I just want it to shut up. My Vault is already secured with a passphrase and a YubiKey, both of which are required in sequence, and to actually use a cred once the Vault is authenticated, requires a PIN code (assuming the Vault has been unlocked during this run of the browser, otherwise it requires a master password again).

            At that point, frankly, I am gaining nearly nothing from external TOTP for most services. If you have access to my Vault, and were able to fill my password from it, I am already so far beyond pwned that it’s not even worth thinking about. My primary goal is now to get the website to stop moaning at me about how badly I need to configure TOTP (and maybe won’t let me use the service until I do). If it’s truly so critical I MUST have another level of auth after my Vault, it needs to be a physical security key anyway.

            I was begging every site ever to let me use TOTP a decade ago, and it was still rare. Oh the irony that I now mostly want sites to stop bugging me for multiple factors again.

          • behringer 3 hours ago

            Bingo. You need to use a different totp.

    • stronglikedan 6 hours ago

      > Bitwarden

      Best when paid for so you can do 2FA with TOTP codes!

      • troyvit 6 hours ago

        I self-host through Vaultwarden but I think I miss this. Besides, I feel like paying these guys anyway just for the great product. We use 1Password at $dayjob and it's so primitive by comparison.

        • shinypants 6 hours ago

          What is lacking in 1Password by comparison? I pay for a family plan but maybe I should switch next year.

        • nagisa 4 hours ago

          TOTP works with vaultwarden.

        • jnrk 5 hours ago

          Really? I find it to be the complete opposite.

      • Koffiepoeder 4 hours ago

        The moment you put TOTP in Bitwarden it is no longer a 'second factor'. Pretty bad security advice to be honest. Better to use hardware tokens or a secure phone (with enclave) instead (never SMS though).

        • Marsymars 3 hours ago

          In most cases a true second factor isn't really what any involved party cares about.

          My bank (I mean, they use SMS, but pretend they use TOTP) just care about not having to spend money on support because I used "password1!" as my password for every account and lose all my money.

          I just want to log in to my bank.

          If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor, I'm just enabling TOTP so that I don't have to copy/paste codes from my email or phone.

        • Aeolun 4 hours ago

          I think it’s mostly nice for places that require TOTP but don’t actually rate carrying around/plugging in a yubikey for.

      • smsm42 5 hours ago

        It costs $10/year, so there's really no reason to not pay for it.

        • antiframe 4 hours ago

          I have two reasons not to pay for it: 1) Aegis is free. 2) I'd rather not have my second factor be stored in the same database as my first factor.

          • Aeolun 4 hours ago

            You can just not store the TOTP tokens in Bitwarden? I don’t see how this is an argument against.

            • antiframe 3 hours ago

              If I only store passwords in Bitwarden, not TOTP tokens, then I don't have to pay for it. So, it's an argument for spending less money while being more secure.

      • Yodel0914 5 hours ago

        I’ve never paid and Bitwarden does 2FA/TOTP for me?

    • Xerox9213 6 hours ago

      I convinced my wife to start using a password manager, too (Bitwarden). Now she stores all of her very guessable, short, similar passwords in a manager. Sigh.

      • Aeolun 4 hours ago

        So happy to not have to remember whether the [firstname][lastname][number] password ended with a 4 or 5.

  • kccqzy 7 hours ago

    Addresses? Most of the time addresses are a matter of public record. I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works. One day a close friend excitedly told me she bought a new house and I told her the address before she told me about it.

    Telephone number? There used to be phone books. And I still instinctively think they should be public.

    • animex 6 hours ago

      I think the headline is a bit vague, it includes passwords as well. Does anyone know if Troy's HIBP'd site reveals the passwords to verified users? I'd like to know if my current or what generation of passwords has been breached to evaluate if I have a current or past problem with my devices.

      • birdman3131 6 hours ago

        They do not want to have such a list as it makes them a target.

        What they do have is a searchable password list not connected to any usernames.

        • NoahZuniga 6 hours ago

          *searchable list of password hashes

    • lotsofpulp 5 hours ago

      Addresses can lead you to public land and mortgage records, and phone numbers can lead you to names and addresses. I assume everyone can easily find that out about me once they know my name/phone number.

  • NegativeLatency 5 hours ago

    > what if anything can be done at this point

    I'm in a similar situation, just make sure your credit is frozen with the 3 major US companies. I had someone steal like $50 of cable TV with my info in another state and it was a major pain to get off of my credit report.

  • kulahan 7 hours ago

    I was in the military. China stole my freaking DNA profile. I've given up on worrying about this stuff.

    • harvey9 6 hours ago

      Gonna be a very weird day for you when China's clone army invades us.

      • rafabulsing 4 hours ago

        If nothing else, I guess one should at least be kinda proud that of all stolen DNAs, yours is the one they end up making a clone army out of.

        • kulahan 3 hours ago

          5,000,000 Kulahans invading America would not be very effective, thus I have defeated China myself. No thanks are necessary.

    • rdl 6 hours ago

      Even better "please give us all the things which could be used by a foreign power to blackmail you, or apply pressure to relatives or other close contacts" and then poorly secure that database.

      • smsm42 5 hours ago

        Those are the same guys who told us we must give them backdoor keys to every encryption algorithm, because nothing can go wrong with it and otherwise terrorists win.

    • WaitWaitWha 6 hours ago

      The number of years I got "free credit monitoring" I can pass it down to my children . . .

      • Aeolun 4 hours ago

        I feel like only in the US is credit monitoring something sold as an optional service.

        I got a confirmation mail from System76, because apparently they feel the need to validate my credit card can't be used without my approval, but my bank does this by default…

        • tredre3 3 hours ago

          Credit monitoring has nothing to do with Credit Cards.

          Most banks in America indeed do offer (for free) the option to be notified for each transaction if you want.

    • enjaydee 5 hours ago

      Wow! Didn't hear about this. What test did you get done? I'm hoping it wasn't whole genome or exome?

      • kulahan 4 hours ago

        It wasn't an actual DNA test, but the military takes blood samples of every recruit. I'm referring to this hack:

        https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

        edit: the relevant text is below

        > The data breach compromised highly sensitive 127-page Standard Form 86 (SF 86) (Questionnaire for National Security Positions).[8][18] SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. Initially, OPM stated that family members' names were not compromised,[18] but the OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated."

    • esseph 4 hours ago

      DNA, blood type, fingerprints, and anything else on your background checks...

      They even got my kids social security numbers.

  • sandeepkd 2 hours ago

    To confirm, data/info leaks happened on the server/application side. How does a solution like Bitwarden on the client side help with this situation?

    As per my understanding the only possible threat it saves against is someone trying to brute force your password against the application. And maybe ease the cognitive burden of remembering different passwords.

  • neogodless 6 hours ago

    I use unique email addresses per domain name, and I believe HaveIBeenPwned shows me at 39 unique email addresses breached! (So many that seeing which ones have been breached would now cost me $22 / month... HaveIBeenPwned is starting to feel like an extortion racket of its own..)

    • esnard 5 hours ago

      If you're using the same domain for each of your email addresses, HIBP has a domain-wide search feature which is free (but you need to register to validate your domain).

      • neogodless 4 hours ago

        I've registered (years and years ago) and I get emails saying how many, but to see which emails they want lots of money.

        (If I'm wrong their interface is very confusing and I cannot find the free access.)

        Specifically it says this:

        > Insufficient subscription. Only subscription-free breaches will be returned for this domain.

        So I'm able to see 37 email addresses on my domain have been breached, but I can't see which without paying $22 / month - https://haveibeenpwned.com/Subscription

        > Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists). Only results for subscription-free breaches are shown below, upgrade your subscription to run a complete domain search. If you believe you're seeing this message in error, make sure you're signing in to the dashboard with the correct email address (check your latest receipt if you're unsure).

    • mrbluecoat 5 hours ago

      I feel you. The aggregate email breach list just feels like a rainbow table at this point.

  • edoceo 3 hours ago

    Right to be removed/purged and maximum retention policy. One place I'm aware of purges accounts that have been inactive 18 months. Historical billing info is offline and "gapped".

  • theonething an hour ago

    Freeze your credit at the three major companies.

  • sixothree 5 hours ago

    Even if you weren't breached, the sophistication is getting higher too. New hires get emails starting literally day one because email formats follow a pattern and they posted their new job on linkedin (or something).

  • varispeed 3 hours ago

    I bet now some corporations actually want to be exposed, have data breach. If you have not been in the news, it means you have not made it yet (not popular enough to be a target worth writing about).

  • dheera 4 hours ago

    I generally don't give my real address or real phone number to anyone who doesn't legally need it. I use a virtual address as the billing address on my credit cards and for registering for things that don't need to know where I sleep.

    The government can have at my real info, but private companies have bad data security.

    • s5300 an hour ago

      [dead]

  • Razengan 6 hours ago

    So by this point, if anyone does anything naughty online they could just pin it on a hacker using their identity, no?

  • TZubiri 5 hours ago

    Right. Having some data leaked isn't really a boolean, leaked/unleaked. It's a list of leaks, and the implicit map between your datapoints, whether by intra- or inter-provider mapping.

    For example a forum might leak a map between your mail and a password; Implicitly your affinity for that forum's topic is also now on the public record, additionally if your posts were public but under a pseudonym, that might be now known by a sufficiently motivated attacker.

    Finally this may be linked with other public datasources like your public tweets or public state records, or even other leaks.

    This is why the meme about all ssn's being leaked or about a list of all valid phone numbers is so asinine.

jerf 6 hours ago

On the plus side, Troy can save a lot of DB space now. Instead of storing which emails have been compromised at this point he can replace that with just

    def email_compromised(email):
        return True

  • Havoc 6 hours ago

    Not necessarily. Both my main addresses still come back clean after years in use.

    The one I use for random crap has 9 hits though.

jorams 5 hours ago

This seems to include details from a Spotify data breach in or before early 2020 that, to my knowledge, was never reported on. They did have other, similar issues that year.

Reporting from the time seems to all be about one or multiple leaks/attacks involving:

- Credential stuffing with data from other breaches

- A leak of data (including email addresses) to "certain business partners" between April 9, 2020 and November 12, 2020.

On April 2, 2020 somebody logged in to my Spotify account (which had a very weak password) from a US IP address. This account used an email address only ever used to sign up to Spotify years earlier, and the account had been unused for years by that point. I changed the password minutes later. A few hours after that Spotify also sent an automatic password reset because of "suspicious activity". At no point have I ever been notified by Spotify that my data had been leaked, though it obviously had, and now said email finally shows up on HIBP.

jimmar 7 hours ago

I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data know what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what passwords were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."

There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the passwords it found. But I'm not going to reset 500+ passwords because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

  • craftkiller 5 hours ago

    > there does not seem to be any way for _me_, the person affected, to know what passwords were breached

    You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:

      1. The password to my password manager
      2. The password to my gmail account
      3. The passwords for my full disk encryption
    
    All of those passwords are unique and not used anywhere else. Everything else is in my password manager with a unique randomly generated password for each account. And for extra protection, I enable 2fa on any site that supports u2f/webauthn.

    I used to reuse the same password for everything, and that led to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open Uber and see a ride actively in-progress on the other side of the country. It was not fun.

    • tengwar2 16 minutes ago

      Also if possible, use a unique email address for each site. I know that's not feasible for most people, and some sites (e.g. LinkedIn) are structured so that email addresses become linked, but it does provide useful isolation.

    • taftster 4 hours ago

      Yes! Me too. Not adding anything here except a confirmation on the above approach. You kind of need your email password as a "break glass" scenario. But mostly, you just need your password manager.

  • elzbardico 6 hours ago

    > It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

    Yes.

  • NetMageSCW an hour ago

    If you read the instructions, you will discover https://haveibeenpwned.com/Passwords which will let you enter a password and securely check if it has been published in a breach.

    If it has, it is either a simple password that multiple people are using, or a complex secure password that can make you pretty confident it is your password that has been published.

    1Password just does the same thing for all of your passwords - it doesn’t check against your account name either. That information isn’t stored so they can’t become a new source of breached accounts (as explained at the site).

  • fckgw 6 hours ago

    The problem with breaches like the latest data set is that there's no source on where the breach came from, it's an aggregate from multiple breaches. They can't tell you that info because it's not in the initial data set.

  • technion 6 hours ago

    At one point I responded to a haveibeenpwned notice by immediately having the user reset a password.

    I've got over 200 users in a domain search (edit: for this particular incident), and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.

    • kbrkbr 6 hours ago

      Same here: reset on first breach (ROFB), but on subsequent ones only if it is no collection, e.g. a new infostealer breach.

  • junon 6 hours ago

    • ekjhgkejhgk 6 hours ago

      Right, I'm going to put my password into some website. You people will believe anything.

      • MattSteelblade 6 hours ago

        You can check against the API with just the first characters of your hashed password (SHA-1 or NTLM), for example: https://api.pwnedpasswords.com/range/21BD1 or you can download the entire dataset.

        • ekjhgkejhgk 4 hours ago

          How can you download the entire dataset?

        • zahlman 6 hours ago

          Second line I already notice:

          > 000F6468C6E4D09C0C239A4C2769501B3DD:5894

          ... Does the 5894 mean what I think it does?

          • red369 an hour ago

            I remember when I was searching the file for some passwords my friends and family use, it took me a while to work out that number too. There are some passwords that many people seem to independently come up with and think must be reasonably secure. I suppose they are to the most basic of attacks.

          • esnard 5 hours ago

            5894 means that the password appeared 5894 times in the dataset.

            5894 is not the password associated with the hash.

            • zahlman 5 hours ago

              Yes, it did mean what I thought, then.

              But I guess some passwords appear far more often than that in the dataset.

              • lmm 3 hours ago

                Some passwords are far more commonly used than others; that isn't surprising.

      • red369 an hour ago

        I was going to provide my passwords to any random person on the internet, Troy Hunt might be close to the top of the list, but I think your sentiment is sensible.

        I remember searching the dataset being fairly straight forward. It's been a while since I've done it, but I think I just downloaded the text file and then grepped it for hashes of my passwords, but I see people doing much more useful things:

        https://medium.com/analytics-vidhya/creating-a-local-version...

      • sunaookami 6 hours ago

        HaveIBeenPwned has been around for ages and it does not send your password to the server - you can check it with the browser console. It hashes it, sends a range of the hash to the server, server replies with a list of hashes that match that range and it's checked locally for a match.

        • smokel 6 hours ago

          Still, I would not trust that. The password could be leaked through other means, for example by setting a timer, and exfiltrating fragments of it across future requests.

          The website loads some external fonts and spits out many warnings in the console by default. Does not instill confidence in the truly paranoid hacker.

          • drexlspivey 5 hours ago

            You can hash yourself and check against the api with 5 lines of python
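The k-anonymity check described in this thread (hash locally, send only the first five hex digits of the SHA-1 to the range endpoint, match the `SUFFIX:COUNT` lines locally), written out as an added example. This is not code from Have I Been Pwned; the range response embedded below is constructed so the check runs offline, and the `fetch_range` helper that would do the real lookup is not called by the offline demo.

```python
"""Offline-testable k-anonymity lookup in the style of the Pwned Passwords range API."""
import hashlib
import urllib.request

# Endpoint quoted in the thread: https://api.pwnedpasswords.com/range/<5 hex chars>
API_BASE = "https://api.pwnedpasswords.com/range/"

# CONSTRUCTED sample response for prefix 5BAA6 (not real API output). Each line is
# "<35-hex-char suffix>:<count>", the same shape as the "000F6468...:5894" line quoted
# above. The first suffix is genuinely SHA-1("password") with its 5-char prefix removed;
# its count is the figure a commenter reported for "password"; the other lines are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:46628605\r\n"
    "1E4E0F0A23D1F7F1E5B9A9E6B2C0D1E2F30:3\r\n"
    "1F00112233445566778899AABBCCDDEEFF0:17\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix.

    Malformed lines are skipped rather than trusted. A count of 0 is treated as
    absent: real entries are always >= 1, so a zero would only be filler.
    """
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count_text = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35 or not count_text.strip().isdigit():
            continue
        count = int(count_text)
        if count > 0:
            counts[suffix] = count
    return counts


def count_in_range(suffix: str, body: str) -> int:
    """How many times the full hash appears, or 0 when the suffix is not listed."""
    return parse_range_response(body).get(suffix.upper(), 0)


def fetch_range(prefix: str) -> str:
    """Network lookup: only the 5-char prefix ever leaves the machine."""
    req = urllib.request.Request(API_BASE + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """Hash locally, fetch the matching range, and match the suffix on the client."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetcher(prefix))


def offline_range(prefix: str) -> str:
    """Stand-in for fetch_range that serves only the constructed 5BAA6 bucket."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "constructed-unique-passphrase-9f3k"):
        print(candidate, "->", pwned_count(candidate, offline_range))
```

Swap `offline_range` for the default `fetch_range` to query the live service; the password itself is never sent, only the prefix, exactly as the thread describes.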

          • TZubiri 5 hours ago

            That level of care is warranted, but you'll find that you are given the tools to audit and it will pass.

          • turnsout 5 hours ago

            You can check it yourself by looking up the hash prefix and searching for your hashed password.

        • bobmcnamara 6 hours ago

          Man, there's a ton of non-obvious ways they could exfiltrate that. I'm not going to read their code.

      • jolmg 6 hours ago

        > Passwords are protected with an anonymity model, so we never see them (it's processed in the browser itself), but if you're wary, just check old ones you may suspect.

        That could mean one might be able to disconnect from the internet while checking.

        • ekjhgkejhgk 6 hours ago

          No, it doesn't mean that, that's ridiculous. How would that work? Magic?

          • bobmcnamara 6 hours ago

            Download all the hashes first - not practical.

            • zahlman 5 hours ago

              The above post https://news.ycombinator.com/item?id=45840724 links to 71.3 KiB of data; since it's a 5-nybble prefix (20 bits) we may easily estimate a size of 71.3 GiB assuming that's a representative sample. Not unfeasible nowadays, but it seems you do have to make separate requests and would presumably be rate-limited on them.

              If you only download the hash pages corresponding to passwords you hold, even supposing that everything else is fully compromised, an attacker would have to reverse a couple thousand SHA-1 hashes, dodge hash collisions, and brute-force with the results (yes, yes: arson, murder and jaywalking) to pwn you.

    • bdcravens 5 hours ago

      I was trying random phrases just out of curiosity, and couldn't help but chuckle when it said "epsteinfiles" wasn't found :-)

    • AlienRobot 6 hours ago

      my password: 2,408

      password: 46,628,605

      your password: 609

      good password: 22

      long password: 2

      secure password: 317

      safe password: 29

      bad password: 86

      this password sucks: 1

      i hate this website: 16

      username: 83,569

      my username: 4

      your username: 1

      let me login: 0

      admin: 41,072,830

      abcdef: 873,564

      abcdef1: 147,103

      abcdef!: 4,109

      abcdef1!: 1,401

      123456: 179,863,340

      hunter2: 50,474

      correct horse battery staple: 384

      Correct Horse Battery Staple: 19

      to be or not to be: 709

      all your base are belong to us: 1

      • e12e 5 hours ago

        Password2020: 109,729

        Edit:

        louvre: 7,219

      • zahlman 5 hours ago

        > all your base are belong to us: 1

        Only 1, really?

        • Sohcahtoa82 4 hours ago

          Because of the spaces.

          Without spaces, it's 681.

  • karencarits 6 hours ago

    One possible solution could be to give you an option to send the affected password as a list to the mail address you specify, then only people with access to that mail address will see them

    • bobmcnamara 6 hours ago

      Hash of the affected password? People share these things and don't always run their own mail servers.

  • chinathrow 6 hours ago

    Yeah and I am confused by his new setup private vs business. I got that mail too but can simply not see what addresses were affected by that breach.

  • pessimizer 5 hours ago

    > But the site does not give me any way to take action.

    It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.

    It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.

    Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.

  • TZubiri 5 hours ago

    What? You expect the guy to tell you your password? Lol, lmao even.

    I know roughly what passwords were exposed because either I remember it, or the date of the leak or the associated email.

    I know simple passwords are almost public and that leaks of say linkedin will be properly hashed, while a vb forum from 2006 might not be.

worldfoodgood 7 hours ago

The downside to having many vanity urls and giving out a unique email address to each website you visit is that you cannot use haveibeenpwned without paying (despite being a single human). I have no idea how many email addresses I've given out over the years, probably hundreds across at least 6 or 7 domains, and they want to charge me a monthly fee to see which of those have been pwned.

I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.

  • kccqzy 7 hours ago

    The domain search feature on haveibeenpwned is/was free. I registered my domain on haveibeenpwned back in 2017 and I got two emails about breaches, one in 2020 and another in 2022. I did not pay.

    • username44 7 hours ago

      I wasn’t aware of this feature, but can confirm. Just tried and it is free.

      Log into dashboard, under business there is a domains tab. Enter your domain there and verify ownership. Didn’t ask for payment.

      • worldfoodgood 4 hours ago

        I have 15 pwned email addresses. It's free for under 10.

      • chinathrow 6 hours ago

        But I can't find the old list of what address was affected where. I only see my own address.

    • EvanAnderson 7 hours ago

      It tells you that an address in your domain has been included in a breach. It doesn't tell you which address was included. That's what the OP and I are opining about.

      • osculum 6 hours ago

        It does. I just checked mine today. I can see exactly which individual email addresses in my domain were exposed and in which data leak. I have never paid for it.

        • EvanAnderson 6 hours ago

          Interesting. I'd love to see where you're seeing that. I'll go poke at the site a little more.

          Edit: When I try to do a domain search I get told:

          > Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists).

          My domain has 11 breached addresses.

          • osculum 6 hours ago

            I log in. Click on Business -> Domains. Then click on the looking glass under "Actions" on my domain. I can there see all my addresses and Pwned Sites.

            But I think you are right, because I only have 3 breached addresses under my domain (I do see the 10 addresses wording under subscriptions).

            • toast0 4 hours ago

              Yep, if you have the good fortune of having many breaches while using companyname@example.org, the service requires that either you pay up or you have to guess and check.

              I understand, but it's frustrating.

    • worldfoodgood 4 hours ago

      It is only free if you have fewer than 10 pwned addresses.

  • huijzer 7 hours ago

    Isn’t the idea that you don’t need haveibeenpwned since you’ll see mails coming in and then know your details have leaked?

    For ID fraud, more than an email address has to be leaked.

    • worldfoodgood 7 hours ago

      Have I been pwned will tell me if the associated password for that site leaked. I create unique passwords per site, but let's say my mastercard login gets pwned -- that'd be one I want to change the password for right away.

      I might not get an email if someone gets that account info.

      • dpoloncsak 7 hours ago

        In theory, I agree.

        In practice, anything that high-profile will be plastered all over every tech news site, twitter, reddit, probably even the news. It would be difficult for MasterCard/Visa to have dataleaks, even just email/pass, fly under the radar (I imagine...)

        Oracle tried to cover up a data leak, and it didn't go great. Oracle touches nowhere near as many every-day people as MasterCard does

  • EvanAnderson 7 hours ago

    I'm in the same boat. I track all of the unique addresses I use (via my password manager) so I guess I could just check them all against HiBP's database. Kind of a pain in the ass, though.

    • Beijinger 6 hours ago

      enpass.io does this automatically if you selected the option.

    • warkdarrior 7 hours ago

      My password manager (Bitwarden) does that automatically.

      • EvanAnderson 7 hours ago

        I use Bitwarden with a Vaultwarden server so I have some familiarity. Bitwarden checks new passwords against HiBP. I'm not aware of functionality where it can retroactively check old email addresses or passwords to see if they're included in a breach.

        • lern_too_spel 6 hours ago

          • EvanAnderson 6 hours ago

            Ahh, okay. I assume that's a part of the Bitwarden offering, presumably happening server-side. I'm just using their official client w/ a Vaultwarden server.

            • jorams 6 hours ago

              It is also available in the Vaultwarden web interface (which is just a rebranded Bitwarden web interface).

  • SoftTalker 7 hours ago

    Just assume they have all been exposed.

    Email addresses are not secrets under any stretch of the meaning of that word.

    • worldfoodgood 7 hours ago

      It's not the email address itself that I care about, and that's not the service that the site provides. It tells you for which email addresses a related password has been pwned.

  • ekjhgkejhgk 6 hours ago

    I don't understand... The password is the secret, right? If your mastercard login ends up in some breach, your password is protecting you. With or without vanity urls, if you have strong passwords you'll be fine.

    • XorNot 6 hours ago

      Cybercrime has a logistics pipeline.

      Harvesting potential targets is one part of it i.e. establishing someone was using an email address is the entry point. There's a lot of emails, so associating them to any particular website is right near the start. Establishing that they're active increases their value further.

      The people responding to Troy here for example are technically doing that: they clearly monitor the email or still use it, so addresses which respond go up in value.

  • TZubiri 5 hours ago

    You need a domain, and possibly a paid mail provider with catch all support.

    So cost was always part of this strategy

    • worldfoodgood 4 hours ago

      I have those things? Did you miss the part where I have multiple vanity URLs and hundreds of email addresses? Of course I have a paid mail provider and catch all. The problem is the cost of haveibeenpwned is too much for me as an individual.

  • guelo 6 hours ago

    I have the more typical one email used with hundreds of passwords on many websites. haveibeenpwned is also useless for me, it will tell me that my email was compromised but not which sites or passwords. I guess I could check each password individually, hope each password is globally unique to me, and then try to match it back to the website where I used it so I can change the password.

imgabe 7 hours ago

My data was exposed in one of the Facebook leaks and it turned out I had an old email on my Facebook account with a domain I had since let lapse and abandoned. Someone else registered the domain and tried to take over my Facebook account by sending a password reset request using it. Luckily I had 2FA and I guess Facebook's fraud alerts picked it up so it wasn't successful.

I guess what I want to say is beware that even something as innocuous as an email being leaked can cause problems, and make sure you delete any unused addresses from your accounts!

  • giobox 6 hours ago

    One of the drawbacks of using a custom domain for personal email is you essentially have to pay for it for life, otherwise anyone can just buy your old email address if the domain expires and start receiving mail, resetting accounts... I think some folks don't fully consider this consequence when setting up a fun vanity email address or similar etc, especially now both iCloud and gmail have made it so trivial to link a custom domain.

    • hn_acc1 6 hours ago

      Conversely, if yahoo/google ever stop offering free email, I'll probably end up paying them much higher prices to keep going for a bit until I can transition.

      If either ever stop period, especially one day to the next, FML...

    • digisign 6 hours ago

      Accounts can most often be closed or deleted permanently when one wants to stop or move. Some can change your address.

      • giobox 5 hours ago

        Speaking for myself, the "blast radius" of my email address is some 600+ accounts... (just looking in my password manager). The chances of me sitting down and closing every single one are non-existent. Many won't even have the luxury of having diligently tracked their login accounts in a password manager either.

        Just having a family, kids, bills, schools, jobs, credit cards, banks, investments, insurance, shopping etc etc - the number of accounts many of us pick up can easily get into the hundreds.

  • esafak 7 hours ago

    What a lot of work to capture one account.

    • twodave 6 hours ago

      I can think of a lot of ways that would be worth it.

      * blackmail the account owner

      * make up an illness, create a donation page and get all their friends to donate

      * find all connections over a certain age and disguise a phishing vector as literally anything!

      * so many more

      • morshu9001 6 hours ago

        A real FB account with real friends who trust it (and are rich) is worth a lot

  • guywithahat 6 hours ago

    Which is incredible because it means they paid to get the domain and try to access that account. I can't imagine why anyone would care that much about your Facebook (assuming you're not someone who's especially influential) and yet here we are

anonu 5 hours ago

> we run on Azure SQL Hyperscale, which we maxed out at 80 cores for almost two weeks

the data challenge is interesting here. there's clearly a lot of data - but really it's just emails and passwords you need to keep track of. SQL feels like overkill that will be too slow and cost you too much. are there better solutions?

15 billion records of email+password, assume ~40 bytes, that's roughly 600GB

should be searchable with an off-the-shelf server.

of course, I'm oversimplifying the problem. but I'm not clear why any solution to insert new records would take 2 weeks...

  • bobmcnamara an hour ago

    > I'm not clear why any solution to insert new records would take 2 weeks...

    The article mentions some of the challenges, like 1.9e9 sha1 hashes. And 1.9e9 row updates performing poorly in-place, so they created a separate table for the results. Then they got rate limited by email providers when they wanted to tell people about their pwnage

  • enjaydee 5 hours ago

    Thought the same thing, and agree completely with jiggawatts. Troy does very well off the back of this relationship, and on that note I hate how confusing the marketing language of "Microsoft Regional Director and MVP" is.

  • jiggawatts 5 hours ago

    > we run on Azure SQL Hyperscale

    Definitely the wrong technology, and was almost certainly picked only because Troy Hunt is a "Microsoft Regional Director and MVP".

    Many other technologies scale better for this kind of workload. Heck, you could ask ChatGPT to write a short C# CLI tool to process the data on one machine, you don't even need a huge box.

    This kind of thing comes up here regularly on HN for problems such as duplicate password detection, leaked password filtering, etc...

    After previous brainstorming sessions the general consensus was that it's really hard to beat a binary file that contains the sorted SHA hashes. I.e.: if you have 1 billion records to search and you're using a 20-byte SHA1 hash, then create a file that is exactly 20 billion bytes in size. Lookup is (naively) just binary search, but you can do even better by guessing where in the file a hash is likely to be by utilising the essentially perfectly random distribution of hashes. I.e.: a hash with a first byte value of "25" is almost certainly going to be 10% of the way into the file, etc...

    It's possible to create a small (~1 MB) lookup table that can guarantee lookups into the main file with only one I/O operation of a fixed size, such as 64 KB.

    Sorting the data is a tiny bit fiddly, because it won't fit into memory for any reasonably interesting data size. There's tricks to this, such as splitting the data into 65,536 chunks based on the first two bytes, then sorting the chunks using a very ordinary array sort function from the standard library.

    On blob storage this is super cheap to implement and host, about 50x cheaper than Azure SQL Hyperscale, even if it is scaled down to the minimum CPU count.
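    jiggawatts' sorted-hash-file layout, as an added example (my code, not HIBP's or the commenter's): 20-byte SHA-1 digests are bucketed by their first two bytes, each bucket sorted with the library sort and the buckets concatenated; a 65,537-entry offset table then turns a lookup into one seek and one read of just that bucket, and `guess_offset` shows the "first byte 25 means 10% into the file" interpolation trick. The chunks stay in memory here (on real data each would be its own temp file), and the password corpus is constructed.

```python
import hashlib
import io
import struct
from typing import BinaryIO, Iterable, List

RECORD = 20          # one raw SHA-1 digest per record, no separators
BUCKETS = 1 << 16    # the first two bytes of a digest pick its chunk


def sha1_bytes(password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-8")).digest()


def bucket_of(digest: bytes) -> int:
    return (digest[0] << 8) | digest[1]


def build_sorted_file(digests: Iterable[bytes]) -> bytes:
    """Split into 65,536 chunks by the first two bytes, sort each chunk with
    the ordinary library sort, and concatenate. Because the chunk order is
    the prefix order, the concatenation is globally sorted."""
    chunks: List[List[bytes]] = [[] for _ in range(BUCKETS)]
    for d in digests:
        if len(d) != RECORD:
            raise ValueError("expected a 20-byte SHA-1 digest")
        chunks[bucket_of(d)].append(d)
    out = bytearray()
    for chunk in chunks:
        out.extend(b"".join(sorted(set(chunk))))   # set() drops duplicates
    return bytes(out)


def build_index(data: bytes) -> List[int]:
    """Byte offset of the first record of each bucket plus an end sentinel:
    65,537 integers, about 0.5 MB when packed as uint64 (see pack_index)."""
    n = len(data) // RECORD
    index = [0] * (BUCKETS + 1)
    pos = 0
    for b in range(BUCKETS):
        index[b] = pos * RECORD
        while pos < n and bucket_of(data[pos * RECORD:pos * RECORD + 2]) == b:
            pos += 1
    index[BUCKETS] = n * RECORD
    return index


def pack_index(index: List[int]) -> bytes:
    """Serialized form of the index, small enough to keep in RAM."""
    return struct.pack(f"<{len(index)}Q", *index)


def lookup(fh: BinaryIO, index: List[int], digest: bytes) -> bool:
    """One seek and one read of the digest's bucket, then a binary search
    inside that block; never touches the rest of the file."""
    b = bucket_of(digest)
    start, end = index[b], index[b + 1]
    if start == end:
        return False                      # empty bucket: nothing to read
    fh.seek(start)
    block = fh.read(end - start)
    lo, hi = 0, (end - start) // RECORD
    while lo < hi:
        mid = (lo + hi) // 2
        rec = block[mid * RECORD:(mid + 1) * RECORD]
        if rec < digest:
            lo = mid + 1
        elif rec > digest:
            hi = mid
        else:
            return True
    return False


def guess_offset(digest: bytes, file_size: int) -> int:
    """Interpolation guess: digests are uniformly distributed, so the leading
    32 bits as a fraction of 2**32 estimate how far into the file it sits."""
    frac = int.from_bytes(digest[:4], "big") / (1 << 32)
    return (int(frac * file_size) // RECORD) * RECORD


def is_pwned(fh: BinaryIO, index: List[int], password: str) -> bool:
    return lookup(fh, index, sha1_bytes(password))


if __name__ == "__main__":
    corpus = ["123456", "password", "hunter2", "admin", "abcdef", "hunter2"]  # constructed
    data = build_sorted_file(sha1_bytes(p) for p in corpus)
    index = build_index(data)
    fh = io.BytesIO(data)
    for pw in ("hunter2", "correct horse battery staple"):
        print(pw, "->", is_pwned(fh, index, pw))
```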

8cvor6j844qw_d6 3 hours ago

Anyone have thoughts on Bitwarden / 1Password / Proton Pass?

Proton Pass feels too new for me but eagerly awaiting good feedback / reviews. However, "don't put all your eggs in one basket" might apply here.

Went with Bitwarden instead of 1Password since it's open source, and I imagine (in my uninformed opinion) that a larger userbase by being free means more issues might be encountered and ironed out.

  • LilBytes 2 hours ago

    1Password is awesome.

    I haven't really looked at anything else but I found >2 years ago the UI of BitWarden to be ordinary. And it was more awkward to manage a company.

    Went with 1Password in the end, and that you get a free Family account with a Business account is great.

    Your position on how BitWarden is open source should contribute to any decision you make though.

layer8 6 hours ago

Interestingly, the HIBP data seems to have an expiration date. My email address from the Dropbox data breach [0] is now shown as having no recorded breaches, although it did back in 2016 after HIBP acquired that dataset.

[0] https://haveibeenpwned.com/breach/Dropbox

jlund-molfese 7 hours ago

Post should've been titled "1.3 billion passwords were exposed", because, even though the number is slightly smaller, it actually represents something much more important.

  • layer8 6 hours ago

    The number of passwords is probably smaller. ;)

    • bobmcnamara an hour ago

      ~1.3e9 passwords, ~1.9e9 (account, password) tuples, if I understood

sloped 6 hours ago

I switched to using masked emails with Fastmail primarily so I could see who sold my data. The potential security benefit was not really a driver. Having 1Password be able to generate a unique email makes it a no-brainer these days. For those services that require a username that is not your email, they can usually be used without the domain part. Works really well.

I even wrote a tiny little local only web app that I can use to generate a masked email on my phone, so when I need an email for an in person thing I can just show them my brand new weird email directly on my phone.

  • digiconfucius 6 hours ago

    Any interesting finds on companies that tried to sell your data?

    • sloped 6 hours ago

      Not really any places where things get sold, but opt-in in the background for newsletters is bad in certain sectors. Ticket platforms are terrible. I like to use a new email for every event and boy does that lead to new round of clicking opt-out until I can deactivate the email after the event has concluded.

  • frankdvn 5 hours ago

    I just learned that FastMail provides an iOS shortcut to "Create Masked Email".

    Just be careful, you must press Save after or else you'll lose it.

hypeatei 7 hours ago

Cynicism is everywhere these days but these events really don't register for me anymore. Companies aren't punished by the government for these leaks and they aren't punished by consumers either. What incentive is there to reduce this data collection in the first place or to lock down your databases?

Even if someone's security is awful as the consumer and their account gets hacked because of these leaks, what are the actual consequences of that? Oh bummer, they need to reset their password and make a few phone calls to their bank to reverse the fraudulent charges then life goes on. Techies view that as unacceptable but most don't really care.

  • morshu9001 6 hours ago

    I don't care for most things, but banking is one place I've been bitten pretty hard without even getting hacked. Not going to extremes to protect it, just gonna make sure it's decent.

senorqa 3 hours ago

If there's no meaningful reward or punishment for keeping or leaking PII, companies won't do anything about it. They'll keep collecting sensitive info unless they're educated or forced not to collect unnecessary PII.

  • adabyron an hour ago

    Not just this but the lack of diligence by companies that allow accounts to be created, bills to go unpaid & then sent to collection agencies is something that needs to change.

    Speaking as someone who has had companies give away my PII and then other companies open accounts with it without contacting me until bills are due.

    None of this should be the fault of innocent individuals.

  • tencentshill 3 hours ago

    We need to make storing customer data and recommendation algorithms a liability.

jacquesm 4 hours ago

I totally respect Troy and the work he's doing, but I still can't justify to myself the risk of typing my passwords into his website because that would be the very first time that I would use any of those in places other than the ones where I normally use them.

Is there a way around this?

Edit: to answer my own question, I should read a bit more rather than click on the first link, the answer is here:

https://haveibeenpwned.com/API/v3?ref=troyhunt.com#PwnedPass...

Which uses:

https://en.wikipedia.org/wiki/K-anonymity
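The k-anonymity range check this thread keeps circling (drexlspivey's "5 lines of python", zahlman's 5-nybble prefix, and the API linked above), as an added example that is not from the original post or from HIBP: only the first five hex characters of the SHA-1 leave the machine, and the match against the returned suffix list happens locally. The sample range body and its counts are constructed; `online_fetch` uses the real `api.pwnedpasswords.com/range/` endpoint but is not exercised here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the range response for prefix "5BAA6" (the first
# five hex digits of SHA-1("password")). A real response has the same
# "SUFFIX:COUNT" lines; the counts and the other two suffixes are made up.
# The ":0" line is what the Add-Padding option produces and must be ignored.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F3C4D5E6F708192A3B4C5D6E7F8091A2B3:0
"""

RangeFetcher = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the key Pwned Passwords is indexed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str) -> Tuple[str, str]:
    """(5-char prefix that is sent, 35-char suffix that never leaves)."""
    return sha1[:5], sha1[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding rows (count 0)."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            raise ValueError(f"malformed range line: {raw!r}")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Breach count for the password, 0 if unseen. Only the 20-bit prefix is
    handed to fetch_range, so the server learns one of 2**20 ranges, not the hash."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def online_fetch(prefix: str) -> str:
    """Real endpoint (not called in this example). Add-Padding: true asks the
    server to pad the reply so its size does not hint at which suffix matched."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "Correct Horse Battery Staple"):
        print(pw, "->", pwned_count(pw, offline_fetch))
```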

  • arealaccount 4 hours ago

    DM me your passwords Ill do it for you

zahlman 6 hours ago

From what HIBP tells me (from an email address; I am not about to put any site's password in there, I don't care that they don't know who I am or what it's for):

> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords.

(Edit: this is also directly linked in TFA. Well, I guess the site was still somewhat successfully advertised here...)

So, this doesn't seem to comprise new information, and doesn't imply that your email has been associated with your password by the hackers.

Although they probably do have passwords for a couple of services I don't use any more, which I have not reused.

zkmon 7 hours ago

I think we should stop seeing email address as a secret or something that can be "stolen". Password? who is still storing passwords on their servers, instead of a hash?

  • berkes 7 hours ago

    A lot of companies and services are storing unsalted hashes of passwords. Which is not much better than storing plain-text passwords.

    It's becoming less common, and even languages with a "strong legacy body" like PHP have sane defaults nowadays, but I do see them around when I do consultancy or security reports.

    "Never fix something that ain't broken" also means that after several years or a decade or more, your "back then best security practices" are now ridiculously outdated and insecure. That Drupal setup from 2011 at apiv1docs.example.com could very well have unsalted hashes now. The PoC KPI dashboard that long-gone freelancer built in Flask 8 years ago? Probably unsalted hashes. And so on.

  • gretch 7 hours ago

    Given enough time, hashes are reversible via brute force.

    If the attacker steals the entire password table undetected, they have a large amount of time to generate soft collisions. After all they don’t need to hack any particular account, just some 50% of the accounts.

    The time can be increased by some coefficient via salting, but the principles remain the same.

    • MattSteelblade 5 hours ago

      For password hashing, only short-output or broken hash functions have practical collision concerns. The odds of any random collision with a 256-bit hash, and not with a specific hash, is 50% at 2^128 inputs. Salting is a defense against precomputation attacks like rainbow tables and masking password reuse. Attackers crack password dumps by trying known password combinations, previously compromised passwords, brute force up to a certain length, etc. and using the hashing algorithm to compare the output.

yawgmoth 3 hours ago

When you have days like this, 2-10 billion and you want to search it, what are the cheapest options? Reindexing could be slow, but search should be reasonably quick. It would be really expensive to do this all in, say, Elastic, right? Especially if you had a bunch of columns?

rkagerer 7 hours ago

The bit at the end about email deliverability was also interesting:

Notifying our subscribers is another problem... in terms of not ending up on a reputation naughty list or having mail throttled by the receiving server .... Not such a biggy for sending breach notices, but a major problem for people trying to sign into their dashboard who can no longer receive the email with the "magic" link.

And this observation he got from someone:

the strategy I've found to best work with large email delivery is to look at the average number of emails you've sent over the last 30 days each time you want to ramp up, and then increase that volume by around 50% per day until you've worked your way through the queue

  • legitster 6 hours ago

    This is also known as "warming a domain" in the email world. A large rush of emails from an email server is an indicator of a hack or takeover, so anti-spam software may flag an IP address that surges in activity.

ptrl600 6 hours ago

Are there any email services which allow basically unlimited aliases with long, random names?

I'm using my own domain right now, but that can only uncover who has leaked my data; does not provide additional privacy.

  • omeletdufromage 2 hours ago

    Another commenter mentions ProtonMail, but somewhat unadvertised is with a paid Proton sub (I forget which tier), you also get access to SimpleLogin. It's a service which lets you create new email aliases with your domain that just send them to another email you own. (Also lets you send emails as that alias, so the other end doesn't see your real address.)

    I use it with Vault/Bitwarden, which lets me generate email addresses of format `<uuid>@my.domain.com` when I create new login info for services.

  • mkl 5 hours ago

    Use a catch-all inbox. Fastmail supports them well in its web interface. I use unique addresses for every organisation.

  • bootlooped 6 hours ago

    I know you can set up "catch-all" email with a custom domain through Proton Mail.

    I don't think there's any limit on gmail + codes.

  • stOneskull 2 hours ago

    proton unlimited, i think. mail plus doesn't seem to do it, which kinda sucks.

  • mac-attack 6 hours ago

    duckduckgo's free email aliases. Can use it as a front-end and keep your existing domain

    • ptrl600 3 hours ago

      I misphrased my query; I already run my own mail server and am using a unique e-mail address for every service. I'm wondering if there's a provider with a common domain name shared between lots of users that still allows such a large number of aliases. That would let me use a fake name for anything that doesn't need my real identity, and wouldn't reveal my identity in the case of a breach. Has any e-mail provider found a way to implement this while preventing abuse?

  • gostsamo 6 hours ago

    check simple login. they were bought by Proton, but you can use them without the parent.

gorgoiler 6 hours ago

I’ve always had a bit of a chip on my shoulder about HIBP’s switch to charging for domain searches. It felt a bit like those travel visa scalpers who charge 50 CURRENCY_UNIT to file an otherwise gratis form on your behalf.

Law enforcement should provide this kind of service as a public good. They don’t, but if you do instead, I don’t think it’s cool to unilaterally privatize the service and turn it into a commercial one.

I voted with my feet but this post feels like a good enough place to soapbox a bit!

1970-01-01 5 hours ago

Giving out fake information is the only solution. Real name is only for the government and your employer.

elwebmaster 6 hours ago

Why are we still using passwords? Why can’t all login be done with asymmetric keys: your public keys are stored on the server, your private keys on the device. Carry a backup pair on your USB and treat it as a key to your house. Any of them got lost? Just delete the respective public key from the service.

  • magackame 5 hours ago

    That's passkeys. Google and Microsoft are pushing in that direction.

    • elwebmaster 3 hours ago

      I have never seen a website where I can sign up without a password and using only email and passkey. Is there one? All websites treat passkeys as an “add-on” to the passwords of the last century. Totally backwards thinking.

debugnik 6 hours ago

> However, none of the other passwords associated with my address were familiar.

Could at least some of those cracked passwords be hash collisions for really weak choices of hash? I once looked up an email of mine on a database leak, and found an actual outdated password except for random typos that I suspect hashed the same.

gausswho 7 hours ago

Amidst all of these pwnings, we still don't have a standard way to update our passwords from our password managers automatically.

  • throawayonthe 7 hours ago

    if we could have standardization like that, we wouldn't need passwords

    • phoronixrly 7 hours ago

      We also wouldn't be having an issue with password leaks as I expect it would be simpler to move on to passkeys (or something else) than implementing a standard way of password rotation...

      • XorNot 6 hours ago

        Except passkeys are an opaque, awful solution.

        They're hard to explain to users, the implementations want to lock people to specific devices and phones, you can't tell someone a passkey nor type it in easily over a serial link or between two devices which don't have electronic connectivity.

  • bl4ck1e 7 hours ago

    If there was a standard, do you know how long it would take to get adopted across the interwebs.

  • mbesto 7 hours ago

    Passkeys essentially solve this, however they are not backwards compatible. If they were backwards compatible (e.g. an automated way to change passwords) then you might as well just enable Passkey as a replacement. That's the conundrum.

  • goalieca 7 hours ago

    I feel like we missed the chance to have a standard http resource for this stuff.

    • berkes 7 hours ago

      yes!

      It's a shame, IMO, that Basic Auth never got updated or superseded by something with a better UX and with modern security.

Retr0id 5 hours ago

The scale of infostealer malware is really staggering. I'd have naively assumed that OSes were getting locked down so much by default these days that local malware was less of an issue.

eckesicle 7 hours ago

Is there any real drawback to just never giving your real name or address to service providers to minimise the chance of identity theft? Most likely it’s against terms of service, but other than account suspension are you likely to suffer any legal consequences?

  • rkagerer 6 hours ago

    Anonymity on the Internet is going out of vogue.

    The only way to fix the ToS issue you raised is through regulation protecting it.

    Unfortunately we're going the other direction, with efforts like verified ID gaining traction in some parts of the world.

    It's ironic because in most cases anonymity (or allowing an alternate identity that has its own built-up reputation) would offer real protection, while the verification systems are arguably security theatre.

    I don't care what technical genius is built into your architecture, as soon as you force a user to plug their ID information into it, they've forked over control along with any agency to protect their own safety.

  • bigbuppo 6 hours ago

    The ad tech companies can associate any fake identity with your real identity. So no, there is no problem. Good thing that all ad tech companies are fully on the up-and-up and have never been compromised to spread malware.

  • Aurornis 6 hours ago

    Service providers generally use your name and address to validate your billing method.

    If you can pay by some method that doesn’t require name or address then go ahead and use a fake name.

    • legitster 6 hours ago

      Depending on the service, the billing data may be in its own database outside of the user tables.

  • hn_acc1 6 hours ago

    I mean, for some services, like banks / credit cards, it's required.

    For others, I try to stay anonymous / aliased where possible.

mbana 3 hours ago

Do some research on passwords, in particular read Bruce Schneier's stance on passwords.

hk1337 4 hours ago

I'm guessing this is total, not an alert that something happened last night that exposed 2 billion email addresses.

layer8 6 hours ago

Amusingly, hunter2 is listed with over 50.000 breaches.

brikym 6 hours ago

It boggles my mind that most email providers don't have a way to generate aliases for sign ups. Looks like proton and fastmail support it.

1a527dd5 5 hours ago

This explains why my outlook/hotmail account had a 2fa prompt from a country I've never been in a few days ago.

Checked my password on https://haveibeenpwned.com/Passwords :-

  This password has been seen 1 times before in data breaches!

_Great_.

galaxyLogic 6 hours ago

What about "pass-codes"? Weren't they supposed to replace passwords?

hirvi74 7 hours ago

I have really started to use the 'Hide my email' feature from iCloud. It's been so nice. If an email gets pwned, which often happens from a service I stopped using many moons ago, then I just deactivate or delete the email address. I imagine many other services provide this feature as well, but it's what's most convenient for me at this time.

  • rkagerer 6 hours ago

    Can anyone recommend a good third party service that provides similar functionality and a great user experience?

    For those of us who don't want to entrust this to Apple and who'd like to use our own domain?

    • hylaride 5 hours ago

      There are several options to choose from, but most data brokers will know that small custom domains go back to a certain or small group of people.

      That being said, this is a good list:

      https://www.reddit.com/r/privacy/comments/108wzvg/what_is_th...

      Not sure I trust the longevity of some of them, though. I do use https://temp-mail.org/en/ or other similar services for some logins for some services I'm not afraid to lose access to, though (especially for places likely to spam me).

zwnow 7 hours ago

Can anyone enlighten me why an exposed email address is an issue? I get it if it's some kinda admin@foo.com but my private mail, why would I care? It's not like they have my password?

  • worldfoodgood 7 hours ago

    > Oh - and 1.3 billion unique passwords, 625 million of which we'd never seen before either.

    It's not just email addresses. It's address + password combos.

    But also, how did 2 billion email addresses get exposed? Assuming I give an email address to a company (and only that company), if someone gets access to that email address they either got it from me or that company. Knowing the company has sold, lost, or poorly protected my email address tells me they are maybe not worth working with in the future.

    • buzer 5 hours ago

      > But also, how did 2 billion email addresses get exposed?

      The list contains emails which have been part of some other breaches. In my domain I have 2 emails that were exposed that weren't my normal email address. One of them was a typo that I used to sign up for one service which was later breached. The other one was something someone used to register for a service that I have never used & that service was later breached. Those emails have never been used for anything else as far as I'm aware.

      Of course, judging from what was posted, there are likely some other services as well which were breached but weren't noticed/published until now.

    • zwnow 7 hours ago

      Yea a combo is more problematic, I could see why that's an issue. Most important stuff in my life has 2FA with my phone thankfully. My banking password got breached like 3 years ago and I still didn't change it... nothing ever happened. I am guessing tech companies that could have huge negative influence on your life should have additional security measures in place, like not allowing a login from a different country unless some kinda mobile code is provided or stuff like that. I'm pretty naive with all that tbh.

  • dylan604 7 hours ago

    Until they figure out the password to that email and then take over everything else in your life. They are not collecting email addresses because they are useless.

  • santiagobasulto 7 hours ago

    Could lead to massive impersonation attempts. All the folks here on HN are probably very tech savvy, so we'll likely have a strong password + 2FA. But mom and pops that just got their email addresses leaked? Probably not. So they might start just trying out a rainbow table of common passwords and getting access to people's emails. Once you're there, getting to home banking and other privileged resources is not hard.

  • clickety_clack 7 hours ago

    It's not the email address itself that's important, it's that the email address is a key identifying users in data breaches. The email addresses are presumably linked to breaches of PII or passwords etc.

  • elorant 7 hours ago

    One reason is spam. The other is that in many cases passwords are leaked too.

  • ddxv 7 hours ago

    Yeah, I agree. I consider them like public keys or IPs.

  • 295fge 7 hours ago

    Troy Hunt’s brand is to exaggerate secret risk.

ChrisMarshallNY 5 hours ago

I think, at this point, we should just assume that our emails are out there. Can't put the candy back in the piñata.

My main email addy is an OG mac.com address. I registered it about five minutes after Steve announced it. My wife got her first name, but I suspect that Chris Espinosa already had chris@mac.com.

In any case, it was compromised back when Network Solutions sold their database to spammers (or some other scumbags sold their database), and it's been feral, ever since. Basically, most of this century.

I've survived it. I maintain Inbox Zero, frequently.

One of the saving graces is that mac.com has "aged out," so most of the spammers switched over to icloud.com, and that means I can just set up a rule to bin anything that comes into icloud.com.

joe5150 7 hours ago

It's honestly very hard to even care at that scale.

cryptoegorophy 6 hours ago

- Set up a website with an article that 3 billion emails were exposed
- Offer a form to check if your email was leaked
- Start getting a confirmed emails list

  • sfilmeyer 6 hours ago

    Troy Hunt has been running Have I Been Pwned for years. He even uses the k-anonymity model to allow you to search if a password has been pwned without giving him the password if you don't trust him.

    I get your general point, but he's been a leader in this space and walking the walk for a decade. I'm not even into security stuff or anything particularly related to this, and I still recognized his name in the OP domain.

    • kmeisthax 5 hours ago

      More importantly, since HIBP sells monitoring services to 1Password, if they were maliciously collecting this data they would be immediately sued to oblivion.
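
The k-anonymity lookup sfilmeyer refers to, as an added example (not HIBP's own code and not from this thread): only the first five hex characters of the password's SHA-1 are sent, and the matching 35-character suffix is searched for locally in the returned range. The sample range body and its counts are constructed for this example; the api.pwnedpasswords.com range URL is the public one.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response: each line is "<35-hex SHA-1 suffix>:<count>".
# The counts are made up for this example; the first suffix completes the real
# SHA-1 of the string "password" (prefix 5BAA6).
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAAF4D8E6C2F1A5F98A9B2C3D4E5F601:2
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split it into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the dataset (0 if absent).
    fetch_range(prefix) performs the lookup; the server only ever sees the
    5-char prefix, so it learns a bucket of candidates, not which one is yours."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live lookup against the public Pwned Passwords range endpoint."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo with the constructed body; pass fetch_range_http to go live.
    print(pwned_count("password", lambda _prefix: SAMPLE_RANGE_BODY))
```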

submeta 7 hours ago

I have a throwaway email address for every website that requires signup. And a new password for every signup. Using Fastmail and a password manager. When email addresses/passwords leak, I know which one I have to replace.

gostsamo 6 hours ago

I checked a few of my passwords and a few random ideas. It turns out that I'm not the only one who finds the Star Wars drone names a good inspiration for a password, but the rest were okay. Proud that I found a password which leaked in only one breach. Whoever has used "feromancer" as a pass, congrats, you might be unique among a big part of humanity.

waynesonfire 6 hours ago

Another ad for have i been owned? ... How much does it cost to advertise on hackernews?