
Make sure you sign yourself up for something like https://haveibeenpwned.com if you haven't already. Sometimes being timely in responding to leaks can make a big difference on any further leaks.


This was a strange way to find out that I have a Tumblr account.


Exactly my reaction.


Myspace and Adobe, neither of which is present in my password manager. Huh, no memory of those.


I think there was a time when it was once considered a vaguely normal blogging platform.


It's abnormal now?


Lol, that was my initial thought too. Also, I obviously once had an account on vBulletin.


Haha same here.


Also note the guy that runs it is the one that wrote this article.


Wow, thanks for this. I just found out that my email address was breached 3 times, while only one company sent an email informing me of the breach.


Also, LastPass uses a similar site, plus it's specific knowledge of your passwords (last time it was changed), to let you know if a password has been compromised.

Not sure if 1Password does as well, but it seems like a fairly obvious feature to add.


1Password has a "Watchtower" feature that "identifies websites that are vulnerable to Heartbleed". Also under Security Audit are sections for Weak Passwords, Duplicate Passwords, and groupings of password ages (3+ years old, 1-3 years old, 6-12 months old for me). It does not appear to keep track of leaks/hacks.

https://watchtower.agilebits.com/


The problem with this feature seems to be that it thinks if the site reissues its certificate it means all passwords there were compromised. Which leads it to mark all old passwords as vulnerable, even if no breaches were actually reported for the site.

The certificate/password link is a guess, since on their website they say to change the password starting with a date that matches the date of certificate reissuance.

This seems to be related to Heartbleed; it also lists a site that didn't reissue its certificate after Heartbleed as vulnerable, and so for passwords there it seems to be regardless of age.

I am a long-time 1Password user and have a lot of old passwords, so for me something like 90% of passwords are listed as compromised, which I'm pretty sure is not the case.


It does.


Can't upvote hard enough. Also, it is shocking how bad security is for all these games I've played over the years. The publishers seem to be the source of the vast majority of these leaks I've been caught in.

Thankfully the notification emails from this service are prompt and helpful (not to mention totally free).


Ironically, the https://haveibeenpwned.com certificate is signed by StartCom, which is the same as WoSign https://news.ycombinator.com/item?id=12411870, which means it basically trusts a known scammer to provide its security, and one should not be giving this site any information one doesn't want to see in public.


I think it should hash the entered email client-side in JS to be more trustworthy. I am a bit worried about giving my various email addresses to some random site.


If you don't trust it to keep your email safe why would you trust it when it says it's going to hash your address?

Also it's an email address, not your credit card number.


I'm not sure how much I can trust the results of a site that claims an email address I only use for one site has been breached on sites and services I've never been to. However it's calculating whether what you enter into the form appears in the leaked content, it sure gives a lot of false positives.

Which I suppose forces more awareness, but it doesn't instill a lot of confidence.


From https://haveibeenpwned.com/FAQs :

Why do I see my username as breached on a service I never signed up to? When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.


A false positive from your perspective doesn't mean your email address isn't actually being used to sign up for things.

My primary personal email address is routinely used by a small handful of other real people (all strangers) for all sorts of things - college applications, car insurance, some address books think it belongs to a cousin who gets included in a lot of group threads about reunions and full of photos. I've found the families more difficult to unsubscribe from than the services, name+email associations spread like a virus. I routinely get alarming/misleading "Someone has your password!" security alerts from Google after someone tries to list my email as a backup account.

These little strings we use to identify ourselves can be typed by anyone, anywhere, bot or human. I wouldn't worry too much about false positives.


I wouldn't worry too much about false positives.

It's not that I'm worried, it's that it's a distraction. When the margin of error is high enough, it becomes less signal and more noise, which leads to either panic (spending all your time managing access credentials) or complacency (ignoring the indicators).


I have the same problem. Do you have any suggestions on how to handle such emails?


It's worth pointing out that other people can use your email address to create accounts. It's just a string of characters to type in.

They might not even know it's yours, like if your email is davidsmith@gmail and they fat-finger davidrsmith@gmail--boom, "you" now have an account.

Good services use double-opt-in to ensure that every account is actually tied to a correct and working email address. But not every service does this.

And even services that do use double opt-in will create a row in their database to note that a confirmation email was sent out. If they never scrub those invite rows, "your" email address will still be in the DB when it's exfiltrated, even if the confirmation process was never completed.
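The double-opt-in failure mode described in the comment above, as an added example that is not part of the thread: a minimal signup store that records a pending row when the confirmation mail goes out, confirms only with the right token inside a TTL, and scrubs stale unconfirmed rows. The table layout, the 24-hour TTL and the sample addresses are assumptions made for illustration; `dump_emails` shows what an attacker exfiltrating the table would see before and after the scrub.

```python
"""Added example, not code from the thread: why an unconfirmed e-mail address
still ends up in a dumped table unless pending double-opt-in rows are scrubbed.
The store layout, TTL and sample addresses are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

PENDING_TTL = 24 * 3600  # assumption: confirmation links are valid for one day


@dataclass
class Signup:
    email: str
    created_at: float
    confirmed: bool = False
    token_hash: str = ""  # only the hash of the confirmation token is stored


class SignupStore:
    def __init__(self) -> None:
        self.rows: Dict[str, Signup] = {}

    def start_signup(self, email: str, now: float) -> str:
        """Create a pending row and return the raw token that goes into the e-mail."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.rows[email] = Signup(email=email, created_at=now, token_hash=digest)
        return token

    def confirm(self, email: str, token: str, now: float) -> bool:
        """Second opt-in step: succeeds once, with the right token, inside the TTL."""
        row = self.rows.get(email)
        if row is None or row.confirmed:
            return False
        if now - row.created_at > PENDING_TTL:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(row.token_hash, presented):  # constant-time compare
            return False
        row.confirmed = True
        return True

    def scrub_expired(self, now: float) -> int:
        """Delete unconfirmed rows past the TTL; returns how many were removed."""
        stale = [e for e, r in self.rows.items()
                 if not r.confirmed and now - r.created_at > PENDING_TTL]
        for email in stale:
            del self.rows[email]
        return len(stale)

    def dump_emails(self) -> List[str]:
        """What an attacker who exfiltrates the whole table would see."""
        return sorted(self.rows)


def demo() -> dict:
    """Constructed scenario: one real user confirms, a stranger enters someone
    else's address and never clicks the link."""
    now = 1_700_000_000.0
    store = SignupStore()
    token = store.start_signup("davidrsmith@example.com", now)
    store.start_signup("davidsmith@example.com", now)  # mistyped address, never confirmed
    confirmed = store.confirm("davidrsmith@example.com", token, now + 60)
    before = store.dump_emails()                     # both addresses present
    removed = store.scrub_expired(now + PENDING_TTL + 1)
    after = store.dump_emails()                      # only the confirmed one remains
    return {"confirmed": confirmed, "before_scrub": before,
            "removed": removed, "after_scrub": after}


if __name__ == "__main__":
    print(demo())
```

Without the periodic `scrub_expired` pass, the second address sits in the table indefinitely and shows up in any later dump, which is exactly how someone who never signed up appears in a breach.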


I think false positives like this are worth reporting upstream.

FWIW I was subscribed and didn't get anything until this most recent breach. Unfortunately Gmail thought it was spam (speaking of false positives!).


true... but unfortunately in this case (Dropbox) you would have gotten a notification about 4.5 years later ;-)


Damn, thanks for this. It seems that I've actually been pwned at some point.


Fun fact: Have I Been Pwned neither salts nor hashes the creds which it stores on its website, potentially making itself an interesting target for hackers[0]

[0]: http://risky.biz/RB388


HIBP doesn't store passwords, it only stores usernames and email addresses.


apologies, s/"creds"/"user data"


How exactly do you expect them to send an email to an address they only have a hash of?


HIBP hosts only completely public, already leaked data -- that's how they source their data.



