The blog post says that the breach was notified to users, but as some comments here and the post itself are complaining, it doesn't contain any actionable info.
The official message is that "if you had been doing things right, you don't have to worry". No sh_t Sherlock! But I also worry about my dark past when I was young and ignorant and used weak passwords, before starting to do things "right"... (on the other hand, given the amount of money I paid for HIBP, this is of course just unwarranted entitlement on my side, so I'm just talking half-seriously).
I tried to do a trivial grep match on my list of sites, but the regex ended up being a bit long given that hostnames can have lots of variations and it's not so trivial to match them with the format used in the breach. So I've put it all in a Gist in case it is useful for other people:
> Get a password manager, use strong and unique passwords
That's more like the overall "mission" of Have I Been Pwned: convince people to do that. It's not a particularly actionable suggestion that receivers of the alert email can perform (because, albeit here we're discussing the blog post, actually this has been emailed as a Breach Alert to all HIBP subscribers).
To be fair, this promises to be a service that alerts you when your accounts get compromised, and that's 100% what they have done. But in past similar emails, they also contained actionable advice, such as "go to example.com and change your password", which here is missing, so I guess users are left wondering what they can do apart from either ignoring the breach or changing absolutely all their passwords just in case any of them was leaked, or munging on their own the provided TXT listings (which most won't do).
"Use strong and unique passwords" is a good practice, but it's not really actionable in response to these breaches.
How many normies without password managers remember every site where they created an account in the last five years? Even if they start using strong and unique passwords now, they won't go back and change passwords in services they've forgotten.
All I know from Cit0Day is that my account was breached in one or more of 23000+ sites. I can't tell which one(s), so it's not actionable.
Troy runs haveibeenpwned as a free public service, so it's not right to ask him to do more than he already has. But to be actionable, each email in the Cit0Day dump could be associated with the individual sites so users would know where they'd been pwned.
I use unique email addresses for every website, so I can confirm that this breach includes a new leak from an address created in October 2019.
In my case it was just from a guest order at some random restaurant; nothing critical.
Oddly, I didn't see the website in the list of files in the leak. So the file list might not be "complete", in the sense that grepping it won't be 100% accurate.
Just FYI.
EDIT: As always, thank you Troy for running HIBP. You're a hero.
How do you know which site needs a password reset? I'm in the same boat, but apart from downloading this entire leak somehow, I don't know which site I need to reset.
I don't know why this was flagged. Sure, somebody could be asking about doing this because they want everybody else's data. On the other hand, that's why Troy Hunt did it, so that doesn't seem to be a problem in and of itself. Plus, the most obvious reason to ask this question is the actual reason stated. I'd like to be able to do that, too, frankly.
I'll answer the question, though: Not unless you know how to find it.
Looked up my domain, it seems to be old data breaches. I have been using unique email aliases for all websites for at least 5 years and the emails there predate that, and were on previous data breaches.
It's not just old breaches. I do similar things, and got a new address reported. Unfortunately, the new address is one I actually use for a bunch of things, so now I have to go through the site lists.
Edit: I looked through email at the services I signed up for with this address, and searched through the list; I'm fairly sure it's the account for a local game club :(
It could have been breached recently, that's true. But not for a website I currently use. I switched off those old emails and I am currently only using aliases (I know it's not very helpful without a list of websites I use).
The other thing I do is that I monitor failed SMTP connection attempts to my mail server, particularly when they use one of these unique email aliases. That gives me advance notice that the website has been breached, and I have quite a few that are not on HIBP's radar.
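The SMTP-side early warning described in the comment above, as an added example (not the commenter's own setup): a small parser over constructed Postfix-style rejection lines that maps each rejected recipient back to the site its alias was given to. The alias map, the log lines and the rejection text are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed map of per-site aliases (the "unique email aliases" idea).
ALIASES = {
    "gameclub-7f3a@example.org": "local game club",
    "restaurant-91b2@example.org": "random restaurant",
    "bank-04cd@example.org": "my bank",
}

# Constructed Postfix-style smtpd log lines (not real logs): two rejections to
# the game-club alias from different senders, one ordinary accepted connection,
# and one rejection to an address that is not one of the aliases.
LOG_LINES = """\
Nov 20 10:15:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.7.1 <gameclub-7f3a@example.org>: Recipient address rejected: Sender not allowed for this alias; from=<promo@bulk.invalid> to=<gameclub-7f3a@example.org> proto=ESMTP helo=<bulk.invalid>
Nov 20 10:16:44 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.7.1 <gameclub-7f3a@example.org>: Recipient address rejected: Sender not allowed for this alias; from=<win@prize.invalid> to=<gameclub-7f3a@example.org> proto=ESMTP helo=<prize.invalid>
Nov 20 10:20:10 mx postfix/smtpd[1240]: 5D1C3A0B: client=mail.bank.invalid[192.0.2.9]
Nov 20 10:21:33 mx postfix/smtpd[1241]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<promo@bulk.invalid> to=<nobody@example.org> proto=ESMTP helo=<bulk.invalid>
""".splitlines()

# Pull client IP, envelope sender and recipient out of a rejection line.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]:"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)

def alias_rejections(lines, aliases):
    """Group rejected deliveries to known aliases by the site each alias was given to."""
    hits = defaultdict(list)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail or unrelated log line
        site = aliases.get(m.group("rcpt").lower())
        if site is None:
            continue  # not one of my per-site aliases
        hits[site].append((m.group("sender").lower(), m.group("ip")))
    return dict(hits)

def leaked_aliases(hits, min_sources=2):
    """Sites whose alias drew rejected mail from at least min_sources distinct senders.
    One stray sender can be a typo or a list the site itself sold; several is a stronger signal."""
    return sorted(site for site, evts in hits.items()
                  if len({sender for sender, _ in evts}) >= min_sources)
```

Feeding the real smtpd log through `alias_rejections` and then `leaked_aliases` gives the list of sites whose alias has started attracting unsolicited mail; a hit means the alias escaped somewhere, not necessarily a breach of that site.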
They are saying that all of the leaked data has been leaked in the past in other breaches. And because every account has a unique address, this suggests that it doesn't contain newly leaked information.
Tangential, but something I think about every time breaches or password managers come up is this: what if every time I log into a service, I do it through password reset? That way I never have to even store the passwords, and it changes with the frequency of use. The more I use a given service, the less likely I am to be impacted by a password dataset being released. Basically the magic link that Slack uses, but with a few extra steps.
What would be some security pros and cons of this approach? And ultimately, [how] can e-mail be removed as the single point of failure?
A few services do that, for example Liberapay [1]. It's also not much different from how other social sign-in methods work (Facebook, Google, GitHub), only you already have your email on file. I guess the main drawback is the email delivery delay, which is much slower than an HTTP workflow.
There's no way to know which site the e-mail was coming from, but you could at least grep[2] your password database (depends on how diligent you are with entering urls), and check the top leaked sites manually[1].
Note that the first list published by Troy is truncated, so it's not full.
I was planning on an automated check on my passwords via my password manager to see which ones have been stolen. Since my passwords are mostly (I may have missed changing some after the LinkedIn breach) unique these days, I thought I could probably figure out which one was stolen as a result.
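Both the grep attempt earlier in the thread and the "grep your password database" suggestion above run into the same problem: hostnames in a password-manager export and hostnames embedded in the breach file list don't line up textually. The following is an added example (not the linked gist, nor anything from HIBP) of normalizing both sides to a base domain before matching; the site list and the file-list lines are constructed, and only the property that each file-list line embeds the breached hostname is assumed.

```python
import re
from urllib.parse import urlsplit
# Constructed sample: URLs/hosts as they might appear in a password-manager export.
MY_SITES = [
    "https://www.example.com/login",
    "http://forum.example.org:8080/",
    "Shop.Example.net",
    "https://accounts.other-site.co.uk/signin",
]

# Constructed breach file-list lines. The real list's naming is not reproduced;
# the only property assumed is that each line embeds the breached hostname.
BREACH_FILES = [
    "Example.com_2019.txt",
    "[Cit0day] mail.example.org (plain).txt",
    "example.org.zip",
    "random-restaurant.com (hashed).txt",
    "other-site.co.uk (plain).txt",
]

EXT_RE = re.compile(r"\.(txt|zip|rar|csv|sql)$", re.I)
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![A-Za-z0-9-])", re.I)
CC_SLD = {"co", "com", "org", "net", "ac", "gov"}  # second-level labels under ccTLDs

def normalize_host(s):
    """Lowercase hostname from a URL or bare host, without 'www.', port or path."""
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host as a netloc
    host = (urlsplit(s).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def base_domain(host):
    """Crude registrable-domain guess (no public-suffix list): last two labels, or three for co.uk-style."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in CC_SLD and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def hosts_in_line(line):
    """Hostnames embedded in one file-list line, after dropping a trailing file extension."""
    return {m.group(1).lower() for m in HOST_RE.finditer(EXT_RE.sub("", line.strip()))}

def match_sites(my_sites, breach_files):
    """Map each of my sites to the file-list lines whose hostname shares its base domain."""
    hits = {}
    for site in my_sites:
        mine = base_domain(normalize_host(site))
        for line in breach_files:
            if any(base_domain(h) == mine for h in hosts_in_line(line)):
                hits.setdefault(site, []).append(line)
    return hits
```

Because the base-domain guess has no public-suffix list, expect a few false matches on unusual TLD layouts; the output is a shortlist to review, not a verdict.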
Apart from downloading the breach and parsing it myself, where can I actually see the password used for my email? I obviously control that email, so there shouldn't be any harm in getting the password delivered there.
I want to know if the password used was fake or real.
Because it advertises the hacker's services and monetizes that hacker without that hacker actually having to go through the trouble of weaponizing the data themselves for monetization?
Because it advertises the breach for sale on a dark net marketplace as people instinctively go look for it? Except for people indoctrinated to believe the dark net is "scary" instead of just like Amazon, because they never looked.
https://gist.github.com/j1elo/50088d6f4587c09fea07b1ccf94ad7...