
Entering my email at https://haveibeenpwned.com/, I was told that I have been pwned. I am in http://pastebin.com/SCLNRHJQ

I already tried

  • to find out my password by simply md5-hashing all my passwords I could think of and comparing them to the hash in pass
  • to check whether someone could easily crack my password by putting the hash into some online md5 "rainbow table service" myself.
  • to find the breached web site by searching my mail for registration notifications received on the registration date given in joined_on
  • to find email received from any mail address in the list.
  • to send an email to the first in the list, asking him whether he knows which site it is and/or whether he possibly is the owner of that site.

All of these loose ends came up blank.

I could only deduce that it has to be a really small LEGO-themed website, but that's it.

So I have changed all my passwords of my most-used accounts, especially the email accounts. The many old and dormant accounts that I don't even know I have are out of reach.

What else can I do?

Alexander
  • Looking at the paste there's references made to LEGO in a number of the usernames which supports your small LEGO-themed website theory – GreatSeaSpider Dec 15 '15 at 09:40
  • That's a great page for collecting email addresses! – pipe Dec 15 '15 at 16:30
  • @pipe Pages like that are one of the reasons I have my own domain and generate addresses as needed. I have entered an address on that page and did not use it anywhere else. So if the addresses entered through that page are abused, I will know. – kasperd Dec 15 '15 at 16:34
  • @kasperd People with gmail accounts don't need their own domain. I frequently use the trick of telling sites my address is _____+@gmail.com. For instance, john.doe@gmail.com could sign up as john.doe+se@gmail.com, and all emails would go to his Inbox just fine. I – Monty Harder Dec 15 '15 at 23:20
  • @MontyHarder That convention was widely used several years before Gmail was launched. The problem is that anybody who wants to abuse the address can just strip off the part you added and abuse the base address in order for you to not be able to track the abuse. However if I tell you that `kasperd@sdfzk.16.dec.2015.kasperd.net` is one of my email addresses, then you cannot immediately deduce another one of my addresses. – kasperd Dec 15 '15 at 23:39
  • @kasperd but if you find a SQL database dump in pastebin, the extra part will not be stripped. So in this case, this could have helped me. – Alexander Dec 16 '15 at 00:02
  • @Alexander But not all such leaks contain email addresses in the first place. And not all such leaks are published. If the leak had been abused to brute force passwords and send spam rather than publish, then the extra information could have been stripped before the address was used for spam. With the addresses I use on my own domain, there is never that uncertainty. I don't have to worry whether a spammer might strip out part of the address and send me spam that I cannot track or block, because if they strip out that part, they will be left with a non-existing address. – kasperd Dec 16 '15 at 00:13
  • This was _probably_ http://www.wallofbricks.com/ , which is run by one dwalton76, and which domain name was registered a week before his first login... – Michael Hampton Dec 16 '15 at 01:18
  • @MichaelHampton Yes, it is, *and* the passwords are UNSALTED MD5, *and* those who crack my password get access to possibly two or three dozen low-impact lego sites like that, all registered around that time frame (but not on that date). Thank you for your suggestion, you hit the bull's eye. I will now change the password on all these sites that I find in my email history. – Alexander Dec 16 '15 at 09:01
  • @Alexander How hard it will be to break a password hash depends on both the password and the hashing algorithm. If your password was strong enough, then a brute force on the MD5 hash will not succeed. But it is still a good idea to change your password on all sites where you have been using that password. – kasperd Dec 16 '15 at 11:46
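The per-site address discussion in the comments above, as an added Python example (not code from the question or any of the commenters): it shows what an abuser gets by stripping a `+tag` from a Gmail-style address (kasperd's objection), how the tag that survives in a database dump still points back at the site that leaked it (Alexander's point), and why the dated per-address subdomain layout in kasperd's comment leaves nothing to strip. All addresses below are constructed; the dated layout is assumed to be `local@<token>.<day>.<month>.<year>.<domain>`, generalised from the single address quoted in the thread.

```python
import re
from datetime import date

# Constructed sample of addresses as they might appear in a leaked dump.
# None of these are real addresses from the paste referenced in the question.
LEAKED_ADDRESSES = [
    "john.doe+brickforum@gmail.com",
    "john.doe+shop@gmail.com",
    "kasperd@sdfzk.16.dec.2015.kasperd.net",
    "someone@example.org",
]

# local+tag@domain  ->  (local, tag, domain)
PLUS_TAG = re.compile(r"^([^+@]+)\+([^@]+)@(.+)$")

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]


def split_plus_tag(address):
    """Return (base_address, tag) for a '+tag' address, or (address, None) otherwise."""
    m = PLUS_TAG.match(address)
    if not m:
        return address, None
    local, tag, domain = m.groups()
    return f"{local}@{domain}", tag


def strip_plus_tag(address):
    """What an abuser does to defeat plus-tagging: drop the tag and use the base address.
    For an address without a '+' this returns the address unchanged."""
    return split_plus_tag(address)[0]


def attribute_leak(addresses, my_base_address):
    """Defender's use of a dump: which of *my* tags appear in it, hence which site(s)
    leaked. Returns {tag: full_address}. Comparison is case-insensitive."""
    hits = {}
    for addr in addresses:
        base, tag = split_plus_tag(addr)
        if tag and base.lower() == my_base_address.lower():
            hits[tag] = addr
    return hits


def parse_dated_address(address, my_domain):
    """Parse the assumed 'local@<token>.<day>.<mon>.<year>.<my_domain>' layout and return
    the date the address was issued, or None if the address does not follow it.
    The token is random, so nothing useful is left after 'stripping' such an address."""
    _local, _, host = address.partition("@")
    suffix = "." + my_domain
    if not host.endswith(suffix):
        return None
    parts = host[: -len(suffix)].split(".")
    if len(parts) != 4:
        return None
    _token, day, mon, year = parts
    if mon.lower() not in MONTHS:
        return None
    return date(int(year), MONTHS.index(mon.lower()) + 1, int(day))


if __name__ == "__main__":
    # What a spammer is left with after stripping tags: the two Gmail addresses
    # collapse to one base address; the dated address stays as it is.
    for addr in LEAKED_ADDRESSES:
        print(f"{addr:40} -> {strip_plus_tag(addr)}")
    # Which of my tags turned up in the dump, i.e. which sites leaked.
    print(attribute_leak(LEAKED_ADDRESSES, "john.doe@gmail.com"))
    # When the dated address was handed out.
    print(parse_dated_address("kasperd@sdfzk.16.dec.2015.kasperd.net", "kasperd.net"))
```

Run it as a script to see the stripped forms side by side; the attribution step is the one that helps in the situation the question describes, where the dump itself is public.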

4 Answers

The first rule is to clean up your act: use a password manager and have unique, long and random passwords for EACH and ALL of your important services (email, google, etc.) and change all your passwords.

Then check if there are some mysterious transactions made on your accounts (not specifically bank accounts, mind you: anything that could be accessed using the email that was compromised). That should give you a good indication of whether the possible risk of being breached was realized.

Finally, take each possibly compromised account and think of how it could lead to a continuing issue: could some information extracted from that account be used in the future? If yes, is there any action you might take to reduce the consequences? Is the risk you're running worth the price you're going to pay to mitigate it? If you can't mitigate it, can you insure it? Is it even worth insuring?

Stephane

@Stephane makes good points in his answer.

On top of those points, you should also enable two factor authentication wherever it is supported, and especially for your email accounts and for places where you might have stored payment information.

In terms of the out-of-reach accounts, you might be able to get information about some of them by looking at your browser cookies, or the saved passwords from your browser. Modern browsers all have similar options. If you have it enabled, Chrome can sync passwords online so you could look there, and if you are on Windows, IE uses the Credential Manager, accessible from the control panel.

Mike Goodwin

Changing passwords and checking that no unusual activity has taken place is pretty much all you can do. Even if you manage to discover which site leaked the hash, there's nothing they can do now. Note that:

  1. It may take months between the leak and the moment someone cracks your password hash and attempts to attack. Observing no unusual activity doesn't mean you're safe; passwords still need to be changed.
  2. Even if your password is associated with a particular login (e-mail), it is unsafe to use with any login from now on. Once your password is revealed, it will be added to password lists which may be used in attacks on any site in the future. Hackers do this because many people tend to reuse passwords.

Hashing your passwords and trying to find the hash online is a useless test, since you don't know which salt was used when your password was hashed.

Dmitry Grigoryev
  • Regarding your last sentence: Nope, it is not useless. I tried out which obstacles an attacker may have to take. If the site owner uses salts at all, I am safer than without, because I may hope that no rainbow table entries exist for now. If they use no salt at all, on the other hand, and I can crack my password in a matter of seconds using available online resources, this is far worse of a problem. – Alexander Dec 15 '15 at 12:07
  • Not really - as Dmitry said, it can be months between a breach and a dump. It could be that they worked out how to access on a regular basis, and only dumped when the hole was fixed. They could have been attacking your password for months. It's unlikely, but even so, your best option is to consider that the password used is compromised. Given that dump, the most logical per-user salts would be the other columns in the database, which could be incorporated into a cracker easily. – Matthew Dec 15 '15 at 12:26
  • @Alexander, you're right, this check rules out the extreme cases. I meant to say that it's not surprising you didn't find a match using this primitive technique. – Dmitry Grigoryev Dec 15 '15 at 12:30
  • @Alexander Still, why take the chance? Generate a new, strong password or passphrase, update the _one_ thing you used it on (because you _did_ use it for only one thing, _right?_), and toss it in your password manager. No big deal. – Blacklight Shining Dec 16 '15 at 10:29
  • @BlacklightShining Well, now that I know which site it is, I do update my passwords at all affected sites. But yesterday I didn't know which site, and I didn't know which password... – Alexander Dec 16 '15 at 10:32
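The salted-versus-unsalted point argued in this answer and its comments, as an added Python example (not code from the answer, the commenters, or the site in question): it shows why the "hash my own passwords and compare" self-check from the question only works when the site stored plain MD5, why unsalted hashes also expose every user who chose the same password, and what the standard library offers instead (PBKDF2 with a random per-user salt). The rows and passwords are constructed here in the column layout the question mentions (`user`, `email`, `pass`, `joined_on`); nothing is taken from the paste.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---- What the breached site apparently did: unsalted MD5 ----

def unsalted_md5(password: str) -> str:
    """MD5(password). Every user with the same password gets the same hash, and one
    precomputed (rainbow) table serves the whole dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5(password: str, salt: str) -> str:
    """MD5(salt || password). Still far too fast for password storage, but a per-user
    salt defeats shared tables and cross-user hash matching."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


# ---- What a site should use instead: slow, salted, per-user ----

def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# ---- The checks discussed in the thread ----

def self_check(leaked_hash: str, my_candidates) -> Optional[str]:
    """The question's test: MD5 each password you remember and compare with your own
    row. Only finds a match if the site stored unsalted MD5 (and the password is in
    your list); with any salt it returns None, which is Dmitry's point."""
    for pw in my_candidates:
        if hmac.compare_digest(unsalted_md5(pw), leaked_hash):
            return pw
    return None


def shared_password_groups(rows):
    """Defender's view of a dump: with unsalted hashes, identical hash values reveal
    every user who chose the same password. Returns {hash: [users]} for groups > 1."""
    by_hash = {}
    for row in rows:
        by_hash.setdefault(row["pass"], []).append(row["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Constructed sample rows (made-up users and passwords; two users share a password).
SAMPLE_PASSWORDS = {"brickfan": "bricks2009", "minifig": "bricks2009", "studs": "Tr0ub4dor&3"}
UNSALTED_ROWS = [
    {"user": u, "email": f"{u}@example.org", "pass": unsalted_md5(p), "joined_on": "2009-03-01"}
    for u, p in SAMPLE_PASSWORDS.items()
]
# Same users, salted with another column of the row (the username), as Matthew's comment suggests.
SALTED_ROWS = [
    {"user": u, "email": f"{u}@example.org", "pass": salted_md5(p, u), "joined_on": "2009-03-01"}
    for u, p in SAMPLE_PASSWORDS.items()
]

if __name__ == "__main__":
    print("shared passwords, unsalted:", shared_password_groups(UNSALTED_ROWS))  # one group of two users
    print("shared passwords, salted:  ", shared_password_groups(SALTED_ROWS))    # none
    print("self-check, unsalted:", self_check(UNSALTED_ROWS[0]["pass"], ["bricks2009", "lego123"]))
    print("self-check, salted:  ", self_check(SALTED_ROWS[0]["pass"], ["bricks2009", "lego123"]))
    record = pbkdf2_store("bricks2009")
    print("pbkdf2 verify:", pbkdf2_verify(record, "bricks2009"), pbkdf2_verify(record, "lego123"))
```

The self-check and the group listing are the two things a dump of unsalted MD5 gives away immediately; with the salted rows both come back empty, and with PBKDF2 the per-user salt and iteration count make the comparison expensive even when the record format is known.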

I would pay particular attention to financial services, e.g. any banking facility or payment method. I recommend getting a new credit/debit card if you have ever used one online, as you don't appear to know exactly what accounts or services you have used.

aj-