I know that my main email account has been compromised in the past, and used for sending Spam, because my hosting provider disabled my email account and hosting account until I had an opportunity to change my password.
I know that all my websites are under continuous automated password guessing attack, although I was never breached.
And today I checked my email accounts against the breach database at ‘;–have i been pwned? For those of you not familiar with “L33T speak” (leet speak = elite speak or hacker jargon) the word “pwned” means owned, as in “have I been owned?” You should check your email accounts too. At least you will know which accounts really need a new password.
I was able to scan my entire email domain and find out which email accounts had been affected. In the cases below, the actual password for the email account was not breached, but the user name (email address) and password combination for the particular web resource was. This is why I have urged my readers not to reuse passwords over and over on dozens of websites. Because if you are breached at one place, you are breached everyplace. And never reuse your email password anywhere else ever.
The results of my test are below:
Breaches I was pwned in:
A “breach” is an incident where a site’s data has been illegally accessed by hackers and then released publicly. Review the types of data that were compromised (email addresses, passwords, credit cards etc.) and take appropriate action, such as changing passwords.
DaniWeb: In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords. However, DaniWeb have advised that “the breached password hashes and salts are incorrect” and that they have since switched to new infrastructure and software.
Compromised data: Email addresses, IP addresses, Passwords
Forbes: In February 2014, the Forbes website succumbed to an attack that leaked over 1 million user accounts. The attack was attributed to the Syrian Electronic Army, allegedly as retribution for a perceived “Hate of Syria”. The attack not only leaked user credentials, but also resulted in the posting of fake news stories to forbes.com.
Compromised data: Email addresses, Passwords, User website URLs, Usernames
LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
Compromised data: Email addresses, Passwords
QuinStreet: In approximately late 2015, the maker of “performance marketing products” QuinStreet had a number of their online assets compromised. The attack impacted 28 separate sites, predominantly technology forums such as flashkit.com, codeguru.com and webdeveloper.com (view a full list of sites). QuinStreet advised that impacted users have been notified and passwords reset. The data contained details on over 4.9 million people and included email addresses, dates of birth and salted MD5 hashes.
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
River City Media Spam List (spam list): In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.
Compromised data: Email addresses, IP addresses, Names, Physical addresses