Have I Been Breached?

Yes, I have.  A “breach” is an computer security incident where a website’s data has been illegally accessed by cyber-attackers and released publicly.

I know that my main email account has been compromised in the past, and used for sending Spam, because my hosting provider disabled my email account and hosting account until I had an opportunity to change my password.

I know that all my websites are under continuous automated password guessing attack, although I was never breached.

And today I checked my email accounts against the breach database at ‘;–have i been pwned?  For those of you not familiar with “L33T speak” (leet speak = elite speak or hacker jargon) the word “pwned” means owned, as in “have I been owned?”  You should check your email accounts too.  At least you will know which accounts really need a new password.

I was able to scan my entire email domain and find out which email accounts had been affected. In the cases below, the actual password for the email account was not breached, but the user name (email address) and password combination for the particular web resource was.  This is why I have urged my readers not to reuse passwords over and over on dozens of websites. Because if you are breached at one place, you are breached everyplace.  And never reuse your email password anywhere else ever.

The results of my test are below:

Breaches I was pwned in:

A “breach” is an incident where a site’s data has been illegally accessed by hackers and then released publicly. Review the types of data that were compromised (email addresses, passwords, credit cards etc.) and take appropriate action, such as changing passwords.


DaniWeb: In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords. However, DaniWeb have advised that “the breached password hashes and salts are incorrect” and that they have since switched to new infrastructure and software.

Compromised data: Email addresses, IP addresses, Passwords

Forbes: In February 2014, the Forbes website succumbed to an attack that leaked over 1 million user accounts. The attack was attributed to the Syrian Electronic Army, allegedly as retribution for a perceived “Hate of Syria”. The attack not only leaked user credentials, but also resulted in the posting of fake news stories to forbes.com.

Compromised data: Email addresses, Passwords, User website URLs, Usernames

LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Compromised data: Email addresses, Passwords

QuinStreet: In approximately late 2015, the maker of “performance marketing products” QuinStreet had a number of their online assets compromised. The attack impacted 28 separate sites, predominantly technology forums such as flashkit.com, codeguru.com and webdeveloper.com (view a full list of sites). QuinStreet advised that impacted users have been notified and passwords reset. The data contained details on over 4.9 million people and included email addresses, dates of birth and salted MD5 hashes.

Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity

River City Media Spam List (spam list): In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.

Compromised data: Email addresses, IP addresses, Names, Physical addresses

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment