Have I Been Pwned

New breach: Internet Archive had 31M records breached last month including email address, screen name and bcrypt password hash. 54% were already in @haveibeenpwned. Read more: bleepingcomputer.com/news/secu

12 comments
@pndc

@haveibeenpwned You sent me a mail telling me that an address in my single-user domain was involved in this breach. Thing is, I'm not a HIBP subscriber.

The link in the email took me to a page which wanted me to subscribe to a service which costs hundreds of dollars per year to see the details because apparently you think I am an ISP because your data is extremely dirty as it contains loads of invalid addresses generated by spammers using dictionary attacks.

So I forwarded the email to abuse@sendgrid.com pointing out it was spam. Because if you're bulk-sending mail to non-customers trying to get them to pay money, that's spam.

asteriske

@pndc @haveibeenpwned

I think you're mistaken; while HIBP has a paid service, it will provide data on affected domains for free. Source: I monitor my domain for free at HIBP.

@pndc

@asteriske @haveibeenpwned It is free until spammers have poisoned their database with more than a handful of invalid addresses at your domain when trying to guess a valid address. And then the next time you get an email notification of a breach and click through, you will encounter a paywall instead of the details of the breach.

varx/tech

@pndc It's very likely that you actually signed up for (free) monitoring some years ago and simply forgot about it.

I also have a single-user domain with a catchall address and signed up for free monitoring, and yes, I did bump up over the threshold into paid monitoring at some point. But I'm still the one who asked to be notified. Pretty sure that's what happened for you!

If you only have one real address at that domain, just subscribe for updates for that one address, and unsubscribe from the domain-wide ones. Then you should never see that email again.

SpaceLifeForm

@haveibeenpwned

Even if you change your password, assuming you can with the DDoS, you will have to change it again.

Until the breach is fully hunted down, the exfil could occur again.

Steven D Rowe 🇨🇦

@haveibeenpwned I'm there too. Fed up of these breaches. The LinkedIn one of some years ago was the worst.

shadowwwind

@haveibeenpwned that's just an email alias for me

Strangely the password didn't get flagged by HIBP

Jason 👀

@haveibeenpwned 14.26M new emails in the HIBP database? My, that's a big one…
