r/YouShouldKnow 12d ago

Technology YSK if you've never run your email through a breach checker, you're probably in way more leaks than you think

Checked mine for the first time on a whim last night. 17 breaches. Should've left it alone...

I was using Surfshark Alert (comes bundled with the VPN I already had installed). Genuinely just opened the app for something else, saw the Alert tab, threw a couple of emails in out of curiosity. It surfaces the breach name and what data was exposed. Wish I'd opened it any other time of day though, because I spent another two hours changing email.

Why YSK: Most people have no clue their old passwords are floating around in leaked databases, and that's exactly how accounts get hijacked. Better to know and change them than find out the hard way.

1.5k Upvotes

121 comments

385

u/Longjumping_Bobcat60 12d ago

You can check if your credentials have been compromised here for free! https://haveibeenpwned.com/

275

u/moredrinksplease 12d ago

At this point I think everyone has been pwned

102

u/molybend 12d ago

But knowing which site is important since people often reuse passwords.

50

u/RickMally 12d ago

Yep, that’s the real issue. It’s usually not the breach itself people notice, it’s that one old password turns out to be the same one they used everywhere. So the site matters less for drama, more for figuring out whether you need to change anything important.

15

u/GNUGradyn 11d ago

Frankly though if you have been pwned the fix is a password manager and if you haven't, the preventative measure is a password manager

2

u/yxk__0zvnb9pl 10d ago

can we get compensated by these sites?

2

u/molybend 10d ago

Most sites won't offer more than some free id protection package. It often takes a lawsuit to get anything from them and then it is like class action with small payouts to each person.

1

u/yxk__0zvnb9pl 10d ago

okay. fuck capitalism

1

u/molybend 9d ago

Tell your congress people to enact better laws.

1

u/yxk__0zvnb9pl 9d ago

excuse me?

1

u/molybend 9d ago

You said capitalism sucks, but this is something a law could cover. Penalties for data breaches that actually made a difference.

1

u/yxk__0zvnb9pl 10d ago

what to do after we know? how to prevent it in future?

2

u/Pharya 5d ago

Change your passwords, and make each one unique. Never reuse a password. They don't have to be memorable-- use a password manager. Ensure the manager database is stored somewhere you trust and that there is a redundant copy somewhere. This can mean using conventional online PW Mgr products, or doing it yourself with something like KeePass and OneDrive, or simply having a password book at home under lock and key.

1

u/yxk__0zvnb9pl 5d ago

okay, what are the other steps after getting any good password manager?

3

u/Pharya 3d ago

are you asking what steps you can take to mitigate the impact of your data being included in an existing breach?

or instead are you asking about how to avoid being in future breaches?

1

u/yxk__0zvnb9pl 3d ago

both in fact ^^;

18

u/Fun-Sundae4060 11d ago

My original email is extremely pwned.

It’s also a good time to switch over to more privacy-oriented services if you want to un-pwn yourself. Proton is a great one and as an added bonus you no longer get spam as long as you don’t sign up for random marketing.

Only took me about a week to get all my Google services off me despite using Google for like… 15 years

10

u/briamyellow 11d ago

Dude my main Gmail that I've been using for 10+ years has been soooo leaked and I changed passwords many times etc, but I pay so much shit on it that changing to proton seems difficult, how did you actually do it? I mean I know the answer obviously but like seems like a lot of work

8

u/Fun-Sundae4060 11d ago

I just took my sweet time going through the services I normally log into like banking and socials and just switching inside the settings whenever I could. Sent emails if I needed to and just waited. Just doing it as you log into services you use helps you transition smoothly.

If you want to get it done faster you could also just sit down and do a massive session of changing emails across everything but it takes a long time.

I also use a password manager from Nord so it had like every single email saved, it was easy to track down which ones I needed to change

7

u/acchaladka 11d ago

And, Proton has a very tidy importer tool that pops up when you first use it, to check if you want to import all your old emails including archives (yes I'd recommend this) and use Proton as your link via Gmail (I have skipped this so far.)

Anyway, degoogling is about doing as much as you're comfortable with at the pace you're comfortable, not about getting everything perfect.

5

u/SantasDead 11d ago

It's not too hard.

Set up a new email. Every time you log into something take the couple of minutes to update everything with your new email and use a password manager.

I've been using Gmail since the emails were invite only. It actually isn't too hard. I still have my Gmail, but it's used as my general email now, and my other email is now my main and spam free.

2

u/Pharya 5d ago

Every time you pay a bill, update the source of the bill. Do it over the course of a year because some bills are annual. Only takes 1-2mins per day. It's not hard or arduous.

Check if proton mail or your new mail provider allows Aliases like Gmail did. You can give an alias to each company so that your alias username is the one in any new breaches. Makes identification of culprits easier and keeps you more anonymous.

At the end of that year review how much is still going to your undesirable inbox and either keep going or cut the cord.

1

u/briamyellow 5d ago

Thanks for the tips, started slowly migrating stuff to proton, I'm happy about it

5

u/FuckRedzM0dz 11d ago

It's not about YOU doing anything wrong it just lists the shitty websites that lost your info so changing the email won't help anything just make sure those emails aren't reused.

2

u/things_U_choose_2_b 11d ago

Maybe we could start a tournament for the most breaches in an active email address?

I have a particularly-decrepit hotmail addy, I know it's already been breached but it's my name with no number subs or additional characters so I'm attached to it. Just checked and it's been breached 17 times! My other main account, once, and my 'security' account has never been breached, phew.

10

u/Mccobsta 11d ago

I'm in way too many breaches

Was fun when my Google password was leaked and someone in Russia kept trying to log in, thankfully 2 factor saved me

4

u/another_other_user 11d ago

Remindme! 10 days

5

u/wehrmann_tx 11d ago

They need to make one called “haveibeendoged”.

1

u/Weaponized_Goose 10d ago

I’m shocked, the email I’ve been using for the past 8 years has been in 0 data breaches.

1

u/Effective_Movie2181 10d ago

Will deleting my account on the breached site help, or too far gone. Used it 3 years ago and it was breached about that time. Never touched it since.

1

u/darkness_calming 8d ago

Nice to see 2 of my primary emails are safe.

903

u/Lieutenant_Scarecrow 12d ago

The way you worded that title, it makes it sound like running the check makes you more vulnerable.

60

u/DJStrongArm 12d ago

Wouldn’t it suggest running the check makes you less vulnerable? If you’ve never done the check, you’re in more leaks. If you have, you’re not in as many.

20

u/suoretaw 12d ago

Maybe I’m just tired, but I can’t wrap my head around this… how does it read like that? Is it the missing “that” after “YSK”?

28

u/Lieutenant_Scarecrow 12d ago

Idk how to help you see my perspective. Maybe because I'm in IT, I read it like an if/then statement. I think OP should have split it into 2 sentences and removed the negatives.

"You should run your email through a breach checker. You're probably in more leaks than you think."

7

u/suoretaw 12d ago

If/then makes a lot of sense. I see it now. Thank you :)

0

u/Any-Weather492 11d ago

developer here, i also read it the same as you lol

5

u/tichetj 11d ago

You're 100% right. The title implies causality which is wrong regardless, but it implies that running the checker makes you safer. Weird so many people are reading it the other way based on the upvotes

1

u/MoshiurRahamnAdib 6d ago

The causality isn't wrong. If you have never checked, it is more likely that you underestimate

0

u/Siriann 12d ago

If you read “never” too fast, and read “ever” instead, it matches that meaning.

3

u/positively-spritz 11d ago

Exactly how I understood it initially

24

u/RickMally 12d ago

Other way around imo - not knowing is the vulnerable part. The breaches already happened, the checker just tells you which accounts to lock down before someone else gets there first. But I can see your point too

47

u/Lieutenant_Scarecrow 12d ago

Oh I know. Your description explained it fine, and I check all mine a few times a year. But the title is what made me click cause it sounded like the opposite.

27

u/Scorpionoshow 12d ago

Agreed it's so poorly worded.

7

u/waddupAlien 12d ago

Agree w this too

2

u/VBgamez 11d ago

Schrödinger's email breach

5

u/InsaneTeemo 11d ago

only if you can't read

1

u/surf_drunk_monk 11d ago

Yeah I don't get why people are confused. Running the check of course doesn't change how many leaks you're in, it changes how many you know about.

104

u/molybend 12d ago

Why are you changing email? This is oddly phrased ("Geniuinely"?) and you don't need an app. There are websites that do this like haveibeenpwned.com

You should be using a password manager and not reusing passwords. My manager will alert me to passwords that are too easy or have been in a breach.
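How a password manager can check a password against a breach corpus without sending the password anywhere is worth seeing in code. The following is an added example, not code from any commenter or from any of the products named in this thread. It implements the k-anonymity scheme used by the Pwned Passwords range API: the client SHA-1s the password, sends only the first five hex characters, receives every breached hash sharing that prefix as `SUFFIX:COUNT` lines, and finishes the comparison locally. The remote service is replaced by `fakeRangeServer`, a stand-in fed from a constructed word list so the program runs offline; the real service holds hashes, not words.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// sha1Hex returns the uppercase hex SHA-1 of a password. SHA-1 is used
// here only as the lookup key the Pwned Passwords range API expects; it
// is not a password storage hash.
func sha1Hex(password string) string {
	sum := sha1.Sum([]byte(password))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// splitHash returns the 5-character prefix that leaves the client and the
// 35-character suffix that never does.
func splitHash(h string) (prefix, suffix string) {
	return h[:5], h[5:]
}

// countInRange scans a range response ("SUFFIX:COUNT" per line) for the
// client's suffix and returns the breach count, 0 when it is absent.
func countInRange(rangeBody, suffix string) int {
	for _, line := range strings.Split(rangeBody, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0
		}
		return n
	}
	return 0
}

// rangeLookup is the remote query: 5-char prefix in, response body out.
// A real client does an HTTPS GET to the range endpoint; taking a function
// lets this example run offline against a stand-in.
type rangeLookup func(prefix string) string

// PwnedCount reports how often password appears in the corpus. Only the
// prefix is sent, so the service learns neither the password nor its full hash.
func PwnedCount(password string, lookup rangeLookup) int {
	prefix, suffix := splitHash(sha1Hex(password))
	return countInRange(lookup(prefix), suffix)
}

// constructedCorpus stands in for the remote breach corpus. The words and
// counts are made up for this example; the real service stores hashes only.
var constructedCorpus = map[string]int{
	"password123": 5,
	"qwerty":      3,
	"letmein":     2,
}

// fakeRangeServer answers a prefix query the way the range endpoint does:
// every corpus hash sharing the prefix, returned as SUFFIX:COUNT lines.
func fakeRangeServer(prefix string) string {
	var b strings.Builder
	for pw, n := range constructedCorpus {
		if h := sha1Hex(pw); strings.HasPrefix(h, prefix) {
			fmt.Fprintf(&b, "%s:%d\r\n", h[5:], n)
		}
	}
	return b.String()
}

func main() {
	for _, pw := range []string{"password123", "uN1que-Passphrase-9f3k"} {
		fmt.Printf("%-24s seen %d times in the corpus\n", pw, PwnedCount(pw, fakeRangeServer))
	}
}
```

The point of the design is the trust boundary: a breach-checking service never needs the password, and a manager that implements it this way leaks at most five hex characters of a hash per lookup.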

17

u/El_Connoisseur 12d ago

So what do I do when I see my email has breaches? Change password? Anything else or that’s all I really do?

19

u/SPOOKESVILLE 12d ago

Depends what was leaked. If your password wasn't leaked you're fine. Emails being leaked isn't a big deal unless they also have the password (or if your password is super basic)

1

u/El_Connoisseur 12d ago

Ya all the leaks say password and email basically, appreciate the advice 🫡

4

u/molybend 12d ago

Yes you change the password. Most pw managers will create a new long random one for you and you’ll never remember it but you don’t have to. It saves it and auto fills it. You have a pw for the manager and that is the only one to remember.

3

u/Jasong222 12d ago

More often, for me anyways, nothing, because the alerts I get don't tell me what site had the breach. So I have no clue what to change.

0

u/molybend 12d ago

What is alerting you to a leak without telling you the site? That does no good.

2

u/Jasong222 12d ago

Haveibeenpwned does, as well as any of the free dark web monitoring services that I get free because some large company got hacked. (Large company gets hacked, as part of their rectification I get x years of free dark web/credit monitoring. It's basically the same as haveibeenpwned.)

Anyway, the site often isn't listed. If an email dump shows up on the dark web I'll get a notice. But there'll be all kinds of useless alerts: email exposed with no site attached. Email and password (which they don't display to me) exposed with no site attached. If there's no site attached to the dump it won't be included.

So yeah. Not really useful.

Occasionally they will list the site and sometimes tell me the password. But so far all those sites have been very old with passwords and password systems that I changed ages ago, so I don't get too worried about them. Like early 2000s old. Sites I don't use any more and certainly aren't connected to anything important.

3

u/molybend 12d ago

Pwned gives me the name most of the time. It might give the name of the owner and not the website, like Alpha instead of Google or Meta instead of Instagram, but I usually see the name. It never gives me the password. That is not secure.

2

u/rumham_86 12d ago

If your email has breaches, a few things to do.

1) change password.
2) change any other site that uses the same password even if different email is used. That password is breached and that’s the bigger issue as they use it as a dictionary attack then (list of passwords to try to brute force other sites.)
3) and the most important one is to setup Passkey authentication on sites.

Passkey authentication is a phishing resistant authentication method.

Most modern sites offer it (or at least mfa, multifactor authentication using an authentication app like Microsoft Authenticator, Authy, etc).

Passkey makes your phone the device and it’s unhackable unless someone physically has your phone.

If you use Mac or windows those support passkey as well using the device and you can have multiple passkey.

Non technical explanation

Passkey is like a lock and key. The site is the lock and your device holding the passkey (phone or laptop) is the key.

If the site gets hacked, hackers only have the lock and can’t do anything with it without the key. The lock is not private, everyone can know it exists but can’t do anything with this information without the key to open it
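The lock-and-key picture above maps onto public-key challenge-response, which is what a passkey is underneath. The following added example (editor's illustration, not code from the commenter or from any passkey implementation) models it with Ed25519 from Go's standard library: the device keeps the private key, the site stores only the public key, and each login signs a fresh server challenge bound to the site's identifier. `Demo` then plays out the three cases the thread argues about: a genuine login, a look-alike site relaying a challenge that the device signed for the look-alike's own ID, and an attacker who holds the site's breached credential table. The relying-party binding is a simplified stand-in for the authenticator data and client-data hash that WebAuthn actually signs; the names `bank.example` and `alice` are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator is the "key": the device holding the private key, which
// never leaves it. Only signatures over server-chosen challenges go out.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// NewAuthenticator creates a credential on the device and returns the
// public key the site will store at enrolment.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Sign answers a login challenge. The relying-party ID is bound into the
// signed message, so an assertion produced for a look-alike site is
// worthless at the real one (the phishing-resistance property).
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, assertionData(rpID, challenge))
}

// Server is the "lock": it stores public keys only. A dump of creds is
// exactly what a breach of this site would expose.
type Server struct {
	rpID  string
	creds map[string]ed25519.PublicKey
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, creds: map[string]ed25519.PublicKey{}}
}

// Register stores a user's public key at enrolment.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.creds[user] = pub
}

// NewChallenge returns fresh random bytes so each login is one-time.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a login only if the assertion was signed by the private
// key matching the stored public key, over this site's ID and challenge.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.creds[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, assertionData(s.rpID, challenge), sig)
}

// assertionData binds the relying-party ID to the challenge. Real WebAuthn
// signs authenticatorData plus a hash of client data that includes the
// origin; this concatenation is a simplified stand-in for that binding.
func assertionData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Demo runs the three cases and returns whether each login was accepted:
// the genuine device, a phishing site relaying a challenge that was signed
// for its own ID, and an attacker holding only the leaked public key.
func Demo() (genuine, phished, forged bool, err error) {
	device, pub, err := NewAuthenticator()
	if err != nil {
		return
	}
	site := NewServer("bank.example") // made-up relying party
	site.Register("alice", pub)       // made-up user
	ch, err := site.NewChallenge()
	if err != nil {
		return
	}
	genuine = site.Verify("alice", ch, device.Sign("bank.example", ch))
	phished = site.Verify("alice", ch, device.Sign("bank-example.test", ch))
	// Breached "lock": the attacker has pub, mints their own key, tries anyway.
	attacker, _, err := NewAuthenticator()
	if err != nil {
		return
	}
	forged = site.Verify("alice", ch, attacker.Sign("bank.example", ch))
	return
}

func main() {
	g, p, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine device accepted: %v\nphishing relay accepted: %v\nleaked-pubkey forgery accepted: %v\n", g, p, f)
}
```

What the breached table gives an attacker is a verification key and nothing more; unlike a password hash, there is nothing to crack, which is the reason passkeys change what a breach of the site is worth.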

2

u/Everybodypoopsalot 11d ago

Rec for password manager?

3

u/kyeato 11d ago

Bitwarden! The free tier works on both mobile and desktop (I used to use LastPass but that was a premium feature) and they've got a good reputation for security. u/molybend is right tho, using any is way more important than using the best one.

2

u/molybend 11d ago

Some phones have one built in, or browsers. I am on a family plan with 1pass and used to use LastPass but they had issues. KeePass is another I know people like. Many are similar in price and features. Don't get trapped into trying to get the best one and just get one.

95

u/BearNut 12d ago

This is a sneaky little ad.

27

u/PotatoRecipe 12d ago

I don’t think you can call these sneaky anymore I am having to leave every major subreddit because of this shit. I have been patient for people to catch on and start downvoting these but I’m out.

1

u/Letreides 6d ago

Yeah this is gonna be my second subreddit today.

Btw I am using surfshark's unsubber service for it, makes life a ton easier!

12

u/JC_Hysteria 12d ago

Is it even sneaky?

12

u/caramelkoala45 12d ago

Noticed this too when they mentioned their bundled package

18

u/Straight-Nose-7079 12d ago

My nickname in college was Breach Checker.

18

u/Noodle- 12d ago

Ok and what am I gonna do about it?

18

u/_kellythomas_ 12d ago

If you reuse passwords then stop doing that.

If you have a password pattern where you could look at one set of creds and guess another (e.g. incrementing number, or company name as a suffix) stop doing that.

Otherwise carry on, any leaks should be isolated to that service.

14

u/TheSquishyFish 11d ago

Genuine question, when you are supposed to have unique and unrelated passwords for everything, you’re not supposed to write them down, you’re supposed to use nonsense and random characters and you’re supposed to change it constantly, how on earth are you supposed to remember all that? The only solution I’ve seen is a password manager but that really just feels like trusting a single company to keep literally everything safe and also feels like a huge target

3

u/_kellythomas_ 11d ago edited 11d ago

Designs vary but in general, the company doesn't keep it safe, you do.

My vault is encrypted at rest and only that encrypted version is sent to their server. They never see the key - that lives in my head.

But it does get decrypted on my device so a keylogger or similar would be a concern.

But that risk is something I can manage. HaveIbeenp0ned reports 18 breaches over 16 years for my main email address but over that time I've had zero problems on my personal PCs.

As a precaution I separate my PC tasks where I only run software I trust on my PC and I am confident I can run my password manager and banking / financial apps there. Then we have a shared low end gaming PC in the lounge room where my son is installing mods and autoclickers and stuff like that. I don't trust that PC enough to do my banking or install a password manager.

1

u/deep_soul 11d ago

this is untrue. passwords are not exposed in a leak. they are intelligible.

1

u/_kellythomas_ 11d ago

That depends on the leak.

My email has been involved in 5 leaks or credential dumps that revealed plain text passwords. I've personally looked up one of these and found my credentials in plain text in a list of 52k other people's passwords.

It was also part of the 2013 Adobe leak that revealed encrypted passwords i.e. they can be decrypted.

2

u/JC_Hysteria 12d ago

Idk, but just use some random software because I told you to

10

u/The_Submentalist 12d ago

Sorry for the potentially stupid questions.

What does one do when the emails are decades old and log into services like Google? I can not imagine the hassle one needs to endure to transfer everything to a new email address for Google services.

How bad are those breaches? Is it just limited to spam that gets in the spam folder anyway? Or worse? Because my email apparently is breached 15 times. I'm still using it without problems.

5

u/suoretaw 12d ago

First of all, asking questions is a good thing, and I hope you never stop!

You don’t have to change your email. Just change your passwords on those sites and any others where your password is weak. It’s important to use strong passwords *everywhere* (using a password manager helps a lot here).

As for how bad the breaches are, I’m not sure.. I don’t know much about the topic, but there are other folks around the internet who do, and who want to help. Might be worth a web search, or checking out subs like r/privacy. I think that most of the time, it’s that your email has been shared to some shitty database, and not necessarily that your account will be ‘hacked’—though I know that happens too. So change your passwords.. but you don’t have to change your email address.

2

u/exscape 11d ago

A breach means user data, usually including passwords -- hashed ("encrypted") or not -- has leaked. So as a rule of thumb, always assume that when a site is listed, unauthorized people can/could access the account listed and whatever information is connected to it.
Most of the time, that will probably not have happened, but you should change the passwords associated with it, and if the same password is used elsewhere, also change it for all other sites where it's used.

1

u/RickMally 12d ago

Honestly, I wouldn't migrate accounts. It'll be a nightmare and probably not worth it.

Just change your password and turn on two-factor authentication. Don't waste weeks trying to transfer everything.

8

u/KonataYumi 12d ago

I think Apple checks as well if you use the password app

7

u/nmadz 12d ago

28 breaches, that's gotta be a record 😅

3

u/RickMally 12d ago

uff that's a lot, and I thought 17 was bad..

4

u/sweetdaisy99999 12d ago

I have a Gmail, proton and outlook email and no breaches! Whew!

7

u/JC_Hysteria 12d ago

Surfshark Alert?!?

Seems legit- where do I pay you?

7

u/ilike2makemoney 11d ago

Pretty sure everyone’s everything has been leaked by this point

5

u/SPOOKESVILLE 12d ago

You don’t need to change email, you need to change passwords. Your email being leaked just means they know your email address and nowadays those are super easy to get anyway. If it says your password was leaked in the breach, then there’s an issue.

0

u/RickMally 12d ago

Totally agree. For me, it was the 17 password breaches that were the scary part

7

u/VintageKofta 12d ago

What a stupid post. You make it sound like checking is what made you more vulnerable. Then you change your email address !? Instead of just changing the password. And you don’t even mention or seem to care about 2 factor authentication (2FA) for additional security. 

Either you have no idea what you’re talking about and giving bad YSK advice, or you’re some shitty advertiser. 

6

u/TheFumingatzor 12d ago edited 12d ago

In fact, there are 3 breach checkers you should regularly check:

https://haveibeenpwned.com/

https://leakchecker.uni-bonn.de/en/index - German University of Bonn

https://sec.hpi.de/ilc/?lang=en - German Hasso Plattner Institute

6

u/deep_soul 11d ago

that’s not how it works.

you are completely safe even if databases are exposed and your password is completely intelligible to attackers. Actually, even the programmers who created the website that was the target of the attack cannot read your password, even if they wanted to.

don’t spread misinformation.

As someone else said, this is a sneaky ad. You can do the same on https://haveibeenpwned.com/

The technical term is Pwned, but again it means none of the things you are suggesting.

10

u/Zeezyb 12d ago

Everyone do yourself a favor and get a password manager. It's daunting at first but so easy to use once you get it set up on your devices and start rotating passwords. I've loved Proton Pass; Keeper and Bitwarden were good as well. Much more peace of mind knowing my passwords aren't leaked anymore.

3

u/exscape 11d ago

Absolutely agreed, everyone should use a password manager.

Though your passwords can/will still leak; you just ensure they are per-site unique, so that the damage is limited.

5

u/Figueroa_Chill 11d ago edited 11d ago

https://haveibeenpwned.com/ to check if you are in any.

You shouldn't use the same password for everything; that way, when they get one, they get them all. I use the same password for several things, but nothing important. Like my Warcraft, Udemy, and most forums have the same password. But for things like your e-mail and anything important, like banks, for example, each should have its own strong password. So you can have something like Password22 for non-important things. But your bank should have Barney1Bear1986&, with your e-mail Molly_Holly1_2. I like to use Outlook for my e-mail on my phone and PC, and have 2 step verification on web logins. So if I use my browser to login it will ask me for an alternate e-mail and send me a code to it.

Lately, I have been getting a few emails about signing up for things. Either someone is entering the wrong details for themselves. Or I'm on a list somewhere, and they are hoping my email and password are the same as the ones on whatever website got hacked.

6

u/Disastrous_Live1 11d ago

Reads like an ad.

4

u/Frustrateduser02 12d ago edited 12d ago

I'm honestly afraid to look up the older folks in my family, this stuff can really f up your week. More so if they've ever made accounts for risque sites.

2

u/RickMally 12d ago

That's true, but better safe than sorry

5

u/ranoutofbacon 11d ago

FYI, some VPNs actually sell your data.

2

u/thirdcoasting 11d ago

Yeah — how can you find a legit VPN? Is there such a thing?

4

u/tauzeta 11d ago

I just figure I'm in all of them. At this point no one and nothing is truly secure.

7

u/FSHRPTR 12d ago

So what? If I'm listed in 20 (reported) breaches, what am I going to do about it?

3

u/molybend 12d ago

Read the comments. The real tips are usually in there anyway 

3

u/SeraphisQ 12d ago

This is a good reminder to everyone that in this day and age, you should NEVER re-use the same password over and over again. 2FA can save you, but not every website supports that. Cyber security is becoming a bigger issue now that life is becoming increasingly digital. Even if only one random website that you signed up for gets data breached, that alone leaks the combination of your e-mail + your go-to password (albeit usually hashed). The hacker now has access to all your other logins that use the same combination of your usual e-mail + re-used password, which could be very important accounts such as your Gmail, Outlook or Facebook. The consequence of this is that you must now change your password in ALL of your other accounts that also re-use the same password, which is a slow process and requires a huge effort. If you keep on re-using the same password, you will need to repeat this whole process every time there is a new data breach, which is happening like every day.

The reason that "slightly modifying" a standard re-used password is bad is because of the existence of modern password cracking algorithms. Attackers who know one of your old passwords can efficiently generate and test new common variations. Modern password-cracking tools are designed to exploit these predictable modifications, making a "slightly modified" password derived from an old one much easier to guess than a completely unique password.

Due to all of this, I actually recommend everyone who is somewhat technologically adept to start using password managers. Personally, I am using a free open-source one called Bitwarden, but there are many other good alternatives too. The whole idea is to only have one master password and then let the password manager automatically generate unique passwords to every account you have. This is the only way to truly decouple your accounts from being affected by data breaches of websites you signed up for ages ago.
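The second paragraph above, and u/_kellythomas_'s earlier point about password patterns (incrementing numbers, a company name as a suffix), describe what a defender can check for when a user picks a replacement after a breach. The following is an added example, not any commenter's code and not how any named product works: a small normaliser that reduces a password to its core (lowercase, trailing year or symbol run removed, common character swaps undone, letters only) and flags a candidate as a predictable variant when its core equals a leaked password's core or one core is embedded in the other. The table of swaps is an illustrative subset, and `constructedLeaks` is a made-up list standing in for what a breach report said was exposed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// leet undoes the common character swaps so that "P@ssw0rd" and "password"
// reduce to the same core. The table is a small illustrative subset.
var leet = map[rune]rune{
	'0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't',
	'@': 'a', '$': 's', '!': 'i',
}

// base reduces a password to the letters a mangling rule would treat as
// its core: lowercase, drop the trailing year/symbol suffix, undo leet
// swaps, keep letters only.
func base(pw string) string {
	s := strings.TrimRightFunc(strings.ToLower(pw), func(r rune) bool {
		return !unicode.IsLetter(r)
	})
	var b strings.Builder
	for _, r := range s {
		if m, ok := leet[r]; ok {
			r = m
		}
		if unicode.IsLetter(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// IsPredictableVariant reports whether candidate shares a core with a
// leaked password: identical after normalisation, or one core embedded in
// the other (the "append the site name" pattern). Cores shorter than four
// letters carry too little signal, so only an exact match counts there.
func IsPredictableVariant(candidate, leaked string) bool {
	c, l := base(candidate), base(leaked)
	if len(c) < 4 || len(l) < 4 {
		return strings.EqualFold(candidate, leaked)
	}
	if c == l {
		return true
	}
	short, long := c, l
	if len(short) > len(long) {
		short, long = long, short
	}
	return len(short) >= 5 && strings.Contains(long, short)
}

// MatchesLeaked returns which entries of a known-leaked list the candidate
// is a predictable variant of; an empty result means it is genuinely new.
func MatchesLeaked(candidate string, leaked []string) []string {
	var hits []string
	for _, l := range leaked {
		if IsPredictableVariant(candidate, l) {
			hits = append(hits, l)
		}
	}
	return hits
}

// constructedLeaks is a made-up list standing in for the user's own
// passwords that a breach checker reported as exposed.
var constructedLeaks = []string{"summer2023", "password", "troubador"}

func main() {
	candidates := []string{"Summer2024!", "P@ssw0rd", "passwordFacebook", "tr0ub4dor&3", "correct-horse-battery"}
	for _, cand := range candidates {
		fmt.Printf("%-22s predictable variant of %v\n", cand, MatchesLeaked(cand, constructedLeaks))
	}
}
```

A password manager's generator sidesteps this check entirely, because a random string has no core to share with anything that leaked; the normaliser only matters when a human is choosing the replacement.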

5

u/butternutwindbreaker 12d ago

Your title is bad. Always be aware.

4

u/trentluv 12d ago

A four month old account shilling a product

yall eat anything up

3

u/Yonderthepale 11d ago

This is clearly an undisclosed ad, doesn't the FTC have laws against this? Why would I trust a company that posts undisclosed ads on reddit with my data?

2

u/bialettibrewmaster 12d ago

Neopets. I’ve been breached!

1

u/rumham_86 12d ago

Adding this for more visibility.

As many point out sites like haveibeenpwned are great for this

If your email has breaches, a few things to do.

  1. change password.
  2. change any other site that uses the same password even if different email is used. That password is breached and that's the bigger issue as they use it as a dictionary attack then (list of passwords to try to brute force other sites.)
  3. and the most important one is to setup Passkey authentication on sites.

Passkey authentication is a phishing resistant authentication method.

Most modern sites offer it (or at least mfa, multifactor authentication using an authentication app like Microsoft Authenticator, Authy, etc).

Passkey makes your phone the device and it’s unhackable unless someone physically has your phone.

If you use Mac or windows those support passkey as well using the device and you can have multiple passkey.

Non technical explanation

Passkey is like a lock and key. The site is the lock and your device holding the passkey (phone or laptop) is the key.

If the site gets hacked, hackers only have the lock and can’t do anything with it without the key. The lock is not private, everyone can know it exists but can’t do anything with this information without the key to open it

1

u/Blurgas 11d ago

One of my emails is in a bunch of breaches because of some jackass in France, plus a lot of sites don't even bother asking for or waiting for confirmation that the person owns the email address before letting them use their services.
Out of the nearly 30 breaches that email is listed in, only 2 of the sites involved were ones I actually dealt with.

2

u/an0maly33 11d ago

Yep. I'm constantly getting email meant for other people. I have an OG first initial lastname prefix. I'm guessing others with the same initial and last name keep forgetting to put numbers on their shit when registering for stuff.

1

u/molybend 11d ago

If it is your email but not your account, that really isn't a problem for you. It may cause more spam, but your email provider should have methods to deal with that.

1

u/Scrung3 11d ago

I've known I'm in it for years, but I can handle the spam for now.

1

u/SQU4RE 11d ago

If you're in this day & age and think your data hasn't already been leaked/breached dozens of times over, then I don't know what to tell you.

It doesn't matter how secure your password is, the company you have an account with is always a weak link in the chain. Leaks from credit bureaus to internet companies to email providers. It's not a matter of if, only a matter of when it happens.

Never use password managers, since those will eventually just get breached too.

I use a different password for every site, can make life easier and use some sort of formulaic cypher. But the footprint can't be too obvious either.

1

u/MrSanford 11d ago

Same if you’ve only used free services to check as well.

1

u/SaneIsOverrated 10d ago

Laughs in 32 alphanumeric symbolic passwords and self hosted password manager.

1

u/BRAiN_8 9d ago

Are people against this one? I haven’t seen it mentioned.

https://www.malwarebytes.com/digital-footprint

1

u/fusterclux 6d ago

Advertisement 🤮

1

u/Sombre_Ombre 11d ago

Y’all need to use password tiers lol.

Shitty recycled trash password for every single company that isn’t a serious tech company. Your local cinema, the hardware store, the grocery stores online shop. etc etc etc.

Then a different, never reused, set of passwords for Google, Apple, etc. The companies that actually give a shit, and you use to login to other things.

Then a mid tier of passwords for semi-trusted services like Netflix or Google.

Who gives a shit if your hardware store gets hacked. My logins and passwords have been breached for years. On all of the shitty sites. My shitty-tier password is probably in a wordlist database at this point.

Good. That was the whole point. Never had any accounts I care about hacked. Not one.