“The mother of all breaches” - Malwarebytes Offering Free Identity Scan

I don't think that does a very good job of scanning for a breach. If I run that I get zero hits. But if I run the Google tool to scan the dark web I get two hits.
There is very likely a difference between some given email address appearing in a list of accounts from a specific breach and some given email address "appearing on the dark web". The "dark web" is akin to "the seedy side of town" and has similarly vaguely identifiable boundaries (making it equally vague as to what "scanning" it means exactly: there isn't a search engine for these Onion addresses, and they tend to come and go rapidly). I just ran the scan at both and Google's results had a throwaway address of mine listed as part of some aggregate lists and general appearances unaffiliated with a specific breach. haveibeenpwned, on the other hand, listed each breach and its date.
Probably smart to use both.
 
For passwords I've used BitWarden for years for the same reason: With desktop applications and browser plugins it is too simple and easy to pass up. But I am really considering going with an offline alternative whose main database file I could (encrypt and) store/sync through a cloud service or even a self-hosted sync service.

I do not believe that any of the malicious parties who gain access to user data would ever expend the near-infinite amount of time and other resources necessary to even begin thinking about decrypting anything: They are after low-hanging fruit for direct use and raw numbers ("100 bazillion-jillion records in this archive!!!") for selling. If there is a service of any sort that encrypts your data using a **key of yours, be that a keyfile or pass phrase or anything else** then you could probably consider your data to be reasonably safe; knowing, though, that encryption algorithms themselves come and go as the march of time and technology sometimes exposes weaknesses in them.

As far as passwords and their occasional compromise by the service they access go, you can cover yourself 99.9% by using a simple 2FA/MFA if the service provider offers it (this site included). It would take unusual and unreasonable effort by someone with international-grade resources (OR someone who has your phone or 2FA/MFA application on a desktop) to somehow compromise that process.
Well written, I will re-read it again; got to run right now. Yeah, but I do think no one will waste extensive resources on me *LOL*, or better said, I wish they went after someone or a company instead! Granted though, I am more careful, I would like to think, than most.
 
There is very likely a difference between some given email address appearing in a list of accounts from a specific breach and some given email address "appearing on the dark web". The "dark web" is akin to "the seedy side of town" and has similarly vaguely identifiable boundaries (making it equally vague as to what "scanning" it means exactly: there isn't a search engine for these Onion addresses, and they tend to come and go rapidly). I just ran the scan at both and Google's results had a throwaway address of mine listed as part of some aggregate lists and general appearances unaffiliated with a specific breach. haveibeenpwned, on the other hand, listed each breach and its date.
Probably smart to use both.
I also did a dark web search through my Experian account. It found 8 hits, 1 of my email and 7 of my phone number. Yet haveibeenpwned shows nothing associated with the same email address. The Google dark web scan tool also found my email, so I'm not so convinced that haveibeenpwned is a thorough scan. Yes, using every tool you can find is the smart thing to do.
 
I try not to keep passwords anywhere. But it has gotten too hard. I store some for stupid stuff like shopping or entertainment tickets in the Apple password manager in my iPhone. It’s the native sw, not some special app.

Recently it flagged that some of the passwords I use were found in data breaches. What that means exactly I’m not really sure. As @wwillson mentioned above, it could be that they’re just in a database. I don’t know if that means they’re even attributable to me.

But my curiosity is, if Apple is doing this sort of a search, is that as good as the malwarebytes or the haveibeenpwned type sites?
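Added example, not code from any poster in this thread: this is how a device-side "password found in a data breach" check can work without ever sending the password anywhere. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to a breach-corpus service, receives every known hash suffix under that prefix, and compares locally. The request shape follows the public Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>); the range response embedded below is constructed for this example, and the only real value in it is the SHA-1 of the string "password".

```python
"""Breach-password check by hash-prefix (k-anonymity) lookup.

Added example, not from the thread. The live fetcher mirrors the public
Pwned Passwords range API; the offline fetcher returns a constructed sample
so the check can be exercised without network access.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed sample of a range response for prefix "5BAA6". Real responses
# have the same shape: one "<35-hex-suffix>:<times-seen>" entry per line.
# The middle entry is the real SHA-1 of "password" with its prefix removed;
# the other two suffixes and all counts are made up for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:12\r\n"
    ),
}


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTPS call; serves the constructed sample above."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint (not used by the offline demo or the tests).

    Only the 5-character prefix leaves the machine. "Add-Padding: true" asks
    the service to pad the answer with zero-count entries so response size
    does not hint at how many real suffixes share the prefix.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix.upper()}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """Number of times the password appears in the corpus; 0 if never seen.

    The comparison happens locally: the service never learns which suffix
    (if any) matched, only which prefix was asked for.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count or 0)   # padded entries carry count 0
    return 0


if __name__ == "__main__":
    for candidate in ("password", "zx9!Qm-unlisted-constructed"):
        n = breach_count(candidate)
        verdict = f"seen {n} times in breaches" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

The same prefix-only lookup is why a checker can flag a password as "found in a breach" without knowing which account it belongs to: the match is on the password hash alone, which is consistent with the poster's observation that a hit says nothing about whether the record is attributable to them.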
 
...

But my curiosity is, if Apple is doing this sort of a search, is that as good as the malwarebytes or the haveibeenpwned type sites?
I suspect yes, but who knows, maybe it's even better; it seems impossible to actually see what exactly these services do. I think it's smart to separate everyday email from important email with a few accounts anyway. Everyone's information is out there in some way.
Medical, Social Security, Shopping accounts, so much that hackers would have to spend multiple lifetimes hacking it all.
I do like Apple's alerts.
 
I suspect yes, but who knows, maybe it's even better; it seems impossible to actually see what exactly these services do. I think it's smart to separate everyday email from important email with a few accounts anyway. Everyone's information is out there in some way.
Medical, Social Security, Shopping accounts, so much that hackers would have to spend multiple lifetimes hacking it all.
I do like Apple's alerts.
That is an interesting concept.

I’ve heard from cyber folks that there are the small castles and the big fortress concepts. With more small castles, it takes more attacks to get them all. But the big fortress might have more resources and ability to avoid the attack.

How real that is I don’t know.
 
That is an interesting concept.

I’ve heard from cyber folks that there are the small castles and the big fortress concepts. With more small castles, it takes more attacks to get them all. But the big fortress might have more resources and ability to avoid the attack.

How real that is I don’t know.
As we've seen with myriad identity theft examples, you don't need to crack every account or even a significant number of accounts; you just need enough information to seem credible, and this certainly doesn't take "multiple lifetimes" to achieve.

Just hijacking somebody's cell phone number can be enough to gain considerable access, you get that and you can typically reset the e-mail password and the rest is easy. That of course can be leveraged for cell # based MFA as well if somebody has the password thanks to a leak or phish.

Complex passwords, unique for every site, and MFA, preferably authenticator-style on every account, is about the best you can do as "average Joe". While multiple e-mail accounts may provide another layer of obfuscation, if you are using free e-mail services, just how private are those addresses? Well...

If you are using an Office 365 type mail system, you can use aliases on your main account if you wanted to be really paranoid. It all ends up in the same place, but you have addresses that are effectively never in the wild (because mail is never sent from them and they aren't used to login to the account). There's another variant of this where the e-mail address isn't the account login address, and the account login is never used in the wild.
 
Just hijacking somebody's cell phone number can be enough to gain considerable access, you get that and you can typically reset the e-mail password and the rest is easy.
I set up 2-step verification on everything that provides that option. Nobody is getting into those types of accounts to do anything without having my phone in their hands.
 
I set up 2-step verification on everything that provides that option. Nobody is getting into those types of accounts to do anything without having my phone in their hands.
My issue with that is that since I’ve started enabling those with email and text, the amount of spam has gone through the roof. Which means that more folks have my info. Which means I'm more of a target.

So much for laying low… :(
 
My issue with that is that since I’ve started enabling those with email and text, the amount of spam has gone through the roof. Which means that more folks have my info. Which means I'm more of a target.

So much for laying low… :(
You should be using an authenticator whenever possible, as you can't steal that like you can a cell #.
 
My issue with that is that since I’ve started enabling those with email and text, the amount of spam has gone through the roof. Which means that more folks have my info. Which means I'm more of a target.

So much for laying low… :(
I haven't noticed more spam emails or spam texts. I always choose to have the 2-step verification code sent via text to my phone.
 
I haven't noticed more spam emails or spam texts. I always choose to have the 2-step verification code sent via text to my phone.
Spam texts are through the roof. Definitely.

I used to get none. Once I started giving out my cell number for some apps and conveniences… boom.
 
The reason I stick with Passwordsafe is there is no on-line version. It is incumbent on me to keep the database safe, but I don't have to worry about breaches like LastPass.
How do you keep it synced across multiple devices? I'm guessing you don't. That's not an acceptable limitation for me.
 
How do you keep it synced across multiple devices? I'm guessing you don't. That's not an acceptable limitation for me.
A lot of people will just sync the database file across their devices using any file syncing service. I have Syncthing installed on my devices but others might use Dropbox, Google Drive, OneDrive, etc.
 