Security researchers have set up a website that allows punters to check whether or not their email addresses have appeared in data dumps slurped from compromised databases. Hacking attacks on sites including Gawker and the network of Sony's gaming division have led on to the publication of hundreds of thousands of users' …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Thursday 3rd November 2011 16:39 GMT Platelet

Nice

Does it include the 46,524 recently dumped by El Reg?

7 0
1. Thursday 3rd November 2011 22:40 GMT Anonymous Coward
  
  Seemingly not...
  
  Someone want to forward it to them? :-)
  
  0 0
Thursday 3rd November 2011 16:43 GMT TonyHoyle

Not that useful

"Theriault concludes that if users even think their login credentials might have been compromised they ought to change their login credentials"

On which, of the many hundreds of forums and businesses I've used that email, should I change the password. Given that, in keeping with best practice, they're all unique.

Without that information it's *useless*. There's a huge difference between some old forum login I've forgotten about getting leaked and a bank account.

1 0
Thursday 3rd November 2011 16:44 GMT craigj

Does the website...

...also tell you if certain vulture mascotted IT news websites have inadvertently emailed your details to other people?

0 0
Thursday 3rd November 2011 16:44 GMT Anonymous Coward

Of course if I'd listened to the scaremongering here

then all my details including my PSN details were be here.

Of course reality is somewhat different..

I wonder the all those El-Reg details are included on that list?

0 0
Thursday 3rd November 2011 16:44 GMT Citizen Kaned

eek

my work one was on the list. i think its from when bethesda got hacked but gonna change pass again just in case....

0 0
Thursday 3rd November 2011 16:52 GMT Anonymous IV

Unbelievable!

"Users enter a username or email address into the site’s search box to find out if their username has appeared in any recent public data dumps. Users are not prompted to enter their password itself."

So this website now has your email address as a result of your search, but not your password.

So what information do spammers use to send you spam?

0 10
1. Thursday 3rd November 2011 17:03 GMT __PB__
  
  Read on past the first paragraph...
  
  "Data entered is not stored, re-used, or given to any third parties," the terms and conditions of the site explain. Tech savvy users can submit a SHA-512 hash of their email address or username as input instead of the plaintext version.
  
  3 0
  1. Thursday 3rd November 2011 22:37 GMT Anonymous Coward
    
    "Data entered is not stored, re-used, or given to any third parties,"
    
    And if you'll trust another company who makes that statement, I've got a bridge you might be interested in. And the phone number of a deposed Nigerian prince with TWENTY MILLION UNITED STATES DOLLARS to give away.
    
    0 0
    1. Thursday 3rd November 2011 22:56 GMT ARaybould
      
      Don't read, or don't understand?
      
      You are replying to a post that mentions the SHA 512 hash option, which appears in the first paragraph on the web site. Did you not read down that far in either of these, or do you think that the hash is personally-identifying or has some other value to a third party?
      
      1 0
    2. Friday 4th November 2011 10:13 GMT Eddie Edwards
      
      Very high risk indeed
      
      It could so easily be a highly sophisticated honeytrap where it gets my IP and my email address and by matching them together with the already public information in their database it would allow them to ....
      
      ... er ...
      
      ... send me email?
      
      1 0
  2. Thursday 3rd November 2011 22:49 GMT TheRealRoland
    
    But, in part, true...
    
    Think about how many people are now looking for a 'how to convert plain text into SHA-512 hash' website. How would you know that one is legit, the other is not?
    
    Hm...
    
    0 1
  3. Thursday 3rd November 2011 22:49 GMT Daniel Evans
    
    Isn't that what they all say?
    
    0 0
Thursday 3rd November 2011 22:10 GMT Dick Emery

Seens legit...whistles.

0 1
Thursday 3rd November 2011 22:16 GMT Anonymous Coward

So...

...I'm expected to go to this site and enter my email address? I think not. ;)

0 1
1. This post has been deleted by its author
  1. Friday 4th November 2011 15:36 GMT TheRealRoland
    
    Again, and I got downvoted for this already...
    
    Who's to tell me that this is legit, in comparison to another website that asks you to enter your email address 'and we will check for you if your address appears on any other list'.
    
    Are you?
    
    Go ahead, downvote as much as you want.
    
    But, this is a bit like that big red button that says 'do not push'... You kinda want to enter your email address, don't you? ;-)
    
    0 0
Thursday 3rd November 2011 22:18 GMT Anonymous Coward

ha ha

10 year old email address not pwned

Lovely jubbly

0 0
Thursday 3rd November 2011 22:38 GMT Studley

All well and good until THEY get hacked...

...and the paradox causes the internet to collapse in on itself.

0 3
1. Friday 4th November 2011 12:02 GMT Anonymous Coward
  
  They do explain...
  
  that they don't store any of the actual data . They only calculate the hashes and then discard the data, to help guard against exactly such an eventuality.
  
  0 0
Friday 4th November 2011 08:48 GMT Connor

Oh dear...

My email address of 12 years is on the list, but I've used that to sign up for just about everything over that time. So the email address could be on there for any number of reasons.

It has a unique 16 character random password that I created about a year ago, so should be safe. If not, tough; I really cannot be bothered to create a new one and update every password manager on all my machines again just to be sure.

Damn I wish I hadn't checked that site now!

0 0
Friday 4th November 2011 08:54 GMT Winkypop

Nigerian version?

Enter your email address + password + bank account number + pin number + inside leg measurement...

0 0
Friday 4th November 2011 10:13 GMT Nick Pettefar

Hmmmm......

I entered a couple of pwned e-mail addresses from members of my Freecycle group I am getting SPAMmed from regularly and they came up as clean. I guess 5 million isn't enough.

0 0
Friday 4th November 2011 11:34 GMT LoopyChew

One day I will create a site like this where they are asked to submit an e-mail and password, and have it direct to a page that just says "Yes."

0 0
Friday 4th November 2011 23:32 GMT Anonymous Coward

"encouraging users to hand over even part of their logins credentials to supposed security checking sites is not necessarily good thing, Carole Theriault of Sophos notes"

Isn't that the reason why part of your credentials is public and part is private? What am I missing?

0 0