https://haveibeenpwned.com/ kindly emailed me today with the news that my email credentials are among the 773 million disclosed in “Collection #1”. Thanks Troy Hunt!
My email address, name and a whole bunch of other stuff about me are public knowledge, so disclosure of that is no issue for me. I hope the password is an old one no longer in use. Unfortunately, though for good reasons, haveibeenpwned won’t disclose the passwords, so I can’t tell directly which password was compromised … but I can easily enough change my password now, so I have, just in case.
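Although Have I Been Pwned will not tell you which password appeared in a breach, its Pwned Passwords service lets you check a candidate password yourself without sending it anywhere: you hash the password with SHA-1, send only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and the service returns every hash suffix it holds for that prefix together with a count. The following is an added example, not the author's code and not part of the original post. The range URL, the `SUFFIX:COUNT` response format and the `Add-Padding` header (which makes the service pad its answer with count-zero entries) are the real API; the `constructed_fetch_range` function and the breach counts inside it are made up so that the example runs offline.

```python
"""Check candidate passwords against Pwned Passwords using its k-anonymity
range API. Added example for this post; the network fetch is real but the
example below runs against a constructed stand-in so it works offline."""
from __future__ import annotations

import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-character prefix ever leaves the machine."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with a count of 0 are padding (the service adds them when the
    client sends 'Add-Padding: true') and are dropped so they never count as
    a hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count_text = line.partition(":")
        count = int(count_text)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 = not found).

    fetch_range(prefix) must return the raw response body for that prefix."""
    prefix, suffix = split_hash(sha1_upper_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_candidates(passwords: list[str], fetch_range) -> dict[str, int]:
    """Check several old passwords at once, e.g. the ones you suspect were in
    Collection #1. Returns {password: breach_count}."""
    return {pw: breach_count(pw, fetch_range) for pw in passwords}


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the service (not called in this example)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service: these passwords and counts are made up
# for the example (the real count for "password" is in the millions).
CONSTRUCTED_BREACHED = {"password": 3730471, "letmein": 4242}


def constructed_fetch_range(prefix: str) -> str:
    """Mimic the range endpoint offline, including one padding entry."""
    lines = []
    for pw, n in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(sha1_upper_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 35 + ":0")  # padding line, as with Add-Padding: true
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Swap constructed_fetch_range for live_fetch_range to query the real API.
    for pw, n in check_candidates(["password", "correct horse battery"],
                                  constructed_fetch_range).items():
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Because only the five-character prefix is sent, the service cannot recover the password from the request; it learns only that you hold some password whose SHA-1 begins with those characters, which is shared by hundreds of entries in its dataset.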
I went through the tedious exercise of double-checking that all my hundreds of passwords are long, complex and unique some time ago – not too hard thanks to using a good password manager. [And, yes, I do appreciate that I am vulnerable to flaws, bugs, config errors and inept use of the password manager, but I'm happy that it is relatively, not absolutely, secure. There are other information risks that give me more concern.] If you haven’t done that yet, take this latest incident as a prompt. Don't wait for the next one.
Email compromises are pernicious. Aside from whatever salacious content there might be on my email account, most sites and apps now use email for password changes (and it’s often a fallback if multifactor authentication fails), so an email compromise may lead on to others, even if we use strong, unique passwords everywhere.