Pwned Perspective: Understanding email/password leaks without the panic

Lately, there’s been a wave of panic on social media about email and password leaks. This blog aims to highlight why it’s not the end of the world, how common these incidents are, and how understanding the facts can help you not only stay safer online but also avoid unnecessary panic. As the title suggests, this blog focuses solely on leaked login credentials (i.e., usernames, emails, & passwords) and does not cover data breaches involving PII (SSN, DOB, DL, name/address etc). If you’re affected by that kind of breach, freeze your credit file immediately by following this link.

Chances are, your email and passwords have been exposed in one of numerous past breaches; it's an established reality, not an assumption. Services like Have I Been Pwned (HIBP) collect this leaked data so you can check whether your credentials have surfaced on the dark web. 

But don’t panic. Most people don't know that a pwned password is not your actual password in plain text, but a hashed version. Although there have been a few rare incidents where passwords were leaked in plain text, that’s uncommon so you can assume pretty much all breached passwords are hashed and require cracking to become usable. If your password is long, strong, and includes special characters, numbers, etc., it becomes impractical and nearly impossible to crack without powerful computing resources and may take days, weeks, or even months or years to crack depending on the complexity of the password. Hackers don’t have that kind of time and skip these in favor of easier, crackable passwords. Also, if the affected account has two-factor authentication (2FA) enabled, your exposure is minimal. Still, treat it as a heads-up.

In summary, if your passwords are strong and unique and you had 2FA enabled, you can safely assume you are fine. In any case, make sure you do the following:

• Change your passwords immediately, especially if reused
• Enable 2FA wherever possible, preferably using an authenticator app that generates OTP instead of SMS-based verification
• Always use strong and unique passwords or preferably use passphrases

It’s not about fear; it’s about stacking the odds in your favor. Hackers aren’t chasing hard battles; they want quick wins. Don’t be the easy one!

---

Stay Informed and Safe Online

If you enjoyed this blog, you'll find many more cybersecurity related microblogs at link below. They offer valuable insights to help you stay informed and safe online. Explore them at https://blog.selvansoft.com

Is your computer compromised?

Easy way to check if your computer is/was compromised now or in the past

With the recent addition of Naz.API dataset (a massive collection of over 1 billion stolen username and passwords) to HIBP service ("Have I Been Pwned" - a service by troyhunt.com), it is now very easy to check if your computer is compromised by information stealing malware now or in the past. 

Go to the HIBP service at https://haveibeenpwned.com and enter your e-mail (don’t worry, it is 100% safe) and check the search results. The results may span several pages, so make sure to scroll down and check all the breaches your email is listed as compromised. Keep in mind that it is not at all unusual to see your email show up on multiple breaches. For example, see the screenshot below of my own email search.

As you scroll through the list, check if your email is listed for Naz.API. If your email was one of the unfortunate one to be included in the Naz.API list, it is a clear indication that your computer is now or in the past was compromised and information was stolen. The very least you can do is to make sure your current password is not included in the list. There are couple of ways you can check. I know some password managers like 1Password for example can check all your passwords against HIBP database. If you don’t use any tools that support checking your password in HIBP database you are welcome to use my php script at my GitHub repo below which does the same thing, the only caveat is that it checks one password at a time against HIBP database, so you have to repeat that for all your passwords.

https://github.com/aselvan/scripts/blob/master/security/pwned_password.php

How to run: If you are on a Mac or Linux, you can run the script directly with the two commands as shown below ... If you are windows, you have to install php, curl etc first which is beyond the scope of this blog.

curl -s https://raw.githubusercontent.com/aselvan/scripts/master/security/pwned_password.php -o /tmp/pwned_password.php

php /tmp/pwned_password.php

If you are unfortunate to have your password listed in HIBP as per the tools (1Password or my script or any others that check your password against HIBP), and if it is any of your current passwords, change it ASAP and enable 2F if that’s not already in place. If your current password is not found, it means an old password you used in the past was compromised. Still, it is a good idea to change all your passwords ASAP.

If you use more than one email address now or in the past, repeat this for each e-mail.

For further details can be found at the following links

• https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-71-million-emails-from-nazapi-stolen-account-list/
• https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/

Stay Informed and Safe Online

If you enjoyed this blog, you'll find many more cybersecurity related microblogs at link below. They offer valuable insights to help you stay informed and safe online. Explore them at https://blog.selvansoft.com