Received a new wrinkle on an old scam yesterday, as the email included a password I have used on websites (but not a user name) in an attempt to convince me of its authenticity.
In investigating this, I came across this useful site: https://haveibeenpwned.com/
(where you can check if any email address has been published due to a data breach/hack)
You will either get an all clear message, or an 'Oh no' one.
If it's 'Oh no', scroll down the page a bit to see which sites were breached.
You can also check if a password you use has been affected here: https://haveibeenpwned.com/Passwords
although that doesn't show which sites it came from.
I'm not trying to push the site, and I wouldn't sign up for any pay services it offers, but it was a useful reminder to me that I am not the only one who holds my data, and regardless of how careful I think I am being, if they are careless, my information can be released publicly.
Being honest, we are most of us lazy when it comes to passwords, so I would recommend:
1) checking if your email address has been 'pwned' (password owned, I guess)
2) making a point of changing any passwords on sites using that address if you have been pwned
3) in general, using unique passwords, but since we probably don't want to be bothered doing that, at the least, use unique passwords for sites where you provide anything more than email/username/password to register (e.g. sites where you buy stuff.) For other sites, you could use a generic password plus a website marker
e.g. [email protected]
This would also help you in future, if you did get a spammy email with a password, as it would clearly show which site had been breached.
I would describe myself as pretty security conscious in terms of computers, so this was a wake up call to me to stop being so lazy.
Is my password safe on here?
In terms of our site, passwords are stored as a 'hash' (a unique code) not in plain text, so even in the unlikely event we were hacked, no passwords would be recoverable.
The problem comes with sites that store passwords as plain text.