#HIBP
Original post on bofh.social

So this is confusing.
#BitWarden is telling me the #passphrase for one of my email #accounts (which includes capitalization, numbers, and symbols) is a #weak and #compromised #password and I need to change it "now".
Except...
My #email address does **not** appear in _Have I Been Pwned?_ / #HIBP […]

Betterment breach scope pegged at 1.4M users : Breach-tracking site flags dataset following impersonation-based intrusion

#Betterment breach may expose 1.4M users after #socialengineering attack
www.theregister.com/2026/02/05/b...

#HIBP posts numbers but investment company yet to publicly confirm how many customers were affected by January's intrusion.
#CyberSecurity #InfoSec #DataBreach #HaveIBeenPwned #CyberCrime


Curious if your data is on the Dark Web? 🕵️‍♂️ Visit HaveIBeenPwned.com to check if your email was leaked in a breach. If you're 'pwned,' change those passwords & enable MFA immediately! 🛡️🔐 #CyberSecurity #InfoSec #HIBP #DataPrivacy #ZeroTrust


Security paranoia versus common sense: fixing a Home Assistant that bricked itself without internet Home Assistant по...

#Home #Assistant #Have #I #Been #Pwned #HIBP #санкции #роскомнадзор #raspberry #pi


Just another day at the #HIBP office for @troyhunt.com.

#cybersecurity #privacy #identity

haveibeenpwned.com

Original post on graz.social

With the latest data added to #haveIbeenpwned I found out that #Dropbox lost my credentials a second time. 😔

So make sure to check #HIBP webpage with your email addresses and/or your domain to find out which services got hacked.

So I just deleted all my Dropbox data (I haven't used for 13 […]


HaveIBeenPwned (HIBP) is a crucial tool for checking if your data is compromised. While useful, discussions highlighted its limitations, like cost for domain searches, and debated the safety of entering passwords directly. #HIBP 5/6

How you actually should respond to that “183 million credentials leak”

There’s a new Forbes article floating around about the trove of 183 million credentials that were recently leaked to Have I Been Pwned. The article makes a big deal about the fact that there were “Gmail passwords confirmed” in the leak. Let’s break down why it’s a bad article and what you should have been told instead.

The article makes a big deal of the fact that “Gmail passwords” were included in the leak without saying a single word about the fact that _your Gmail password is also your Google password._ Google Photos, Google Docs, Google Drive, **_any site you’ve used “log in with Google” on_** … all these are compromised if your “Gmail password” is. It’s kind of laughable that this article goes to some effort to fearmonger about compromised “Gmail passwords” when the problem it’s trying to scare people about is actually worse than it says it is.

While the article understates the damage from the leak in that way, it overstates it in another. This article, and others that have reported about this leak, fails to provide the important context that if you practice decent device hygiene and your devices have not been compromised by infostealers, then _none_ of your account passwords are in this leak. Furthermore, because we all have many accounts and infostealers vacuum up credentials from all of them, my guess is that you would have to divide that number by at least 3 or 4 to arrive at a reasonable estimate of the number of impacted _people_, which is far more relevant than the number of impacted _accounts_. Given that there are billions of people in the world who log into websites, and we’re talking maybe 20 million people affected by this leak, it’s actually pretty unlikely that you are.

Once the article is finished both understating and overstating the problem it’s reporting on, it gets around to telling you what it thinks you should do about it, and it gets that wrong too.

* When discussing how your password manager can help protect you against compromised passwords, it focuses entirely on the Chrome password manager; there isn’t a single word about how other password managers offer similar features and protections. Maybe the author should have done some real research and reporting here rather than just paraphrasing the press release Google sent him.
* It focuses on people enabling 2-step verification on their Google accounts—again, just quoting from Google—rather than making it clear that they should be using strong two-factor authentication or passkeys for _all_ of their accounts, wherever it is offered.
* It makes a brief nod to the fact that you should not be reusing passwords on multiple websites without making explicit that the best way to do that is to use a password manager, which everyone should be doing; “if you are a user of the Chrome password manager” is not the same as “you should be using a password manager!”
* It doesn’t say a single word about the fact that if your data is in this leak, then one of your devices was compromised, and you need to clean your devices and follow better device security practices in the future. Yes, how to do all this is beyond the scope of an article like this, but the article should at least mention it and link to some outside sources for more information.
* While it does hint (under the misleading heading “What We Know About The 183 Million Passwords Data Leak”) that everyone should register with Have I Been Pwned to get notified automatically about breaches or leaks that impact them (well, aside from the ones HIBP is legally prohibited from warning you about), it is far less explicit about this than it should be.

## Here’s the TLDR

* This isn’t just a Gmail problem.
* Register at Have I Been Pwned if you haven’t already.
* Practice good device security hygiene. Most importantly:
  * keep your OS and apps up-to-date;
  * keep your device security software enabled (macOS, Windows, iOS, and Android all have it built in; you probably don’t need to pay for a third-party antivirus tool);
  * keep the malware protections in your web browser enabled; and
  * if you keep important data locally on your device, back it up following the 3-2-1 rule.
* Change your passwords for any of the sites HIBP says have been compromised, if you haven’t already. While you’re doing that, enable strong 2FA (not email or SMS) or set up a passkey.
* Use strong 2FA or passkeys everywhere else.
* Use a password manager for all of your passwords, and use long, random, unique passwords generated by the password manager.
* Don’t invite hackers onto your device by falling for tech-support or ClickFix scams or enabling browser notifications from shady websites.

*sigh* OK, that last point isn’t as obvious as the previous ones. I can’t with a straight face explain them in a section entitled “Here’s the TLDR”, so I suppose this article needs to be a bit longer…

## What are tech-support scams and how to avoid them

If anyone you don’t know tells you they’re helping you fix a problem with your computer and they need you to give them remote access or run some commands they send you, they are almost certainly scammers and you absolutely should not do what they’re asking.

If you suddenly see a pop-up on your computer telling you it’s compromised or broken and giving you a phone number you should call or website you should visit for help getting it fixed, this is almost certainly a scam and you should ignore it. If they’ve managed to make the message fill up the whole screen and you can’t figure out how to get rid of it, then this is even more true. The flashier and louder the warning is, the more likely it is that it’s a scam.

**Do not ask the bad guys how to make the message go away. They will manipulate you into compromising your computer.** Ask someone you know in person for help. If you don’t have anyone to ask, call Geek Squad and ask them to come out and help you and show you how to get rid of the messages yourself next time. Believe me, paying Geek Squad a couple hundred dollars is preferable to giving hackers the run of your computer.

Also don’t fall for it if someone calls you randomly on the phone and tells you they’re from “tech support” or Microsoft or Apple or Google or whatever and they’ve detected a problem with your computer and they’re calling you to help you fix it. No one calling you on the phone to tell you they’ve detected a problem with your computer is legitimate.

## What are ClickFix scams and how to avoid them

If a message pops up on your computer saying you need to copy and paste a command into a command prompt, the Windows run prompt (Command-R), your browser’s developer console, etc. to fix something, or to get through an “are you human?” check, it is a scam and you shouldn’t do it. The website you’re visiting is compromised, and the people who compromised the website are now trying to compromise your device as well.

These attacks often show you an innocent-looking command they’re telling you to copy and paste and say “Click here to copy this command,” but in fact when you “click here” _it copies a malicious command that’s different from what they showed you_. If you find that a bit difficult to grasp, think about the fact that this link doesn’t point to a website called “this link”.

## Stop enabling crappy browser push notifications, just stop

There are a lot of shady websites out there trying to trick you into visiting them instead of the legitimate website you actually intended to visit. And for many of these shady websites, the very first thing they will do when you visit their homepage is pop up a message asking you to let them send you notifications. The pop-up often doesn’t even use the word “notifications”, it uses exciting, useful-sounding language, e.g., “Click here to keep getting important news updates!”

If you’re the kind of person who tends to end up on these shady websites and say yes when asked to allow notifications, then you probably already know it, because you’re probably already getting notifications from them constantly. Stop letting them do that to you. These constant notifications are literally unhealthy, but aside from that, they’re also a security risk, because they are often used as a vector for tech-support and ClickFix scams. You don’t need the notifications. You don’t need the constant dopamine hits. They are not healthy or safe.

Every browser is a little different, but you can search for, e.g., “Edge disable push notifications” or “Chrome disable push notifications” to find out how to turn off these notifications for the browser you use. If you are absolutely certain there is a completely legitimate website you want to allow push notifications from, you can enable notifications manually for that specific website. This is usually accomplished by clicking a button or something to the left of the website URL at the top of the browser window to view and update the browser settings for this particular website.

How you actually should respond to that "183 million credentials leak"

What a recent Forbes article got wrong and what it should have told you instead.

blog.kamens.us/2025/10/28/how-you-actua...

Massive Gmail Data Breach Exposes 183 Million Accounts: Are You at Risk? Over 183 million Gmail accounts compromised in a recent data breach. Discover how this affects you and steps to secure your account.

🔒 Change your passwords and enable two-factor authentication. ⚠️ Avoid reusing your passwords.
#CyberSécurité #FuiteDeDonnées #Gmail #Confidentialité #SécuritéEnLigne #HIBP #InfoSec #TECHi.

www.techi.com/massive-gmai...

Animeify Data Breach Exposed Over 800,000 Users' Plain Text Passwords The 2021 Animeify data breach compromised 808k user accounts, leaking email addresses, names, and unencrypted plain text passwords.

Read the full breakdown here:
www.technadu.com/animeify-dat...

💬 What do you think, is this sheer negligence, or an industry-wide failure to implement security basics?
#CyberSecurity #DataBreach #Animeify #HIBP


Have I Been Pwned ( #HIBP) has unveiled a major front-end redesign - boosting breach visibility & laying the groundwork for future capabilities.

In an interview with #InfoQ, @troyhunt.com shared what’s next: automation, family account enrollment & improved enterprise workflows.

👉 bit.ly/3T8Imek


Discussion on HIBP 2.0 relaunch covers its value, potential vulnerabilities, design changes, and broader data breach implications. Users debated usefulness & security practices. #HIBP 1/6

Have I Been Pwned gets major refresh with celebratory confetti, unified dashboard, and more Have I Been Pwned just got its biggest update in years, featuring a new website design, a revamped dashboard, dedicated data breach pages, and more.

Have I Been Pwned just got its biggest update in years, featuring a new website design, a revamped dashboard, dedicated data breach pages, and more. #HIBP

Have I Been Pwned 2.0 is Now Live! This has been a very long time coming, but finally, after a marathon effort, the brand new Have I Been Pwned website is now live! Feb last year is when I made the first commit to the public repo f...

Congrats to @troyhunt.com & HIBP (and all of us!)! Have I Been Pwned 2.0 is Now Live! (and now, it's even better - it has confetti!) www.troyhunt.com/have-i-been-... cc @gate15.bsky.social #cybersecurity #HIBP

DOGE worker’s old creds found in malware data dumps Infosec in brief: PLUS: Celsius scammer sent to slammer; Death-by-hacking victim warns you're never safe; and more

#DOGE worker's old creds found exposed in #malware dumps
www.theregister.com/2025/05/12/d...

Four #infostealer log dumps found alongside 51 #databreach records associated with DOGE employee on #HaveIBeenPwned.
#CyberSecurity #InfoSec #DataProtection #HIBP #Hacking

Passwort-Check

Small update on our #HIBP style password checker: We are now at 9.91 billion password hashes (sha1 and ntlm), and it's growing and growing. Only 1.3 billion (13%) of those are in HIBP.

https://pwcheck.gwdg.de/
https://pwcheck.mpg.de/

#itsec #infosec #security #leak


The recent addition of 284 million compromised accounts to Have I Been Pwned underscores the persistent threat posed by information stealer malware.
🔗 Read more on our blog: buff.ly/17e7Awz

#HIBP #Telegram #HaveIBeenPwned

Do you have a compromised account? 284 million stolen credentials added to HIBP! Have I Been Pwned (HIBP) has added 284 million accounts stolen by infostealers and spread on Telegram. Check now whether you have been hacked!

Do you have a compromised account? 284 million stolen credentials added to HIBP.

www.redhotcyber.com/post/hai-un-...

> Have I Been Pwned ( #HIBP) has added 284 million accounts stolen by infostealers and spread on Telegram. Check now whether you have been hacked

284 million stolen accounts added to the Have I Been Pwned service More than 284 million compromised accounts have been added to the Have I Been Pwned service: where does this data from an infostealer malware come from?

🔥 284 million accounts compromised by an infostealer added to the Have I Been Pwned service!

👉 More info in our article: www.it-connect.fr/284-millions...

#cybersecurite #HIBP #infosec #infostealer

Have I Been Pwned Adds ALIEN TXTBASE Data 280M Emails & Passwords Follow us on Bluesky, Twitter (X) and Facebook at @Hackread

🚨 Massive Data Leak Alert! - #HaveIBeenPwned (HIBP) adds "ALIEN TXTBASE"—280M emails and passwords from infostealer malware now exposed. Check if you're affected! 🔍💀

Read: hackread.com/have-i-been-...

#CyberSecurity #DataBreach #HIBP

1M Breached Glamira Accounts Expose 875K Emails - TechNadu Glamira disclosed a 2023 data breach that impacted 1 million accounts and compromised 875,000 email addresses.

1 Million Accounts Impacted by the Massive 2023 Glamira Data Breach, 875,000 Emails Exposed. Read more⤵️

#Glamira #DataBreach #HIBP


🚨 A cyber criminal has released a possible #Politico data leak!

ℹ️ The sample contains 36 email addresses as well as information from some AWS endpoints!

#dataleak #databreach #hibp


In November 2024, a data leak at the electricity provider #Tibber became known, in which more than 50,000 records of German customers were stolen.

#POTATOSICHERHEIT #POTATOSECURITY #DATENSCHUTZ #DATENSICHERHEIT #HIBP
1/5


🚨 A data breach has exposed 23 million records linked to Hopamedia! 😱 Users are urged to stay vigilant against phishing attempts. Check your accounts! 🔒 #DataBreach #HIBP #CyberSecurity cyberinsider.com/hibp-notifie...


Have you received a data breach notification from Ledger this week? While Ledger did have a data breach, it was in 2020 and will be a specific result from #HIBP if you search.
The data breach email doing the rounds this week is a phish. Think before you click! :)

#cybersecurity #phish #infosec


Internet Archive mashed: 31 million users at risk
#PotatoAttacks #PotatoSecurity #DataBreach #DatiPersonali #DDoS #Masher #HIBP #InternetArchive #Notizie #Privacy #Sicurezza #StatiUniti #Tecnologia #USA #ViolazioneDati
www.ceotech.it/internet-arc...


Internet Archive hacked: 31 million users at risk
#CyberAttacks #CyberSecurity #DataBreach #DatiPersonali #DDoS #Hacker #HIBP #InternetArchive #Notizie #Privacy #Sicurezza #StatiUniti #Tecnologia #USA #ViolazioneDati
www.ceotech.it/internet-arc...

Have I Been Pwned: Check if your email has been compromised in a data breach Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.

My #InternetArchive account was well and truly leaked
haveibeenpwned.com #HIBP

Internet Archive hacked, data breach impacts 31 million users Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.

Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.

www.bleepingcomputer.com/news/securit... #tech #0sec #HIBP #hacked #InternetArchive
