Today I got two friendly alerts from Have I Been Pwned, a free service that tracks data breaches and tells you if your info was exposed. It told me that my old passwords for Kickstarter and Bitly, breached in 2014, were now publicly available (though encrypted) online.
Probably this guy's fault
Bitly (the URL shortener) and Kickstarter (the slim-wallet store) had announced these breaches back when they discovered them. That breached account info, which includes usernames and encrypted passwords, has finally worked its way onto the public internet.
Have I Been Pwned has taken that info and cataloged it. The site never reveals sensitive information, but if you give it your email address, it can tell you if the associated account was exposed.
Let this remind you of three good security habits:
- Sign up for Have I Been Pwned's alerts (click "Notify me" in the top menu), so any time an account with your email address gets publicly exposed, Have I Been Pwned can notify you, and you can change your password if you already haven't.
- Never re-use passwords! Not even once. Don't let one hack expose your account on five different sites. "But I only re-use passwords on sites that don't matter!" you might say. But then you use one site to authorise another, or you give a site your credit card info, and suddenly that account really matters. Your accounts will get hacked. You can only contain the damage.
- Instead, use a password manager. Then you won't have to remember your passwords, you won't have to make them up, you won't even have to type them. Plus this manager will alert you about hacks, usually sooner than Have I Been Pwned. Life will be easy and free.
If you're worried about protecting your online identity from hackers a password manager like 1Password is a good place to start, but setting up an account is only half the battle. Most of these services feature extra security features that you may not be taking advantage of.
In many breaches elsewhere, passwords have been exposed in clear text. Have I Been Pwned has more details on these two breaches, and many others, in that link.