In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, an outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/
They are getting lots of press.
“If you don’t know, a website called ShouldIChangeMyPassword.com will tell you. Just enter your email—they won’t store your address unless you ask them to—and click the button that says, “Check it.” If your email has been associated with any of a large and ever-growing list of known password breaches, including the latest Yahoo hack, the site will let you know, and advise you to change it right away.”
Well, I tried it out, with an account that gets lots of spam anyway. Lo and behold, that account was hacked! Well, maybe.
(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)
The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one. It is for a local community site that used to be a “Free-net.” I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site. So I wasn’t completely surprised to see the address had been hacked. I do get email through it, but, as noted, I also get (and analyse) a lot of spam.
When you get the notification, it tells you almost nothing. Only that your account has been hacked, and when. However, you can find a list of breaches, if you dig around on the site. This list has dates. The only breach that corresponded to the date I was given was the Strategic Forecasting breach.
I have, in the past, subscribed to Strategic Forecasting. But only on the free list. (Nothing on the free list ever convinced me that the paid version was worth it.) So, my email address was listed in the Strategic Forecasting list. But only my email address. It never had a password or credit card number associated with it.
It may be worth it as a quick check. However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.