How To Check If Your Account Passwords Have Been Leaked Online

Security breaches and password leaks happen constantly on today’s Internet. LinkedIn, Yahoo, Last.fm, eHarmony – the list of compromised websites is long. If you want to know whether your account information was leaked, there are some tools you can use.

These leaks often lead to many compromised accounts on other websites. However, you can protect yourself by using unique passwords everywhere – if you do, password leaks won’t be a threat to you.

Image Credit: Johan Larsson on Flickr

Why Password Leaks Are Dangerous

Password leaks are so dangerous because many people use the same password for multiple websites. If you register for a website with your email address and provide the same password you use for your email account, that email/password combination may be present on a list somewhere.

Crackers can then use this email/password combination to gain access to your email account. Even if you use a different password for your email account, they may try the email or account name and password combination on other websites to gain access to your other accounts.

For example, crackers recently compromised over 11,000 Guild Wars 2 accounts. They didn’t use keyloggers or compromise the game’s servers – they just tried logging in using email address and password combinations found on lists of leaked passwords. Players who reused a password that had already been leaked were compromised. The same will happen for other services that crackers want to gain access to.

How To Protect Yourself

To protect yourself against future leaks, ensure you use different passwords on each website – and ensure they’re long, strong passwords. Otherwise, a compromise at one website could lead to your accounts elsewhere being compromised. While compromised websites will generally inform you of the leak and have you change your password immediately, this won’t help much if you’re using the same password on many other websites.

Remembering unique passwords for all the different websites we use can be difficult, which is why password managers can be so useful. We like LastPass, but many people swear by KeePass, which keeps you in control of your data.

Checking If Your Password Was Leaked

If you’re curious whether your email address appears on one of these leaked password lists, you don’t have to find a shady download site and download the lists yourself. Instead, you can use a tool that quickly checks for you.

PwnedList is a good one. LastPass now uses PwnedList to monitor whether LastPass account email addresses become compromised. For example, if your LastPass account email address is you@example.com, you’ll get a notification if you@example.com appears on any lists of leaked email addresses and passwords. This only applies to the single email address you use for your LastPass account, not every address you have in your LastPass vault.

If you want to check an email address manually, you can use PwnedList’s website. Plug in an email address and PwnedList will tell you whether it appears on any leaked lists. (Note that you can also enter the SHA-512 hash of your email address if you don’t trust PwnedList with the address itself – you can use a hashing tool to generate one.)

If your email address does appear on a list, don’t panic – this just means you should ensure you’re not reusing the same passwords on multiple websites. If you use the same password everywhere and your email address appears on one (or more) of these lists, you have a problem – you should change your passwords immediately.
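The reuse check described above can be run locally over a password manager export. This is an added example, not part of the original article; the account records, site names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: (site, login, password). In practice this would be
# read from a password manager export kept on your own machine.
SAMPLE_ACCOUNTS = [
    ("mail.example", "you@example.com", "correct horse battery"),
    ("game.example", "you@example.com", "hunter2hunter2"),
    ("forum.example", "you@example.com", "hunter2hunter2"),
    ("shop.example", "you", "hunter2hunter2"),
    ("bank.example", "you@example.com", "x9$Lq0!vTz-unique"),
]


def reuse_groups(accounts):
    """Return lists of (site, login) pairs that share one password."""
    # Per-run random key: passwords are grouped by a keyed fingerprint, so no
    # plaintext password ends up in the grouping structure or in any output.
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for site, login, password in accounts:
        fp = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[fp].append((site, login))
    return [sorted(members) for members in groups.values() if len(members) > 1]


def exposed_by_breach(accounts, breached_sites):
    """Accounts on other sites that share a password with a breached site."""
    breached = set(breached_sites)
    exposed = set()
    for group in reuse_groups(accounts):
        if {site for site, _ in group} & breached:
            # Every non-breached member of this group needs a new password.
            exposed.update(m for m in group if m[0] not in breached)
    return sorted(exposed)


if __name__ == "__main__":
    # Suppose a lookup shows your address on a list leaked from forum.example.
    for site, login in exposed_by_breach(SAMPLE_ACCOUNTS, ["forum.example"]):
        print(f"change password: {login} at {site}")
```

An empty result for a breached site means the password used there was unique, which is the situation the article recommends.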

LastPass also hosts some tools that allow you to see whether a specific password appears on the leaked lists of LinkedIn or Last.fm passwords. You can actually plug passwords in and see if someone was using them. The results show how weak many passwords are – plug in “password123” and you can see that at least one person was using it as their LinkedIn password.

Your email account is the center of your online security – websites generally allow you to change your password as long as you can click a link in an email. If someone else gains access to your email account, it can be game over for your other accounts. Read How To Recover After Your Email Password Is Compromised for more tips on protecting yourself.

LastPass Hacked, Change Your Master Password Now

Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked. It’s time to change your master password. The good news is, the passwords you have saved for other sites should be safe.

LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update the master password they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication, you should do that immediately.

We’ve talked about what happens if LastPass gets hacked before. As it stands, it doesn’t seem that this hack resulted in any significant data losses for users. However, it’s still important to take steps necessary to protect your account as soon as you can.

Note: It sounds like LastPass’ servers are getting hammered right now, so if your password change doesn’t go through, check back frequently through the day until it does.

LastPass Security Notice | LastPass Hacked