Is there any reason to change this compromised password? And if so, how?
My "throw-away" password is in the list of those compromised by the Adobe hack. It's a common dictionary word that I use for sites that I really don't care about security on: things that I don't even understand why they should be password protected, "test-driving" sites or products where I don't intend to keep using them, and an old email account that was for a blog that I haven't updated in about four years. (And I don't use the account any more). I'm pretty unconcerned about it being compromised.

Is there any reason I should worry? And if I do want to change it, is there any way to find out what all the sites are that I have used it on in the past?

The only slight concern I have is that I use a variant of this (one extra character added so it isn't just a dictionary word) on sites where I care slightly more about security. I.e. stuff I use on a regular basis, but that doesn't contain sensitive information, e.g. an Evernote account that I use only to take and store notes during academic seminars, my to-do list manager, my metafilter account, etc. Should I change that password?

I practice good password hygiene for important stuff, by the way, so please don't lecture me. I use LastPass, and have long strings of letters and numbers that don't mean anything, and never reuse passwords for things like my bank account, primary email address, etc.
Answer:
Try searching your email inbox for "action required to activate". It'll pull up the bog-standard account activation email you get from a lot of these throwaway sites/forums/services/etc. Also try stuff like "registration" or "confirm."
lollusc at Ask.Metafilter.Com
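The inbox search suggested in the answer above can also be run offline over a mailbox export. This is an added example, not part of the original thread; it assumes the mail has been exported to an mbox file, and the sample messages and `.example` domains are constructed.

```python
import mailbox
import re
import tempfile
from email.utils import parseaddr

# Subject phrases suggested in the answer, matched case-insensitively.
SIGNUP_RE = re.compile(r"action required to activate|registration|confirm", re.I)

def signup_domains(mbox_path):
    """Return {sender domain: [subjects]} for messages that look like sign-up mail."""
    found = {}
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            subject = str(msg.get("Subject", ""))
            if not SIGNUP_RE.search(subject):
                continue
            _, addr = parseaddr(str(msg.get("From", "")))
            domain = addr.rpartition("@")[2].lower() or "(unknown sender)"
            found.setdefault(domain, []).append(subject)
    finally:
        box.close()
    return found

# Constructed sample mailbox (not real mail), so the example runs offline.
SAMPLE_MBOX = """\
From noreply@forum.example Mon Jan  7 10:00:00 2013
From: Forum Bot <noreply@forum.example>
Subject: Action required to activate your account

Click the link to finish signing up.

From news@shop.example Tue Jan  8 11:00:00 2013
From: Shop <news@shop.example>
Subject: Weekly deals

Nothing to see here.

From accounts@notes.example Wed Jan  9 12:00:00 2013
From: accounts@notes.example
Subject: Please confirm your registration

Welcome aboard.
"""

def demo():
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return signup_domains(fh.name)
```

The returned domains are a starting list of sites where an account was created with that address; sites that never sent a confirmation mail will not appear.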
Other answers
I'm glad you asked this because I am in exactly the same boat. I personally decided not to care because I can't foresee any actual harm being done. I am not an expert, though, and would be glad to hear from someone who is.
Literaryhero
You remember the http://www.metafilter.com/121929/The-age-of-the-password-has-come-to-an-end? I've used it as an example in presentations to lawyers about how weird and unintuitive computer security is. The thing I love about that story is how improbable the steps of the hack are -- especially the part about adding a credit card to somebody else's account.

So...how does this relate to your situation? It's probable that there's an obscure sequence of "add this email address to this system," followed by "delete that information from that system," where you can start from your compromised Adobe address and end up at an address you care about. The question is, are you interesting enough that somebody will bother to figure out the sequence? (Where "interesting" means "famous," or "rich," or "powerful," or "outspoken," or "the NSA wants to roll you.") Only you can make that calculation, vs. the value of your time to change the passwords and make the sequence more complicated.

FWIW, I consider myself modestly tin-foil-hat, and I used to use a throwaway password for stupid accounts, the same way you apparently did. I no longer do that -- I use a unique password everywhere, save the ones I care about, and rely on Firefox to remember the ones I don't. (If Firefox forgets it for some reason, I can always recover it somehow, or ... I'll create a new account. Whatever.) But I never bothered to go back and change the old throwaway passwords. I'm vulnerable, certainly, but I'm also not very interesting. (I hope this answer doesn't change the latter fact!)
spacewrench
I would update the email account's password, just because email accounts are so often used for password resets and the like.
hattifattener
Variants will be easy to guess if 80-90% of the password is the same, so yeah, change them. The thing I'd be most worried about is if your password hint is part of the Adobe breach: threat actors can easily see which password hints match up to emails and usernames, so if there's any type of username/email match across sites and you use a variant, even an algorithmic variant, you would be wise to change your password.
Annika Cicada
Yes, my password hint is part of it, but that hint still only points to that throwaway password, so I'm not sure why that makes it worse? I've never used that password hint with a username I care about. Good point about the variant, though. I've now gone ahead and changed that in the couple of places I can remember using it.
lollusc
Oh wait, I get it. You mean if I use the same password hint for the straight password and for the variant. Which yes, I might well do. But as I said, I've changed the variant ones now (where I remember). Any tips on tracking down where else I might have used it?
lollusc
LastPass has a feature that will tell you which sites have duplicate passwords, but I'm guessing that you don't have LastPass save sites that you use your throwaway password on. If for whatever reason you do, it can certainly check for you if you https://lastpass.com/support.php?cmd=showfaq&id=1446
zsazsa
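For readers who do keep such logins in a password manager, the duplicate check and the "variant" concern raised in the answers above can be combined in one self-audit over an exported vault. This is an added example, not from the thread or from LastPass; the `url,username,password` column names, the edit-distance threshold of 2 and the sample rows are assumptions made for illustration.

```python
import csv
import io

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def audit(csv_text, leaked, max_distance=2):
    """Return [(url, username, kind)] for entries equal or close to the leaked password."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row["password"]
        if pw == leaked:
            hits.append((row["url"], row["username"], "same"))
        # Case is ignored for variants: capitalising a letter is a common tweak.
        elif edit_distance(pw.lower(), leaked.lower()) <= max_distance:
            hits.append((row["url"], row["username"], "variant"))
    return hits

# Constructed export (assumed column names, made-up sites and passwords).
SAMPLE_EXPORT = """url,username,password
https://forum.example,me@mail.example,sunflower
https://notes.example,me@mail.example,sunflower7
https://todo.example,me@mail.example,Sunfl0wer!
https://bank.example,me@mail.example,q8Zr2vLx0pTn4kWd
"""

def demo():
    return audit(SAMPLE_EXPORT, "sunflower")

if __name__ == "__main__":
    for url, user, kind in demo():
        print(f"{kind:8} {user:18} {url}")
```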