Date sent: Sun, 10 Mar 2019 01:30:40 +0000 (UTC)
From: "Have I Been Pwned" <firstname.lastname@example.org>
Subject: You're one of 763,117,241 people pwned in the Verifications.io data breach
> You signed up for notifications when your account was pwned in a data breach and
> unfortunately, it's happened.
Really? I don't recall having signed up for this ...
> You're one of 763,117,241 people who've had an account compromised in the
> Verifications.io hack of Feb 2019, the details of which you can read about here:
Thing is, I don't recall having used Verifications.io. At all. Or any other third party verification system ...
> The data disclosed in the breach includes: Dates of birth, Email addresses,
> Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone
> numbers, Physical addresses
> Monitoring Have I Been Pwned for data breaches is a great start, now try these
> next 2 steps to protect all your accounts:
> Step 1: Protect yourself with strong, unique passwords for each website with the
> 1Password password manager: https://1password.com/
> Step 2: Enable 2 factor authentication and store the codes inside your 1Password account
So, an outside authentication system has been breached, and therefore I should use an outside authentication system?
> You can also run a search for breaches of your email address again at any time
> to get a complete list of sites where your account has been compromised:
That seems a rather long URL ...
> If you don't want to receive any future breach notifications, just click here to
The notification you are receiving is from haveibeenpwned.com, which is maintained by Troy Hunt and is considered a valid resource.
You have likely used this service before and signed up for their notifications, as that site is not known to spam.
As to verifications.io, you didn't have to be explicitly registered with them, or consent to your data being used and lost by that shady vendor.
Essentially, none of our PII is really PII anymore. Given how many vendors whose products we use on a daily basis have our consent to share it with others based on THEIR terms of service, it is everywhere.
The only thing we could do is to use unique credentials with every single service and to rotate those periodically. Password managers could help, but those have their own security issues:
On the subject of haveibeenpwned.com notifications, I have a slight objection to the non-definitive wording of their messages and the absence of criticality ratings for the breaches.
Otherwise, it still delivers value in terms of alerting us of the compromises and their scopes.
@rslade if you send me $100US equivalent in bitcoin and the data they are looking for I can act as your intermediary and clear this up for you.
We recognize that this is wrong and know how to react to it. Sadly there are many out there that don't and get stung by this. I try to post weekly helpful hints on Facebook for my friends to educate them better. I have many that comment on how much they have learned from what I share (proof that FB is good for at least one thing).