rslade
Influencer II

Verifications.io breach notification message?

Date sent: Sun, 10 Mar 2019 01:30:40 +0000 (UTC)
From: "Have I Been Pwned" <noreply@haveibeenpwned.com>
To: rmslade@shaw.ca
Subject: You're one of 763,117,241 people pwned in the Verifications.io data breach

> You signed up for notifications when your account was pwned in a data breach and
> unfortunately, it's happened.

Really? I don't recall having signed up for this ...

> You're one of 763,117,241 people who've had an account compromised in the
> Verifications.io hack of Feb 2019, the details of which you can read about here:
> https://haveibeenpwned.com/PwnedWebsites#VerificationsIO

Thing is, I don't recall having used Verifications.io. At all. Or any other third party verification system ...

> The data disclosed in the breach includes: Dates of birth, Email addresses,
> Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone
> numbers, Physical addresses

My word!

> Monitoring Have I Been Pwned for data breaches is a great start, now try these
> next 2 steps to protect all your accounts:

Hmmmm ...

> Step 1: Protect yourself with strong, unique passwords for each website with the
> 1Password password manager: https://1password.com/ Step 2: Enable 2 factor
> authentication and store the codes inside your 1Password account

So, an outside authentication system has been breached, and therefore I should use an outside authentication system?

> You can also run a search for breaches of your email address again at any time
> to get a complete list of sites where your account has been compromised:
> https://haveibeenpwned.com/Verify/acface0abb2bfa593029fd76fc7d5a9a

That seems a rather long URL ...

> If you don't want to receive any future breach notifications, just click here to
> unsubscribe:
> https://haveibeenpwned.com/Unsubscribe/acface0abb2bfa593029fd76fc7d5a9a

Hmmmmm ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
vt100
Community Champion

The notification you are receiving is from haveibeenpwned.com, which is maintained by Troy Hunt and is considered a valid resource.

You have likely used this service before and signed up for their notifications, as that site is not known to spam.

As to verifications.io, you didn't have to be explicitly registered with them, or consent to your data being used and lost by that shady vendor.

Every time you click "I agree" or receive the printed notification of "Privacy Policy Changes" from your bank, you are consenting to your data being shared with their affiliates, one of which happens to be verifications.io.

Essentially, any of our PII is not really PII anymore. Given how many vendors whose products we use on a daily basis have our consent to share it with others based on THEIR terms of service, it is everywhere.

The only thing we could do is to use unique credentials with every single service and to rotate those periodically. Password managers could help, but those have their own security issues:

https://www.securityevaluators.com/casestudies/password-manager-hacking/

On the subject of haveibeenpwned.com notifications, I have a slight objection to the non-definitive wording of their messages and the absence of criticality ratings for the breaches.

Otherwise, it still delivers value in terms of alerting us of the compromises and their scopes.

 

Regards,

Vladimir
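The two posts above raise the same practical question from opposite sides: rslade wonders whether a notification with long tokenised links is genuine, and Vladimir points out that it comes from haveibeenpwned.com, a known resource. The script below is an added example, not code from Have I Been Pwned or from anyone in this thread. It parses a notification-style e-mail, checks the sender domain and every link's host against an allowlist the reader chooses, and lists the links that carry a 32-character hex token (the kind rslade noticed). The message text, the `.example` look-alike host and the token value are all constructed; the real per-recipient token from the quoted mail is not reproduced.

```python
"""Sender and link checks for a breach-notification e-mail.

Added example for this thread; not code from Have I Been Pwned or from any
poster. Assumes a single-part text/plain message and an allowlist of
notification domains chosen by the reader.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the reader trusts notifications only from these domains.
TRUSTED_DOMAINS = {"haveibeenpwned.com"}

# Constructed placeholder standing in for the per-recipient token in the
# quoted message; the real value is deliberately not reproduced here.
TOKEN = "0" * 28 + "dead"

# Constructed sample modelled on the notification quoted in the thread.
SAMPLE_EMAIL = f"""\
From: "Have I Been Pwned" <noreply@haveibeenpwned.com>
To: someone@example.org
Subject: You're one of 763,117,241 people pwned in the Verifications.io data breach

You're one of 763,117,241 people who've had an account compromised in the
Verifications.io hack of Feb 2019, the details of which you can read about here:
https://haveibeenpwned.com/PwnedWebsites#VerificationsIO

You can also run a search for breaches of your email address again at any time:
https://haveibeenpwned.com/Verify/{TOKEN}

If you don't want to receive any future breach notifications, unsubscribe:
https://haveibeenpwned.com/Unsubscribe/{TOKEN}
"""

# Constructed variant: one link points at a look-alike host on the reserved
# .example TLD, so the allowlist check can be seen firing.
LOOKALIKE_EMAIL = SAMPLE_EMAIL.replace(
    "https://haveibeenpwned.com/Unsubscribe",
    "https://haveibeenpwned.example/Unsubscribe",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TOKEN_PATH_RE = re.compile(r"/[0-9a-f]{32}$")


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def extract_urls(text):
    """All http(s) URLs in the body, with trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True when host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyse(raw_message, trusted=TRUSTED_DOMAINS):
    """Report the sender domain, every link, and which links fail the allowlist."""
    msg = message_from_string(raw_message)
    links = extract_urls(msg.get_payload())
    untrusted = [u for u in links
                 if not is_trusted_host(urlparse(u).hostname or "", trusted)]
    tokenised = [u for u in links if TOKEN_PATH_RE.search(urlparse(u).path)]
    domain = sender_domain(msg)
    return {
        "sender_domain": domain,
        "sender_trusted": is_trusted_host(domain, trusted),
        "links": links,
        "untrusted_links": untrusted,
        "tokenised_links": tokenised,
    }


if __name__ == "__main__":
    for label, raw in (("genuine-looking", SAMPLE_EMAIL),
                       ("look-alike", LOOKALIKE_EMAIL)):
        r = analyse(raw)
        verdict = "OK" if r["sender_trusted"] and not r["untrusted_links"] else "SUSPECT"
        print(f"{label}: {verdict}; untrusted links: {r['untrusted_links']}")
```

A trusted From: domain on its own proves little, since that header is trivially forged; the allowlist on link hosts is the part that catches a message whose links lead somewhere else. The token list is informational: a personalised Verify or Unsubscribe token is normal for a subscription service, but it is also why such links should not be forwarded.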

Flyslinger2
Community Champion

Snark alert:

@rslade if you send me $100US equivalent in bitcoin and the data they are looking for I can act as your intermediary and clear this up for you.

Snark end.

We recognize that this is wrong and know how to react to it. Sadly there are many out there that don't and get stung by this. I try to post weekly helpful hints on Facebook for my friends to educate them better. I have many that comment on how much they have learned from what I share (proof that FB is good for at least one thing).

rslade
Influencer II

> Flyslinger2 (Contributor III) mentioned you in a post! Join the conversation

> Snark alert:   @rslade if you send me $100US equivalent in bitcoin and the
> data they are looking for I can act as your intermediary and clear this up for
> you.   Snark end.

Maybe your African prince friend can help out 🙂

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
`Here,' Ralph said, `we defend ourselves by checking people's
driver's licenses.'
`How is that working out for you?'
`Not so well,' Ralph said. - `First Contact', Evan Mandery
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB
