[conspire] (forw) You're one of 131,577,763 people pwned in the Exactis data breach

Rick Moen rick at linuxmafia.com
Wed Jul 25 14:46:07 PDT 2018


I'm forwarding this notice (with specific hash values specific to me
elided) to make a couple of points.  One is that the data security
breaches tracked by sites like haveibeenpwned.com are _serious_ as a
general matter, and you-plural should take careful note and be very
serious about data security.  See
https://haveibeenpwned.com/PwnedWebsites for the list of breaches _that_
site tracks, including (without limitation) the June 2018 breach of
marketing firm Exactis.

I believe I registered myself at haveibeenpwned.com immediately
following the horrific credit card data breach at Experian.  At that
time, I found that 'data breach' information revealed about me there
(and everywhere else I could find) was harmless.  But that was worth
checking.

The other point I want to make is that _even_ sites like
Troy Hunt's site haveibeenpwned.com, that appears to be very
well-intentioned, tend to err on the side of sensationalistic
exaggeration (an outcome difficult to avoid with massive automation).
E.g., this notice from them, like the data I got from them after the
Experian breach, revealed that the 'personal data' revealed about me in
it consisted of my name and e-mail address embodied in the headers of
six postings to the public Irish Linux User Group mailing list.

Like, wow.  What a calamity.  The bad guys know my name and e-mail
address.  Call Interpol.  This is what's labeled my being 'one of
131,577,763 people pwned in the Exactis data breach'.

So, take the problem seriously, but don't take notices literally without 
investigation.  (To be fair, quite a number of people _do_ think it's 
a serious data breach if their names and e-mail addresses appear
anywhere on the Internet outside of their AOL^w Facebook walled gardens.
I think they're delusional, but that's indeed the way many people
think.)

Discussion (likewise well-intended, but likewise hand-waving
sensationalism, mostly):
https://www.reddit.com/r/techsupport/comments/8269jc/i_just_discovered_haveibeenpwnedcom_what_do_i_do/
https://www.reddit.com/r/techsupport/comments/42125t/is_haveibeenpwned_a_legit_page/



----- Forwarded message from Have I Been Pwned <noreply at haveibeenpwned.com> -----

Date: Wed, 25 Jul 2018 21:24:56 +0000 (UTC)
From: Have I Been Pwned <noreply at haveibeenpwned.com>
To: rick at linuxmafia.com
Subject: You're one of 131,577,763 people pwned in the Exactis data breach

You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened.

You're one of 131,577,763 people who've had an account compromised in the Exactis hack of Jun 2018, the details of which you can read about here: https://haveibeenpwned.com/PwnedWebsites#Exactis

The data disclosed in the breach includes: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages

Monitoring Have I Been Pwned for data breaches is a great start, now try these next 2 steps to protect all your accounts:

Step 1: Protect yourself with strong, unique passwords for each website with the 1Password password manager: https://1password.com/
Step 2: Enable 2 factor authentication and store the codes inside your 1Password account

You can also run a search for breaches of your email address again at any time to get a complete list of sites where your account has been compromised: https://haveibeenpwned.com/Verify/[RM removed hash value]

Why are you only hearing about this now? Whilst the breach occurred in June, sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly. Have I Been Pwned will always attempt to alert you ASAP, it's just a question of how readily available the data is.

Please note that it is not possible to retrieve the passwords themselves from HIBP: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/

If you don't want to receive any future breach notifications, just click here to unsubscribe: https://haveibeenpwned.com/Unsubscribe/[RM removed hash value]


----- End forwarded message -----
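Added example, not part of Rick's post and not code from Have I Been Pwned. It illustrates two things the notice above leaves implicit: the data classes a breach lists (L60 of the notice) are the union over the whole dump, so a twenty-class notice can amount to "name and e-mail address" for one recipient, and HIBP does not hand out passwords but does let you check one through the Pwned Passwords range API by sending only the first five hex characters of its SHA-1. The field names follow HIBP's public breach model (Name, DataClasses, IsSpamList, ...); the Exactis record and the range-API response body are constructed for the example, and the grouping of data classes into credential / financial / contact tiers is this example's own judgement, not an HIBP taxonomy.

```python
"""Added example: triage an HIBP breach record and check a password via
the Pwned Passwords k-anonymity range API.  Not HIBP's code.

Assumptions (not from the post): breach records use HIBP's public field
names; EXACTIS_SAMPLE is constructed from the classes in the notice, not
fetched live; the class tiers below are this example's own judgement.
"""
import hashlib
import urllib.request

# Data classes grouped by what the recipient has to do about them.
CREDENTIAL_CLASSES = {
    "Passwords", "Password hints", "Security questions and answers",
    "Auth tokens",
}
FINANCIAL_CLASSES = {
    "Credit cards", "Bank account numbers", "Social security numbers",
    "Credit status information", "Financial investments", "Net worths",
    "Income levels",
}
# Everything else (Names, Email addresses, Phone numbers, ...) is treated
# as contact/profile data: phishing fodder, but nothing to rotate.

# Constructed sample in the shape of an HIBP breach record.  DataClasses and
# PwnCount come from the forwarded notice; the other fields are placeholders.
EXACTIS_SAMPLE = {
    "Name": "Exactis",
    "BreachDate": "2018-06-01",
    "PwnCount": 131577763,
    "DataClasses": [
        "Credit status information", "Dates of birth", "Education levels",
        "Email addresses", "Ethnicities", "Family structure",
        "Financial investments", "Genders", "Home ownership statuses",
        "Income levels", "IP addresses", "Marital statuses", "Names",
        "Net worths", "Occupations", "Personal interests", "Phone numbers",
        "Physical addresses", "Religions", "Spoken languages",
    ],
    "IsVerified": True,
    "IsSensitive": False,
    "IsSpamList": False,
}


def triage_breach(breach):
    """Return (severity, actions) for one breach record.

    DataClasses is breach-wide, not per person, so the result is an upper
    bound on what to check, not proof of what leaked about the recipient.
    """
    classes = set(breach.get("DataClasses", []))
    actions = []
    if classes & CREDENTIAL_CLASSES:
        severity = "credentials"
        actions.append("rotate the %s password and every reuse of it" % breach["Name"])
        actions.append("revoke sessions/tokens and enable 2FA")
    elif classes & FINANCIAL_CLASSES:
        severity = "financial-identity"
        actions.append("watch credit reports and statements; no password is implicated")
    else:
        severity = "contact-profile"
        actions.append("expect targeted phishing at this address; nothing to rotate")
    if breach.get("IsSpamList"):
        actions.append("source is a marketing/spam list, not a compromised account")
    return severity, actions


# --- Pwned Passwords k-anonymity check ----------------------------------
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range-API body (SUFFIX:COUNT per line).  The second suffix is
# the real SHA-1 tail of "password"; the counts are made up for the example.
SAMPLE_RANGE_BODY = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_sha1(password):
    """Upper-case SHA-1 hex of password as (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response; return the count for suffix, 0 if absent."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count_live(password):
    """Query the real range API; only the 5-char prefix leaves the machine."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-triage-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return count_in_range(suffix, resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(triage_breach(EXACTIS_SAMPLE))
    prefix, suffix = split_sha1("password")
    print(prefix, count_in_range(suffix, SAMPLE_RANGE_BODY))
```

Run as-is it stays offline; pwned_count_live() is the only function that talks to the network. Note that triage_breach() rates the constructed Exactis record "financial-identity" because the breach-wide list contains credit and net-worth classes, which is precisely the gap Rick describes: the same record, for him, held a name and an e-mail address and nothing more.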
