When I logged in today I got a warning from Safari that the username and password I use here has appeared in a data leak. The combination is unique to Singletrackworld and I was wondering when the leak happened and why you didn’t notify users?
Oh no. Just looked on Have I Been Pwned. No mention of STW. No the online checker.
Where did Safari get its knowledge?
STW should have the ability to delete one's account completely. Or at least the user and leave content created.
I've sent an email to tech@ with a link to the thread as I had another question for them anyway.
Nothing from Chrome.
When I logged in today I got a warning from Safari that the username and password I use here has appeared in a data leak. The combination is unique to Singletrackworld and I was wondering when the leak happened and why you didn’t notify users?
Have you checked haveibeenpwned - https://haveibeenpwned.com/
It's normally done off email addresses, so could it be as simple as your email address having been in a breach.
I use unique emails for every site I have a login to and mine isn't in HIBP.
How long have you been a user? Didn't the site get hacked years ago and most of the posts get deleted? I'm talking 10 years or something, so that could be why.
Oh and obviously, change your password just in case.
Also store all your passwords in a decent password manager.
As far as I can tell, we've had no data breach here.
Obviously we'll be watching closely. We do have considerable protections and alerts in place.
Just looked it up, Safari is warning you that your password has been leaked in a breach.
Doesn't mean STW has had a data leak if you recycle passwords.
'Safari periodically checks cryptographic hashes (derivations) of your saved iCloud Keychain passwords against a constantly updated list of known leaked credentials from data breaches—without sending your actual passwords to Apple or anywhere else.'
I use unique emails for every site I have a login to and mine isn't in HIBP.
That's quite appealing - is there an easy way to do that?
if you use Apple iCloud+ then yes - been a built in feature for years. No idea otherwise 🤣
I've had no warnings about STW so maybe OP's user/pass combo isn't as unique as they think 🤷‍♂️
I use unique emails for every site I have a login to and mine isn't in HIBP.
That's quite appealing - is there an easy way to do that?
I seem to remember that Firefox has some sort of "relay emails" which I think are disposable email addresses that can be forwarded to your correct email. I don't use it but it's promoted by Firefox for similar reasons inky_squid uses...
Years ago I had a pay as you go account with an ISP called NDO, they provided what I seem to remember was your own domain where you could put anything you liked before the @ in an email address so you could have as many unique addresses as you liked but they all came through to the same inbox.
Microsoft hotmail allows the setting up of a limited amount of aliases (at least they used to).
You can do the same with Proton email, who I am already in the process of replacing gmail with, that all stays within the proton email environment. It is a paid for email service which not everyone might be keen on, but I have decided I would rather pay a small amount for email than my data be the product.
duckduckgo browser also has the ability to create unique email addresses for individual use, they just forward them to your normal email, might work with the duckduckgo addon for other browsers as well, but I haven't tried that. But while it is a forwarder it also strips out trackers from emails, which is probably a good thing, but does indicate they must process the email in some way.
All my main stuff, banking etc I still use my proper email address, for accounts with shops etc I use unique proton addresses, and for everything else where a financial transaction isn't going to be involved I use a duckduckgo address.
If you have a Gmail account you can create infinite aliases by putting a plus symbol at the end of your username and a word after it. So if your email address is pwned@gmail.com, if you create an STW account with an email called owned+STW@gmail.com, you will still get the emails from STW in your pwned@gmail.com inbox.
Tru tru but bware: you can break some sites like this, eg I created a site account somewhere but then could never log in as the login box had a rule against "+". Annoying
I use unique emails for every site I have a login to and mine isn't in HIBP.
That's quite appealing - is there an easy way to do that?
Kinda. I used to run my own email server which means I set up lots of aliases. There's also this system called plus addressing, which means you can have the email bob@bob.com and then add anything between a + after bob and before @bob.com, eg bob+stw@bob.com bob+anythingyouwant@bob.com etc etc.
So the best (and fairly easy tbh) way to do it would be to buy a domain, just a cheap one. Then use someone like FastMail to run your email. It's fairly cheap and you get decent features. Including as many aliases as you want and they also do the plus addressing.
The Google plus addressing is great, you can also do it by adding a full stop anywhere in the first part of the address, as GMail just strips it out.
For some reason though, it always makes me giggle, as it puts me in mind of this 
Thanks for the replies. I had forgotten about the plus but figured that for anything that mattered the sketchy folk would know just to strip it off. I was hoping there was an easy solution to generating the kind of email addresses companies get if you log in with apple ID and say not to share your real email.
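An added example, not part of any post in this thread: it shows why plus and dot variants help you spot which site leaked an address but do not hide the underlying mailbox, while a random forwarding alias does. The provider rules (a plus tag stripped on every domain, dots ignored only on gmail.com, case-insensitive local parts) and all sample addresses are assumptions constructed for illustration.

```python
# Added illustration. The normalisation rules are assumptions for this example:
# real providers differ in whether they support plus tags or ignore dots.
DOT_INSENSITIVE = {"gmail.com"}  # per the thread, Gmail strips dots from the local part


def canonical_mailbox(address: str) -> str:
    """Reduce an address to the mailbox it is assumed to deliver to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    local = local.split("+", 1)[0]          # drop any "+tag" suffix
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")      # dots carry no meaning on these domains
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Group per-site addresses by the mailbox they collapse to."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return groups


# Constructed sample: addresses one person might register on different sites.
SAMPLE = [
    "bob+stw@bob.com",
    "bob+anythingyouwant@bob.com",
    "pwned+STW@gmail.com",
    "p.wned@gmail.com",
    "stw.7f3k2@alias.example",   # random forwarding alias (hypothetical service)
]

if __name__ == "__main__":
    for mailbox, aliases in group_by_mailbox(SAMPLE).items():
        print(f"{mailbox}: {aliases}")
```

The plus and dot variants collapse to two mailboxes, while the random alias stays on its own, which is the property the relay-style services mentioned in the thread provide.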
Ah, ratbags. Thanks for the correction.
I meant to add "please look this up before using it" as I was working from memory and assuming it still works at all even.
Yeah it does still work 🙂 (assuming the site allows + in the address, as mentioned earlier in the thread)
FWIW I use a unique PW for this site and have not been notified of a breach (I'm signed up to a bunch of 'haveibeenpwned' type thingies). BitWarden is also not reporting that the pw is compromised.
FWIW myself,
I have no reason to believe that STW has been compromised.
I have every reason not to reuse my password from here on anything else and would urge others to do likewise (not least because it's best practice generally).
not even on Mumsnet?
I use a unique email for STW - nothing comes up for that email on Have I Been Pwned.