Warning from Experian

We have found your personal details online . Apparently my email address and password have been sold online recently. The particular password found (now changed) indicated that the compromised sites are either www.iconbar.com or nforum.ncatlab.org . I logged into iconbar but could not access the page to Let us know because it said that my browser was not giving away its identity (it is Chromium under Raspberry Pi OS), so I might be a spammer! I think on the whole that the nCat forum is likely to be more secure than iconbar. I post this here in the hope that somebody responsible for the iconbar site sees it.

I think some of these are likely false positives; for instance, I have reports that a couple of my emails had been leaked by gravatar.com, and I know that I only ever had one email there, which wasn’t either of the ones reported.

The particular password found (now changed) indicated

Did it provide a password AND an email address?

I get warnings every so often from Chrome on Android that my password has been found in a data breach; and it is usually the password of a less important site where I just picked a word and, you know, the chance of somebody else picking that particular word is non-zero.

Unfortunately Chrome doesn’t make a clear association that it was the password and the login name (and I know it doesn’t as one of the found passwords was a test on my own server that used the username “kittykittykitty” which I’ve never used online), thus indicating that these messages are more “we think your password isn’t great so we’re going to scare you into making a better one”.

How does Experian know it’s you, anyway? Do you only ever use the one email address? I have about eight addresses that I typically use, my main (domain) address is rarely given out, and I have around sixty spamdrop addresses made in Yahoo (like “heyrick<keyword>-<keyword>”) so if something gets passed on to a third party (like advertiser scum), I can identify who leaked.

Ironically, the only big bump I’ve had in unwanted spam came suspiciously right after using my email address to order a replacement passport. You know, given that some of Britain’s government portals are more than happy to toss information over to dodgy Chinese ad brokers… https://www.theregister.com/2024/04/24/ads_on_gov_uk_websites/ (WTF are there adverts on, what I presume, are publicly funded websites? Yet more evidence of the endless depths of Tory corruption?)

Did it provide a password AND an email address?

Only part of the password, one that I started using maybe thirty years ago.

Do you only ever use the one email address?

Up till recently, yes. I am a bit thick and a creature of habit. In the early days of the internet, security concerns only rarely arose, so be kind and put it down to habit. I think from now on I shall start to adopt multiple personae.

On another tack, I just succeeded in reinstalling Manjaro on my Pinebook Pro. After an upgrade a couple of weeks ago, sound and wifi ceased to function on it. This is fairly common to judge by the Manjaro bulletin boards, and Andrew Rawnsley even has a printed sheet of suggestions which he hands out to clients. However, in my case they did not work. But reflashing an image to the NVME board is incredibly quick, but fiddly. Thirteen screws, as small as fleas, must be removed and put back in the process. There are probably slicker ways of doing it which I have not learned yet.

I get warnings every so often from Chrome on Android that my password has been found in a data breach;

I do sometimes question these things. Sometimes the organisations concerned are heavily pushing their own agenda.

A number of years ago a company (script kiddies to be brutally honest) did a cyber audit and flagged my password as weak and easily revealed as part of a common word dictionary hack. Untrue, but they may have been annoyed,¹ but even so they were unprofessional in suggesting that I was the sole person with a weak password – which it was not.

It was a nonsense construct which included upper/lowercase and letter number substitutions as the system policy refused any that did not fit that pattern, they would not reveal the actual password to our cyber guy “for security reasons”, I did reveal it, “for anti-bullsh** reasons”², just before changing it.

¹ They had just got themselves settled at a live data point, ready to begin work, and I asked whether they needed anything. “No, run along” was the brusque reply.
30 minutes later I was asked by our cyber guy whether I was sure the data point was live, and I offered to show him the evidence that it was indeed live, but assured him I could see the MAC address of their units being connected and disconnected. I pointed out that I had offered assistance to them. I went to the kitchen later for coffee and repeated my helpful enquiry. The response was even more brusque, and I departed.