TOT Google email re BT mail

I received this from Google today:

Someone knows your password
*********@btinternet.com
Google has become aware that someone else knows your password, and we've taken steps to protect your account. Please sign back in to your account now and choose a new password to secure your account.
Learn more
You can also see security activity

formatting link

I have logged into the BT account using Webmail and it all looks fine, which is what BT recommend.

I have cut and pasted the notifications link and this says I have no issues.

Should I just delete it and forget it?

Jonathan

Jonathan

Probably a scam.

Jack Harry Teesdale

It is probably wise to change your password from time to time anyway - just do it through the main admin site and not by following any links inside the email. It could well be a genuine warning - especially if your password is relatively short or a dictionary word.

Might be worth feeding your email address into a legit tester eg.

formatting link

"Onliner spambot" seems to have harvested a lot of email addresses including some of my old msgids from way back when. But is probably harmless.

Some others with DOB and addresses are less so.

Have I been pwned is completely unaware of the most serious data breach that I was a victim of - Experian's MFU a couple of years ago.

Martin Brown

It seems to be suggesting that the leaked password is for the Google account linked to *********@btinternet.com, not the BT webmail account. So it's your Google Account password you should be changing.

Mike

Mike Humphrey

Interesting.

Using that, snipped-for-privacy@davenoise.co.uk has been 'pwned'. That is a legitimate address I use as a spam trap. But never ever for anything else, and only on newsgroups.

Dave Plowman (News

If it is an address that goes to a real mailbox, someone knows the password to that mailbox?

Adrian Caspersz

Since I don't even know it, the supplier of the pop box? 123-reg, if I remember correctly.

If I had the password at one time, it would only have been on this RISC OS machine. Rather unusual to have that hacked into.

Dave Plowman (News

Firstly, is it a genuine email? Look at the headers. If it is, then change all your passwords anyway. Indeed sighted folk should really use a password manager so even they don't need to know anything other than their password manager's password and its two-factor authorisation. Bit harder for the blind as not all password managers are accessible on all platforms.

Brian

Brian Gaff (Sofa

Was that the Yahoo one or the Facebook one?

Brian

Brian Gaff (Sofa

All this password stuff amuses me! :-)

I run a mail server on my home desktop machine and mail gets delivered straight to my inbox, no passwords required anywhere. It's the same mechanism that's used for *everyone's* E-Mail so mine is no less secure.

E-Mail isn't secure, end of story, treat it like a postcard that anyone can see as it travels. If it occasionally happens to get dropped into a (fairly) secure letterbox then that's a bonus.

Using it as a way to recover/change lost passwords always strikes me as very insecure.

Chris Green

I'm a massive fan of 2FA wherever it can be used. Probably not 100% secure (what is ?) but it raises the bar for casual hackers.

For real security, I'd have expected someone to have introduced nFA - where n>2 and can be distributed amongst staff such that you'd need a quorum to effect change.

Maybe there is such a provider around, only (ironically) keeping it secret ?

A cursory Google suggests Citrix and Netscaler offer "n-factor" but I have a sneaking suspicion that *isn't* what I was thinking of.

In a thread split point, one possibility of blockchain applications is to implement a (n from x)FA type authorisation for a smart contract, if needed.

Jethro_uk

Not only those but also bank details. I know of an email with bank details for payment that was intercepted and the recipient's details changed. £45K was involved. Luckily the donor's bank smelled a rat.

charles

But it doesn't help! The E-Mail travels, by default, in clear across multiple servers on the internet before it gets to your (secure) mailbox.

As I said, like a post card, it does maybe finally end up somewhere secure but anyone can look at it on the way.

If you *encrypt* all your E-mail then they will be reasonably secure.

Chris Green

Have you created a Google account using that email address (you can create a Google account linked to any real email address - you don't have to have it attached to a Gmail address)?

If you have a Google account attached to that address (say if you created one to partner an Android phone), then that is the account you need to change the password on, not that of the actual BT mailbox.

No harm in changing the password anyway - just don't follow links in the email to do it.

You can check the header of the email as well to see if it's legit. Google use pretty good authentication of emails coming from their servers including cryptographic signing (DKIM) as well as an SPF record.

John Rumm
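
Added example, not part of any post in this thread: one way to do the header check suggested above is to read the Authentication-Results header stamped by your own receiving server and require that the DKIM/SPF domain that passed actually matches the From domain. The server name `mx.example.net`, both messages and the simplified alignment rule are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed messages; "mx.example.net" stands in for your own receiving server.
GENUINE = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=accounts.google.com;\n"
    " spf=pass smtp.mailfrom=accounts.google.com\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "Subject: Security alert\n\nbody\n"
)
SPOOFED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=mailer.example; spf=pass smtp.mailfrom=mailer.example\n"
    "Authentication-Results: mx.sender.example; dkim=pass header.d=google.com\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "Subject: Security alert\n\nbody\n"
)

# Where each method records the domain it authenticated.
PROP = {"dkim": r"header\.d=([\w.-]+)",
        "spf": r"smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)"}

def aligned(from_domain, auth_domain):
    # Simplified alignment (assumption): the authenticated domain must equal
    # the From domain or be a parent of it.
    return from_domain == auth_domain or from_domain.endswith("." + auth_domain)

def check_auth(raw, trusted_authserv):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    verdict = {"dkim": False, "spf": False}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(str(header).split()).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not stamped by our own server, so the sender could have forged it
        for clause in rest.split(";"):
            m = re.match(r"\s*(dkim|spf)=pass\b", clause)
            if not m:
                continue
            dom = re.search(PROP[m.group(1)], clause)
            # A "pass" for some unrelated domain says nothing about the From line.
            if dom and aligned(from_domain, dom.group(1).lower()):
                verdict[m.group(1)] = True
    return verdict
```

The constructed spoof passes DKIM and SPF for the sender's own domain and carries a forged extra header, yet both verdicts stay False because nothing aligned with the From domain was vouched for by the trusted server.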

The link you apparently see in an email (or indeed, on a website) does not tell you where you go when you click it. Where you actually are sent to is hidden from you.

Tim Streater

On your system the mailbox itself is presumably protected from access by the world outside - i.e. it's inside your network.

For most users accessing email hosted on systems outside of their control using protocols like POP3/IMAP/Exchange etc, those servers are accessible by anyone. So they depend far more heavily on password security as a guardian.

In some respects it's less so than it once was since it will typically be TLS protected for delivery to the SMTP server at an ISP, and thence the mail will be routed direct to the receiving server indicated in the domain's MX records - again via TLS connections - so little of the traditional unencrypted store and forward via multiple SMTP hops happens today.

But yup, access to someone's mail account brings significant potential for harm that many never give much thought to.

John Rumm

It's basically telling you that the address shows up in databases along with compromised credentials that are now in the public domain. So if you have ever used it on a site that was later compromised, or even if it just ended up in a database that was scraped from somewhere and ended up in a public "paste" it could show on HIBP.

You can also check if one of your passwords has shown up in a compromise:

formatting link

John Rumm
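
Added example, not part of any post in this thread: a breached-password lookup does not have to send the password anywhere. The link in the post above is not preserved; this sketch assumes a range-query service of the kind Have I Been Pwned's Pwned Passwords API offers, where only the first five hex characters of the SHA-1 hash are sent and the match is done locally. The reply body and counts below are constructed.

```python
import hashlib

# Constructed stand-in for breach data: password -> times seen (not real counts).
LEAKED = {"password": 1234, "letmein": 56}

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def range_query(password):
    """Return (prefix sent to the service, suffix that never leaves the machine)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Search the service's 'SUFFIX:COUNT' lines locally for our own suffix."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_response(leaked):
    """Build a reply in the SUFFIX:COUNT format. A real reply holds every
    suffix sharing the requested prefix; these lines are constructed."""
    return "\r\n".join(f"{sha1_hex(p)[5:]}:{n}" for p, n in leaked.items())

def check(password, leaked=LEAKED):
    prefix, suffix = range_query(password)
    # A real client would fetch https://api.pwnedpasswords.com/range/<prefix>
    # at this point; the prefix is the only thing transmitted.
    body = constructed_response(leaked)
    return prefix, breach_count(suffix, body)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        sent, seen = check(pw)
        print(f"sent prefix {sent}, seen {seen} times")
```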

Although most mail readers will show you the actual target if you hover over the link.

John Rumm

No thanks. I'd rather not give details of passwords to a random site. ;-)

Dave Plowman (News

Yes, that's why I said the bit about "... dropped into a (fairly) secure letterbox".

Yes, but it isn't that secure on the way there.

Is it really all TLS secured? There's no guarantee that it is and you really don't know how it gets routed from sender to you, or more to the point, from sender to your (fairly) secure mailbox.

Chris Green
