What's the basis for recommending resetting my email password when an unknown account password is compromised?



  • One of the banks that provides identity theft monitoring to accountholders notified me that my email address was included in a recent data breach, along with a password, but without any indication of where this email and password were used. I asked if they could provide the (already compromised) password so I could find the affected account in my password manager; they said they didn't actually have the password included in the breach (huh?), and recommended I change the password on my email account. I don't see how changing the password on my email account will counter the compromise of an unknown account.

    What's the basis for recommending resetting my email password when an unknown account password is compromised?


    This is the entirety of the information in their alert:

    breach report

    Their response to my subsequent inquiry looked like a form letter and didn't answer my question, and included this recommendation:

    If you have any affiliation with the website listed in the alert details as the source of the data breach, you should change your account password for that website, and also any of your other passwords that are the same as that password.

    If you do not recognize the website listed in the alert details as the source of the breach, then you should change the password for your email account, and also any of your other passwords that are the same as that password.

    Which is unhelpful because there is no website listed in the details. When I asked why they recommend changing the password for my email account they did not respond.



  • This is the most salient part:

    you should change your account password for that website, and also any of your other passwords that are the same as that password.

    Many people are not security savvy. Some people reuse the same password across multiple accounts, like both their email and bank accounts. This is what enables credential stuffing attacks to succeed. This is not saying that you are security naive. If the bank is sending this to everyone affected, then they're reasoning that this situation applies to some number of the people involved. Remember that the credential dump included the email address associated with the password. The second attack to attempt would be checking that password against that email account.

    I have to send out these notifications from time to time. I prefer adding some additional suggested steps:

    1. Change your password for the affected service.
    2. Choose a strong password (password strength advice goes here).
    3. Do not use the same password across multiple services.
    4. Use a password manager (suggestions go here).
    5. Do not use your corporate email address for personal business.

    Suggestions 2 and 3 go towards defeating credential stuffing. Suggestion 4 is meant to make suggestions 2 and 3 less painful.
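The reuse check the answer is driving at, as an added example that is not part of the original post: it audits a constructed password-manager CSV export (the entry names, URLs and passwords are made up) and reports which entries share a password, and in particular which ones share the email account's password, because a leak from any of those hands out the email address together with the password that opens the mailbox.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (hypothetical accounts).
VAULT_CSV = """name,url,username,password
Personal mail,https://mail.example,alice@example.com,Tr0ub4dor&3
Bank,https://bank.example,alice@example.com,correct horse battery staple
Forum,https://forum.example,alice@example.com,Tr0ub4dor&3
Shop,https://shop.example,alice@example.com,Tr0ub4dor&3
Streaming,https://tv.example,alice@example.com,purple-monkey-dishwasher
"""


def load_vault(text):
    """Parse the export into a list of dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_groups(entries):
    """Map every password used more than once to the entry names sharing it."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def exposed_via_email(entries, email_entry_name):
    """Entries whose password equals the email account's password.

    A breach of any of these leaks (email address, password), which is exactly
    the pair an attacker would try against the mailbox next.
    """
    email_pw = next(e["password"] for e in entries if e["name"] == email_entry_name)
    return sorted(e["name"] for e in entries
                  if e["password"] == email_pw and e["name"] != email_entry_name)


if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    # Report counts and names only; never echo the passwords themselves.
    for names in reuse_groups(vault).values():
        print(f"one password is shared by {len(names)} entries: {', '.join(names)}")
    print("entries sharing the email password:", exposed_via_email(vault, "Personal mail"))
```

Any entry listed in the last line is an account whose breach would also compromise the mailbox, which is why the generic advice to rotate the email password is not as arbitrary as it first looks.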

