
I recently was emailed from HaveIBeenPwned.com (which I am signed up on) about the ShareThis website/tool (not signed up on).

I have no memory of signing up for that service.

When I go to recover the account (I might as well close/change password), I get this:

[Screenshot: the ShareThis reset password page, with an error message that reads "No user with that Address. Need to Register?"]

The two facts seem mutually exclusive:

Either I had an account and it was pwned, or I didn't have an account (and thus HIBP is in error)?

How do I find out the true situation, and what is the most secure course of action?

SomeGuy
AncientSwordRage
  • The dumps might also contain contact/invite database entries, so if somebody has uploaded an address book or you did "send this to a friend" it all could be possible reasons. Does it say the dump contains a password? – eckes Mar 04 '19 at 20:01
  • Just adding that I had the same issue with the "ShareThis" hack. That list might have that behavior. – Ole Albers Mar 05 '19 at 09:09
  • Someone could have acted on the breach and already taken control of your account and changed the associated email address? – TylerH Mar 05 '19 at 17:40
  • @TylerH possibly, but my only concern would be them reusing my password on another site (unlikely as I don't reuse passwords) or impersonating me, which they can't do if they changed the email address, right? – AncientSwordRage Mar 05 '19 at 17:45
  • @Pureferret depends on the kind of information aside from your email address that was included in that site's profile/settings. If you're not familiar with the site and can't even login using the email address reported, you're *probably* safe. This was just an extremely edge case that popped into my head. – TylerH Mar 05 '19 at 17:49
  • @TylerH my only concern is if it was also associated to my Google account and gained access to other personal data. – AncientSwordRage Mar 05 '19 at 17:53

5 Answers


From the FAQ:

Why do I see my email address as breached on a service I never signed up to?

When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up. For a more comprehensive overview, see Why am I in a data breach for a site I never signed up to?

It's likely some services allow signing up without confirming an email address, or that accounts that haven't confirmed email addresses are still stored indefinitely but cannot be logged in to, or any number of similar issues.

AndrolGenhald
  • One other possibility is that, more simply, the database where your address was found was a mix of multiple data leaks, with the majority of the data belonging to ShareThis. – DrakaSAN Mar 04 '19 at 17:07
  • @Pureferret The good part is that if you were included because (for instance) someone else mistakenly used your email address, then you don't have to worry about more sensitive information like passwords being leaked as well. – bta Mar 04 '19 at 18:28
  • @Pureferret This happens to me all the time. For some reason, some people keep registering accounts to various places with my primary email address. Sometimes I "forgot password" and lock them out, delete the accounts that way, or find contact information and tell them directly to stop using my email (within legal limits); usually I have to contact customer support for the service and demand that they disconnect my email from that account. There really needs to be some sort of public shaming for companies that do anything other than (re)send a verification email to an unverified email. – mtraceur Mar 05 '19 at 00:01
  • @mtraceur From what I have seen the lack of verification is not even the result of low-skill developers; it's an intentional business choice to reduce friction for signing up to a service. – Qwertie Mar 05 '19 at 00:35
  • @mtraceur so your mates use your email address to give them a logon, and all the spam goes to you, charming... – mckenzm Mar 05 '19 at 01:35
  • @Qwertie I agree, and it is because of people like me that invoice (or sue) for unsolicited "verification" email that this is dying off. – mckenzm Mar 05 '19 at 01:35
  • @mckenzm Teach me your ways so that I can invoice or sue for unsolicited non-verification email too. We'll pincer maneuver them into no email, but that's probably for the best. – mtraceur Mar 05 '19 at 02:06
  • @DrakaSAN Are you suggesting that the bad guys don't keep track of data sources and clearly mark datasets for compliance reasons, as everyone else surely does? :) – I'm with Monica Mar 05 '19 at 09:07
  • I would also point out syntax errors. I tend to get emails on my name.surname@gmail.com address which were supposed to be sent to namesurname@gmail.com. – user33040 Mar 05 '19 at 10:01
  • @user33040: Well, those addresses are identical to GMail. As are na.me.sur.name@gmail.com, n.a.m.e.s.u.r.n.a.m.e@gmail.com, etc. – Dubu Mar 05 '19 at 10:14
  • @Qwertie OAuth has a lot going for it. It's low friction, you can't use other people's accounts and you are not storing a password each time you sign up to a new website. – Robin Salih Mar 05 '19 at 15:17
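To make the mechanism this answer describes concrete, here is a defensive sketch of a signup flow with mandatory e-mail verification, added for illustration and not code from HIBP, ShareThis or anyone on this thread; the class, the one-day TTL and the sample addresses are all assumed. A never-confirmed signup sits in the table (and therefore in any dump of it) until it is purged, while password reset only recognises verified accounts, which is how an address can appear in a breach and still get "No user with that Address".

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

VERIFY_TTL_SECONDS = 24 * 60 * 60   # assumed policy: unconfirmed signups expire after a day

@dataclass
class Account:
    created: float
    verified: bool = False
    verify_token: Optional[str] = None   # only set while the signup is still pending

class UserStore:
    """Toy in-memory account table, constructed for this example (not any real service)."""
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so expiry is testable
        self.accounts: Dict[str, Account] = {}   # every key here is what a dump would expose

    def _expired(self, acct: Account) -> bool:
        return not acct.verified and self._now() - acct.created > VERIFY_TTL_SECONDS

    def signup(self, email: str) -> Optional[str]:
        """Store an unverified signup and return its token; None if already verified."""
        key = email.strip().lower()
        if key in self.accounts and self.accounts[key].verified:
            return None                      # never let a re-signup clobber a real account
        token = secrets.token_urlsafe(16)
        self.accounts[key] = Account(self._now(), verify_token=token)
        return token

    def verify(self, email: str, token: str) -> bool:
        """Promote a pending signup only while its token matches and is unexpired."""
        acct = self.accounts.get(email.strip().lower())
        if (acct is None or acct.verify_token is None or self._expired(acct)
                or not secrets.compare_digest(acct.verify_token.encode(), token.encode())):
            return False
        acct.verified, acct.verify_token = True, None
        return True

    def purge_expired(self) -> int:
        """Drop stale pending signups; skipping this leaves never-confirmed addresses on file."""
        before = len(self.accounts)
        self.accounts = {k: a for k, a in self.accounts.items() if not self._expired(a)}
        return before - len(self.accounts)

    def can_reset_password(self, email: str) -> bool:
        """Only verified accounts can reset: a pending or purged address gets 'No user'."""
        acct = self.accounts.get(email.strip().lower())
        return acct is not None and acct.verified
```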

Adding on to what AndrolGenhald said, they have deactivated all accounts associated with the breach, so there's a good chance it won't show up regardless:

ShareThis has already deactivated the ShareThis accounts potentially associated with this incident, so if you created an account prior to January 2017, you may no longer be able to log in.

https://www.sharethis.com/data-privacy-incident/

hairydresden
  • Well spotted... Seems like an unusual approach? – AncientSwordRage Mar 04 '19 at 17:32
  • @Pureferret Unfortunately, I wouldn't know. I just got the email for our domain from HaveIBeenPwned today and was doing my reading on it. – hairydresden Mar 04 '19 at 17:56
  • On top of which, ShareThis might have expired the account after a period of inactivity anyway, regardless of a hack. A few months ago I went through my passwords file to update some old insecure passwords on a bunch of unimportant sites and found that they had all expired my account for inactivity. – Paul Johnson Mar 05 '19 at 13:49

A bit late to this thread, but I just got an alert through my credit card about the ShareThis breach. I never signed up for ShareThis, but a quick search through my old emails found a couple of cases of people using the service to share an article with me. So I'm guessing that the database of email addresses of people on the receiving end of the service was also exposed, which would explain why there was no hashed password leak associated with my address.

user221959

While other contributors have responded with some great answers, I'll focus on the last part of your question:

How do I find out the true situation, and what is the most secure course of action?

Troy Hunt, a prominent security researcher, launched HIBP with the purpose of aggregating all leaked databases into a web app where users can search for their compromised email addresses.

What he started has come a long way, and now there are many other websites that not only offer email searching but allow anyone to download the complete leaked dataset for free.

I know the following three where you can download the complete dump files and get to the source of truth, instead of relying on HIBP alone, which doesn't offer much info due to privacy laws and stuff:

https://databases.today/search.php

https://www.vigilante.pw/

https://nuclearleaks.com/


As much as all of the theories are tangible, the biggest possibility is that the creator of the website is having a data issue: website X is meant to have ID X but has ID Y, and thus is displaying data from ID Y. Why would anybody be signing up for services they won't be able to use with an email they cannot use either? They could just use random strings if it was a brute force attack.

Thus you've been 'pwned', just not on the website it is incorrectly displaying.

I think this is the most probable cause.

  • I... I don't follow any of what you've said. Which website, why would it have Y and not X... how would the wrong info get to HIBP? – AncientSwordRage Mar 06 '19 at 13:34
  • You're telling me it's more logical for somebody to be putting in somebody's email for no reason, than for the person who coded the website to have made a real simple mistake? - X is a representative of anything, like N would be in maths. And if you're asking what website I'm talking about, the one the question is.. 'haveibeenpwned'. I've just realised you've not read the question originally, which is why you're confused at my answer, to the question you've not read. – Jack Williams Mar 06 '19 at 13:36
  • Jack, I wrote the question. I don't know if you're saying the mistake is on HIBP, or the compromised website? Is ID an email address or like a database row ID? – AncientSwordRage Mar 06 '19 at 13:43
  • Apologies - actually didn't notice that. Referring to 'haveibeenpwned' putting the wrong IDs onto pieces of data, so when the ID is called (database row ID for example) it displays the wrong data. – Jack Williams Mar 06 '19 at 14:19
  • I doubt that it's just a mistake on HIBP's end. – ave Mar 06 '19 at 20:05
  • *You're telling me it's more logical for somebody to be putting in somebodies email for no reason* — As mtraceur observed in a comment on another answer, this happens all the time. Usually the "somebody" honestly thinks they have put in their own email address, despite all evidence to the contrary. https://www.xkcd.com/1279/ – zwol Mar 07 '19 at 15:55
  • @JackWilliams - *putting in somebodies email for no reason* - that happens to me quite frequently. I have a firstinitial-lastname@gmail.com address and I get a *lot* of errant website signups where someone with a similar name to me entered my email address instead of their own. I also get tax forms, mortgage applications, etc., and once, some naked photos clearly meant for someone else (he was embarrassed when I told him he sent to the wrong address). People really need to be more careful about using the correct email address. – Johnny Mar 07 '19 at 19:34
  • It seems we're leaning towards the answer that OP has an overly generic name, and has used an overly generic name in their email address. I still think that's just as likely as the developers making a mistake, however. – Jack Williams Mar 08 '19 at 10:54