What do these credit security alerts mean?

Question

A bank where I have an auto loan has a credit reporting feature. The feature shows that I have several "Dark Web Alerts" for "Compromised Email Address". The alerts list the breached sites, for example schmevite.com and schmafepress.com (and others). This doesn't make sense. How was my email address breached at a website for party invitations and blogging?

I haven't used either of those site in a long time. I assume my username is my email address. However, my email account not been breached (right?). The recommended action is to change my email password, but my email has not been breached, so why would I do that? Am I expected to change my email password every time some remote site that I've barely used is breached? Shouldn't it be telling me to change my schmevite and schmafepress passwords?

NOTE: I have a different, and reasonably complex password for each site. The point being if someone has breached my scmevite or schmafepress password, which uses my email as the userid, why do I need to change my email password?

But then I have another of the Dark Web Alerts which says "Compromised Email Address", but does not list a compromised website. Instead it says "Password: Exposed". Now I'm really concerned. If someone gets into my email account, they can find all of my other passwords (including to financial sites) by requesting password changes.

But that alert was exposed on 4/18/20 and I haven't lost my money yet. Should I be concerned about this? What do I do? (P.S. "Should I be concerned about this" is rhetorical -- I am!).

Thanks for helping me understand.

Answer 1

Your email account is likely not compromised, especially if you use unique passwords for all of your accounts and use a major email provider.

For the alerts that name sites, this is likely just reporting that your credentials were part of a data breach related to that site. You should treat your password on the named site as public knowledge and change it, both there and anywhere else you've used the same or a similar password. Just because a set of credentials was stolen from schmevite.com that does not mean that attackers won't try to use those same credentials elsewhere, since many people re-use the same or similar password for multiple accounts. If you use unique passwords for every account then you have no need to worry about this attack vector, and only need to change your password on the breached site.

For the alerts that don't name a particular site it's likely that your username/email address and a password were found by researchers as part of some unattributed database of accounts. It's not uncommon for password lists to be sold with no indication of where they came from. Often they're collections, combined from multiple breaches such that it's very difficult to determine where exactly the leak came from. If your username is found in one of these collections it's a good idea to change any passwords that are older than when the collection was discovered. There are tools such as Have I Been Pwned's password checker that you can use to determine if a specific password has been found (at least, in any of the databases that particular tool knows about), but if you're using a password manager with unique, randomly-generated passwords it's likely faster and easier to just change them all.