On 3/22/2019 9:06 PM, Viktor Dukhovni wrote: > Sure they may also be scraping email addresses from breaches, but > that's one source. These scams are not a specific indication that > one's passwords are at risk. That's true or false with or without > receipt of these scams.
Have you checked on haveibeenpwned for the email addresses and domains in question? I do not disagree that the scammers are likely throwing everything they can into their engine to send out the scams whether that's just a scraped email or more compromised PII. So if you see one that has a password and it's legit, don't jump to OMG, I've been hacked by this guy. Look at haveibeenpwned and similar sources to see, was I pwned through someone else's compromise and do I need a better unique password regiment? In general, for lay people, I tell them to use unique passphrases and they don't stress when they see this BS as much. Regards, KAM
