If you have unique passwords on each website, then you know how to mitigate the risk. This isn't a problem with Monitor. most users re-use passwords, and so knowing when one is breached is useful information.

rsredden said

I am so sick of Google, I decided to give Firefox a try again. For the first time, it offered me Monitor, which demonstrated I have suffered a data breach, apparently at multiple sites, and they have all gotten hold of the same one of my passwords. Even though I suspect Y'all are aware that the breach was not my doing, Firefox is set up to treat me like an idiot after the fact, going into detail about safe passwords and using password manager apps--the whole thing about not using one password for multiple sites and all that, which I've been aware of and responded to cautiously and reliably for about the last fifteen years, of about twenty that I've been online. The problem is that I am very internet savvy, so that info, as helpful as it is meant to be, is useless to me and a bit offensive. I have been using LastPass for about the last five years. I have nearly 300 unique passwords. It is useless to me to be told that some strangers have access to one of my nearly 300 passwords. What am I supposed to do with that information, change all my passwords? Why did they not provide me the password that was part of the breach, so I can hunt it down and change it? Right now, all it's done is set me up to worry, when in fact, the forces that absconded with my data, presumably as part of huge data breaches involving major companies, probably have no interest in me whatsoever! I think presenting things in this manner, as well meant as it may have been, is a bit irresponsible and condescending. Not everyone out here is an idiot, even if we may not be computer techs. Is there any way I can learn which of my many passwords was part of this breach? What else am I supposed to do with this info, when I already have unique passwords for all of my many accounts and I use a password manager? I mean no offense in presenting my frustration and understand you all are volunteers and not responsible for the problems as I have outlined them. I hope someone can help me sort this out.

I completely agree. And there seems to have been no reply from Mozilla that makes any sense. The notification of breaches is very worrying and then we are presented with no specific options. Like you say, change WHICH passwords?! C'mon Firefox, life your game here.

I completely agree. And there seems to have been no reply from Mozilla that makes any sense. The notification of breaches is very worrying and then we are presented with no specific options. Like you say, change WHICH passwords?! C'mon Firefox, life your game here.

You would change the password on the site that was breached. So if monitor told you that your account on xyz.com was breached, change that password and any other sites that use the same password.

As I tried to make clear to you, I have several hundred internet accounts, each with its own password. I want to ask, do you think it is easy to hunt down a correct password from several hundred when you are just given a handful of the characters, but the fact is I tried very carefully to do exactly that, and I could not find it. I went through account by account, looking for those exact characters and came up empty-handed, so I am left right where I was. I know it certainly has nothing to do with any of my major accounts with which I do regular business or money handling, and I am nearly convinced there is no such account with that password--for all I know, I had other reason to change that password after the breech, so I just feel like Firefox, well-meaning as I acknowledged them to be, set me up to worry for nothing, because they aim everything at the least responsible users of the internet. I wasted a whole lot of my personal time and effort looking for something I ultimately could not find, and I don't appreciate it. I have stopped using Firefox, yet again, and I am back on Chrome.

I should let you know that you come off sounding pretty stuck up about yourself, that you took it from what I said that I didn't even know to go looking for the password with intention of replacing it. I simply wanted to know, if you had access to the password, why you offered me only a fragment of it (most of my passwords are 14 characters long, so to be certain I didn't miss it is impossible, but I can't spend the rest of my life hunting down a handful of characters in long passwords on hundreds of sites; it's just silly!).

When you are communicating with a user who has made clear that they are not inept on the internet or their computer, you should think twice before speaking to them as if they were idiots. It doesn't make you look good, regardless of how many "solutions" or "answers" you have arrived at. Thank you.

Monitor doesn't tell you the password. It tells you th account that was breached. So even if you have hundreds of accounts, if monitor tells you that www.website.com was breached, you can go there and change your password.

And the other, bigger issue is that they did not tell me what site the account was on. I could not go to any specific account to readily find the specific password as you suggest. As I clearly informed you, they only gave me a handful of characters of the password. If they had indicated the website of the account, it obviously would have been very easy to take care of, and I could only presume that that was information they did not have access to, because they did not provide it. If they know the website involved and don't provide it, that is even worse, but as it is, your condescending recommendation that we look at our account on xyz.com is absolutely useless and seems to demonstrate, that at least on this issue, you don't have a clue what you're talking about. It was so far afield of the experience, that at first I didn't even notice the period and that you had given me a generic web address, which did not fit in the picture at all, and I thought it was supposed to represent what I actually got, which, again, was just a handful of characters from the password that was filched. Thank you.

Someone else has entered the discussion to inform me that they would have given me a website address. Both are mistaken. I do not have an account on any site that is named by five random characters and has no domain. I don't suspect anyone does (yes, I am being a wiseguy to put it that way). The note explained to me plainly that I was being provided with part of the password that had been accessed by the web criminals who took part in the breech. If I had been given a web address, I could have and would have readily control-clicked on it to find out what account it was online (as the characters provided did not suggest any website--once I found it useless, I had no reason to store it or remember it, but it was something like #akL0 and looked very much like a small chunk of one of my dear LastPass passwords), and that was plainly not an option. Anyway, I'm done with y'all. I like the idea of Firefox, but every time I try to give it a try, something turns me off, and you've done it again. Thank you.

Are you sure you are talking about Firefox monitor? Because the website is always part of the breach. Perhaps you can share a screenshot? Monitor doesn't have access to the leaked password, it only knows the email address and the service that was breached. Not the password. So it would never have sent you 5 characters from the leaked password to begin with.

@ rsredden and stephenlloydhelper :

Would you please go over these frequently asked questions :

https://support.mozilla.org/en-US/kb/firefox-monitor-faq

It was long enough ago now that I don't recall all the details, but the issue arose when I reinstalled Firefox and it opened to Monitor for the first time. I do not recall if I followed the information to find the partial password somewhere else. Because it was months ago, and I no longer recall the details, I just now went on Monitor and found two separate breaches, one of which was on a site (MySpace.com) I have never used but may have been used by my two now adult sons when they were children and used my computer. We have not lived together for seven years now and probably any use of MySpace by them would have been considerably longer ago than that, and when I went to the site, LastPass failed to demonstrate my having a password for it on the computer, and I do not find it on searching my LastPass vault. The other was a site that I find online was responsible for hundreds of millions of data breaches (verification.io), and I am certain I never had reason to have an account with such an organization. It is described as having been an "email marketing company," and I don't even know what that means, but I certainly never had reason to seek assistance from one. After what I read, I feared going to that site, but I opened LastPass and again found no evidence of any such account and no password for it. It leaves me in the same position of wondering what on earth I'm supposed to do with this information, how on earth I suffered a data breach by these two companies that have never been part of my computer activity (at least not intentionally), and how I can protect myself from data breaches by companies I have no reason to believe I ever used directly and have no evidence of ever having had an account with.

Ah, so you've run into a case of a website that scrapes e-mails being hacked.

You can read about that specific breach at https://monitor.firefox.com/breach-details/VerificationsIO

Basically, yes, not all websites that are hacked contained data you gave them. Some websites collect data, and then sell it to other parties. There isn't anything specific you can do about that breach, but you can make sure that any websites that use that e-mail address have new passwords.

As a footnote, Mozilla does not receive the details of data associated with your email address that may have been held by a website or data broker. Monitor can provide general information about the types of information that were discovered (or confessed to) in the leaked data, but that doesn't necessarily mean the site/broker had all that data for every address it held.

If you weren't a MySpace user, the company might captured your email address when extracting a "friend's" address book contents. But they might not know anything else -- why would they? -- and in that case there's no action required.

Unfortunately (?), Monitor can't know your specific relationship to the companies that suffer breaches, so you see the same thing a MySpace user sees.

Finally, an answer that makes sense to me. If a contact had my email address swiped from them, then it could make sense for my email address to be associated with sites I've had no direct contact with, through whatever else they extracted from the contacts device. I can understand, in that context, that as I wanted to presume, I have nothing to worry about and it makes perfect sense that I would not find either site among my accounts in what is known to be a very reliable password manager, when I went through account by account. Unfortunately, in terms of the entire discussion, I no longer have a clue what agency decided it made sense to give me a few characters from a password, and their having done that without giving me an associated web address really strikes me as absurd, but I now suspect even more securely that it was not one of my passwords to begin with. Unfortunately, it started with a message from Firefox, and after following it through the rabbit hole, I lost track of what info came to me from where, and my brain only recalled the connection to Firefox. Anyway, thank you.

While it probably doesn't warrant spending any time on this one, if you ever see someone claiming to have and show a part of your password, they might be trying to cash in on breach data purchased on the dark web. I definitely wouldn't trust them to do anything helpful!

Thank you. That is a useful thought.

Tyler Downer said

If you have unique passwords on each website, then you know how to mitigate the risk. This isn't a problem with Monitor. most users re-use passwords, and so knowing when one is breached is useful information.

The problem I have is Monitor is not telling me Which password was breached.

What exactly is the benefit of knowing that some site somewhere that I don't recognize has managed to obtain my email address and unknown password? Seriously...what do you expect me to do with this information? Are you advising me to change EVERY password I have?

Hi Jackie, Mozilla's data provider doesn't send Mozilla the passwords (if any) associated with the email address. That would create the risk of further spreading the information. I agree it's not practical to change a dozen passwords every time a mailing list or tracking database leaks; if there isn't a link to a particular account, you might not want to change your usual schedule of changing your passwords from time to time.

First time ever I received a breach notice. Normal advise (such as that given on the Firefox.com site) does not apply. I cannot change a password to a site I have never visited (since blocked) and certainly never signed up for.

This experience is distressing as I take pains to be as secure as possible. I really don't know what I can do about this. Should I be prepared to be bombarded by spam, or have my email used in nefarious ways or worse still be part of an identity theft???

Hi nithig, Zynga is famous for social games, so if you have played popular games on Facebook, you might have connected Zynga to your Facebook account at some point. But that kind of login doesn't involve sharing your FB password with Zynga, so even if someone grabbed everything Zynga had, it should not include your FB password. Still, it wouldn't hurt to change your FB password now and then.

As for whether you can expect spam, you can always expect spam.