Firefox Monitor - Breach report foggy
I realize that the Firefox Monitor breach report comes from the pwned site, and I very much appreciate this Firefox service, especially having name of the software firm that was breached. The breach report that I received stated: "Compromised data: Passwords, Phone numbers", and presumably my email address that was identified at pwned. This breached software firm serves one specific industry area. What puzzles me is that I have no web accounts with any firm in the industry area that is served by the software company that was breached. All my web accounts are written down in a well maintained Word list, and all passwords are unique to each site. If I have no web account passwords to be breached, then why did pwned report a password breach? In the first few minutes, this being my first breach report, I imagined in panic mode that my email password had been breached, but that makes no sense. My email provider or my desktop would have to be breached for my email password to be revealed. Perhaps the "password" breach message is not to be taken literally, that the warning should be interpreted as: If you have a web account with firms serviced by the breached software company, then the hackers have your web account password. I can understand that my email address was breached, meaning associated with my name and phone number, but password? No mention of my address? Is there some brief, useful wording in this direction that Firefox Monitor could add to these warning emails, giving them context and intepretation, perhaps "PASSWORDS" HERE REFER TO WEB ACCOUNT PASSWORDS.
Could it be that the underlying breach happened before you got that email address?
It is also possible that the a company you had passed your address to had been taken over or had passed your data to a sub contractor.
I strongly recommend following the "what to do" advice on the Firefox Monitor website.
No, the underlying breach happened long after I created the email address at issue, and I do not see how that matters either way. Maybe I misunderstand your point, but let's move on. See below for key issue. Also, my address is secondary here, so let's pretend I never brought it up. I agree that subcontractors could be involved, but that makes it all permanently unknowable, so I proceed from what I do know. My main question: Is the password breach stated by pwned and forwarded by Firefox Monitor necessarily a web account password, given that generally in no other way would such an organization have a password created by me? This would have a yes or no answer. If the password breach reported by Firefox via pwned is necessarily a web account password, would it not be helpful for Firefox Monitor to mention this brief point in its warning email? Imaginary example: A specific software company named ABC designs and runs software to serve all and only companies that manufacture Widgets. I bought a widget online from XYZ Widget Company, but I bought it without creating a web account, so no password was involved. Pxned reports that ABC was breached and my password was revealed--a password that seemingly does not exist.
The breach information is such that an email address matching yours has been included in the information that was stolen.
It may have been an account email address (used to log into a website), but it could also be an email address stored by the organisation subject to the breach.
Yes, you are exactly right about the email address and so forth. But my question is: What is going on when pwned (and Firefox indirectly) refer to "password"?' Must this be a web account password? I see no alternative. And yet I have created no web accounts in the industry area served by the software firm that was reportedly breached. Are the pwned reports just vague and sloppy in this way? Or what?
It suggests that the data dump that was found from that breach features not just your email address, but also has a password field.
As with your email address, the password may be for an online account or is stored by that company for anothet reason. If you recognise that password, I strongly recommend that you change it swiftly.
I don't think the data supplier reports the specific data elements associated with each individual address, but instead reports what was found in the dump. It's possible that some columns were blank; in fact, I assume that's normal when there's a breach because people often have incomplete profiles.
Firefox Monitor specifies three breached data fields in my case, but the pwned site for my email address mentions nine data fields breached! Which is correct? I would guess pwned. You tell me to look at the password to see if I recognized it. I keep saying "Look at what password?". The pwned site shows my breached email address, but not any passwords of course, which would simply enable hackers. The firm that was hacked per Firefox Monitor provides software services to a specific kind of small business with retail clients. I have never heard of the software company itself and I do not run a small business, so no password there for me because no web account ever. Further, I have no web accounts with any of that software firm's potential small business clients, based on the software company's self-description. At issue here is the end value and reliability of these Firefox Monitor reports regarding breaches. My current sense is that Firefox Monitor would do much better to just report a breach involving my email address and possibly other personal data of some kind, and point me to the pwned website. I am talking about improvements to Firefox Monitor's messaging. I have little hope of finding out more information on my case because of the factors described above.
Reply to Jsicher2000: I think you must be right on that, data fields are listed, not individual data findings. Perhaps Firefox Monitor could improve the language of their warning message to "data fields potentially containing your ....", or similar. The literal meaning of the Firefox Monitor language is that my password was revealed, but as the longer post to Seburo indicates above, I am fairly confident that I had no such web accounts and passwords at the software firm or at their potential clients. Furthermore, the list of apparent fields differs between the Firefox Monitor message (3 fields) and the pwned site response to inputting my email (9 fields). Odd, that, and not helpful either. I will just comment in passing that if the breached firm is a company in software services to businesses, then a breach of them is not traceable to any organization that the consumer could have registered with, so you don't even know where to look for a revealed password. Firefox needs to fine tune the language of these messages. I hope this point gets through to someone with Firefox who will think all his through. Also in the Monitor message langauge "web account password" works better than just "password", which on first thought could be the email account's, although that makes no sense actually, unless your email provider was hacked, best I can tell.