Were you among the roughly 400,000 people whose usernames and passwords were stolen from Yahoo yesterday? How about the 480,000 whose credentials were exposed in a December 2010 hack of Gawker? Or the 860,000 hit by Anonymous’ hack last year of StratFor?
If you don’t know, a website called ShouldIChangeMyPassword.com will tell you. Just enter your email—they won’t store your address unless you ask them to—and click the button that says, “Check it.” If your email has been associated with any of a large and ever-growing list of known password breaches, including the latest Yahoo hack, the site will let you know, and advise you to change it right away.
Two quick caveats. First, just because your email comes back clean on this site doesn’t mean your password has never been stolen. The recent hacks of LinkedIn and eHarmony, for instance, did not pair the stolen passwords with email addresses, so ShouldIChangeMyPassword.com can’t include them in its search.
And second, don’t go giving out your personal information to just anyone who claims to offer a service like this. Crooks have been known to prey on people’s fears with phishing emails and websites that trick the gullible into giving out information that actually hadn’t already been stolen. Note that ShouldIChangeMyPassword.com only asks for your email, not your password, bank account number, or anything else of the sort. It is also run by a well-established Australia-based company called Avalanche Technology Group, and it comes with endorsements from others in the security sector, for what that’s worth.
All that said, you don’t really need to visit any website at all to know whether you should change your passwords: If you haven’t done it in a while, or if your passwords aren’t strong, you should. And try to choose better ones than these Yahoo users.