Frequently Asked Questions - NCSC/MELANI Checktool

What is the NCSC/MELANI check tool?

You can use the MELANI check tool to find out whether there is a particular risk related to your e-mail address and passwords. Web shops and other Internet services are hacked every so often, and the associated customer data may be extracted. If passwords are not stored sufficiently securely, criminals may obtain access data (the e-mail address and associated password for the hacked service). With this data, criminals then try to log in to a variety of other Internet services. If you use a password more than once, you allow the criminals, with a little luck or perseverance, to log in under your identity and abuse this other service. Services that detect such login attempts can report them to MELANI, and we include the data in the check tool. In most cases, we are unable to determine which data leak the corresponding data originates from or which passwords are affected. The check tool is not comprehensive: even if your e-mail address is not listed in the check tool, it is still possible that an e-mail and password combination has found its way to criminals.

We generally recommend the following measures:

  • Change all your passwords regularly.
  • Do not use a password more than once; use a different password for each account.
  • Activate two-factor authentication if available.

Here you can find further rules of conduct regarding passwords.
 

Why does someone know my password?

Web shops and other Internet services are hacked every so often, and the associated customer data may be extracted. If passwords are not stored sufficiently securely, criminals may obtain access data. Furthermore, criminals can obtain passwords through malware-infected computers or via phishing.

Why does NCSC/MELANI know my password?

We do not know your password. An Internet service reported to us that someone has tried to log in with your e-mail address. The password used was not conveyed to us.

How do you know that my password was used?

An Internet service reported to us that someone has tried to log in with your e-mail address. Your e-mail address was one of many that were tried. We do not know for sure whether the attempt was made with one of your actual current passwords.

Why can't you tell me which password of which service is affected?

We only know that someone tried to log in to an Internet service with your access data. If a provider's customer database has been extracted, the provider itself should inform its users and reset all passwords.

Why does NCSC/MELANI not inform which Internet service is affected?

We usually do not have this information. We normally just receive a list of affected e-mail addresses from a partner or an Internet service and include this data in the check tool. The data often originates from several different leaks, which is why it is often impossible to say with certainty which service it was originally obtained from.

If we know the Internet service concerned, we will only disclose its name with the express consent of the affected company. Many companies do not want their name to be associated with a cyber incident, for a variety of reasons. We encourage affected services to inform their users themselves.

Why should I use different passwords everywhere?

Web shops and other Internet services are hacked every so often, and the associated customer data may be extracted. If passwords are not stored sufficiently securely, criminals may obtain access data (the e-mail address and password for the hacked service). With this data, criminals then try to log in to a variety of other Internet services. If you use a password more than once, you allow the criminals, with a little luck or perseverance, to log in under your identity and abuse these other services.

Who has access to the actual e-mail addresses or account names?

No one except us. The e-mail addresses and account names provided to us are not on the server. We store only their hashes (SHA-256) on the server, and only hashes are transferred from the client to the server. If you enter an e-mail address or account name, it is immediately hashed on the client side and never stored.

Why can’t I search for a whole domain or with a wildcard?

We do not store e-mail addresses or account names on the system, only hashes. This makes a wildcard search impossible by design. Apart from that, we have privacy concerns if someone could essentially browse all e-mail addresses or account names. If a provider or organization would like a search for a whole domain, we can do that offline. Please provide some proof that you are really responsible for the domain.

Why did you do this? Why did you not just pass the information to a site like haveibeenpwned.com?

We are not in the position to pass the raw data to another organization.

Why do we use Cloudflare?

We considered the risk of DDoS attacks to be very high. Cloudflare is an experienced DDoS mitigation provider. We decided to use a DDoS mitigation provider, not only for the protection of the tool itself, but also for the ISP where our server is located.

Does that mean that the server is located in a US cloud?

No, the server with the hashes is located in Switzerland. We only use Cloudflare's network for DDoS mitigation. The IP address you see when doing a lookup belongs to the front-end server in the Cloudflare network. This server does not store any data; it passes the requests on to our backend system.

 

Last modification 19.01.2022


https://www.ncsc.admin.ch/content/ncsc/en/home/dokumentation/faq/faq-checktool.html