@troyhunt yeah, but the site usually has some kind of incentive to ensure their users aren't hacked? Hacked accounts are rarely used for something good, instead they are used for spam or other malicious activity which the site probably does not want.
So if you send them a list of usernames and passwords for that site, they can check if it's valid. If it is, they can prevent the user (and criminal) from logging in with that compromised password. They can then inform the user and force them to set a new password.
One problem with this is of course that if the individual is still compromised, there is little benefit and the site might not be interested or able to help them clean up the malware.
Then again, a similar approach is sometimes used by ISPs who will disconnect the customer and check that they are clean before allowing them back online, so maybe it's not as unrealistic as I think that the websites might try to lock people out until they are "clean".
=> More informations about this toot | View the thread | More toots from gnyman@infosec.exchange
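
The check described in the post (a site testing a reported list of usernames and passwords against its own accounts, then blocking the compromised password and forcing a reset), as an added example that is not part of the original post. The user-store layout, PBKDF2 settings, function names and sample credentials are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed demo setting; use the site's real KDF parameters


def derive(password, salt):
    # Same salted KDF the (hypothetical) site uses at login time.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt), "must_reset": False}


def flag_leaked(users, leaked_pairs):
    """Flag accounts whose leaked password is still the current one.

    Unknown usernames and passwords that no longer match are skipped, so
    only accounts an attacker could actually log in to are affected."""
    flagged = []
    for username, password in leaked_pairs:
        rec = users.get(username.lower())
        if rec is None or rec["must_reset"]:
            continue
        if hmac.compare_digest(derive(password, rec["salt"]), rec["hash"]):
            rec["must_reset"] = True  # blocks both the user and the criminal
            flagged.append(username.lower())
    return flagged


def login(users, username, password):
    rec = users.get(username.lower())
    if rec is None or not hmac.compare_digest(derive(password, rec["salt"]), rec["hash"]):
        return "denied"
    # A valid but compromised password only leads to the reset flow.
    return "reset_required" if rec["must_reset"] else "ok"


def sample_users():
    # Constructed accounts: bob has already changed his password.
    return {"alice": new_account("alice-pw-constructed"),
            "bob": new_account("bob-new-pw-constructed")}


# Constructed leak: one live password, one stale one, one unknown user.
LEAK = [("Alice", "alice-pw-constructed"), ("bob", "bob-old-pw-constructed"),
        ("carol", "carol-pw-constructed")]

if __name__ == "__main__":
    users = sample_users()
    print(flag_leaked(users, LEAK))
    print(login(users, "alice", "alice-pw-constructed"))
```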