Fuck fuck fuck fuck fuck… Noooooooooo!

Back when the internet was new and it wasn’t clear why every business would need a website, pringles was one that stood out to me as completely unnecessary. There’s no direct sales and there’s no pringles news to speak of. Turns out they had a bunch of fun little mini games on there. In short, I probably need to check the status of my pringles.com account…

But I’ve already popped?!

What should I change my pringles account to? Will onlyfans do?

my bank account, I can handle being breached. But my Pringles.com account?!?!?!? That is SACRED

I deal with this sort of thing pretty regularly for the company I work for. We get threat intelligence from several vendors when they see our users show up in “dumps”. Basically, threat actors will package up stolen credentials in a large zip file and make that available (usually via bittorrent) for anyone to download. Security vendors (e.g. Mandiant, which Google bought) download those dumps and search for accounts associated with their customers and send out these warnings when they find one. On the customer side, if the breach was recent we’ll force a password reset and warn the user about the breached password, with a recommendation to change their password on the affected site and also change any passwords which might be similar elsewhere.

Why do we force the password reset, even when it wasn’t the account for our business which was breached?
There’s a couple reasons for this. First off, people still reuse passwords all the fucking time. Maybe this victim didn’t, but we have no good way validate that. Second, even without direct reuse, folks like to have one main password that they apply slight variations to. They might use “Hunter 42!” at one site and then “Hunter 69*” at another. This isn’t smart, attackers know you do this and they have scripts to check for this. Lastly, if an organization is following the latest NIST guidance, you’re not changing your password on a regular cadence anymore. With that is the expectation that passwords will be rotated when there is a reason to suspect the credentials are compromised. Ya it’s annoying, but that’s part of the trade-off for not having to rotate passwords every six months, we pull the trigger faster on forced rotations now.

If you get one of these, consider it a good time to think about how you come up with and store passwords. If you are re-using passwords, please turn off your computer/device and don’t come back to the internet until you have thought about what you have done. If you aren’t already using one, please consider a password vault (BitWarden or KeePassXC make great, free choices). These will both help you create strong passwords and also alleviate the need to memorize them. Just create a strong master passphrase for the vault, let it generate the rest of your passwords as unique, long (12+ character) random junk, and stop trying to memorize them (with the exception of your primary email account, that gets a memorized passphrase).

Shit, do I check separately for each account, or should I change all of them just to be safe?

I was going off about passwords last week because of exactly this kind of shit. Who in the goddamned fuck needs a pringles.com account.

We live in insane times.

Someone tell OP all their passwords are at risk being kept on google.

Once you pop you can’t stop, changing your password…