
I can tell from the first 2 characters that the leaked password associated with my email address was scraped from Pizza Hut Australia's online ordering system (they only recently implemented SSL on the login page).

It's interesting that I set up a particular password for that service when I noticed it didn't use SSL. Makes me wonder how many databases this comes from. It certainly isn't Google's.



Out of interest, do you know from your data as to when your Pizza Hut Australia account could have been compromised? Was it a plus addressing yourname+pizzhut@yourdomain.com type email address?

Would be interested to know more about this. I'm @junto on Twitter if you don't mind contacting me. It would be appreciated.


Hi, no. I assume that the breach happened in the last 3 years, and before they implemented SSL. I have noticed that http://www.pizzahut.com.au/members/login is still a valid page, inaccessible via SSL, but I haven't checked if logging in on that page actually works.

I noticed that they've also implemented a password reset email, instead of their previous practice of just emailing you the password. Hopefully this means that they are no longer keeping unhashed passwords on the system.

It seems that they realised they weren't doing things correctly in the last 6 months (maybe a bit longer, not 100% sure) and have taken steps to rectify this. This may be due to a discovered security breach, but may just be a change in their internal IT policy. Hopefully they're now following best practices!



