Passwords in the TINS database are hashed and salted. There is no cleartext. Therefore a breach is unlikely.

Of course I can't be sure that I prevented every possible attack. Where did you see this? Please show me some more information so I can investigate.

I really do want to know more about this. I could check my own password for example.

Ok, I checked a few email addresses in the TINS database against haveibeenpwned.com. Some of them are green, some of them are red. It doesn't look like the whole site was breached. It looks like indeed that this is just a re-used password.

At this point I won't take additional security precautions, unless somebody feels strongly otherwise.

{"name":"612855","src":"\/\/djungxnpq2nug.cloudfront.net\/image\/cache\/1\/0\/10d4e39672f2daf65940fac7f5d84d51.png","w":952,"h":412,"tn":"\/\/djungxnpq2nug.cloudfront.net\/image\/cache\/1\/0\/10d4e39672f2daf65940fac7f5d84d51"}

Coincidentally I finally got around to cleaning up saved passwords in Firefox and Chrome, and moved them all over to LastPass instead. Then using LastPass I generated new, long, complex passwords for all the things, one-by-one.

LastPass's code to automatically generate new passphrases for known services appears to be broken for years now (according to threads I found online anyway). I started around 11 AM and didn't finish until like 4 AM (with undefined breaks and distractions in between). Which is why I had put it off so long.

I've only been using a [cloud/mobile] password manager for about a year now. And I only finally switched fully to it literally today. In theory, I'm reasonably safe now. In practice, you only have to break one passphrase (well, and 2fa^1.7n) to get everything that I have.

The passwords that are duplicated are for cross-platform apps that require me to type in a password to log in from the TV or game console or what have you. I didn't want to have to try to type a 48 character password by glancing at my phone (which sleeps every few seconds, requiring my fingerprint to unlock, and I think even LastPass locks in that case again). So I came up with a reasonably secure passphrase that is sufficiently random and complex that I can easily remember, and that my wife will be able to type if necessary. It's shared to make it easy because the worst thing is when you're uncertain which passphrase you used... And for the things I'm using it for I can just call the company and yell at them if my account ever gets hijacked (and if they're utilizing services I'm paying for and not using then I guess who cares).

Unfortunately, now if LastPass goes down (or I get amnesia or otherwise permanent memory loss) I'm fucked.