After a widely publicised hack or data breach, you'll often find "password check" sites springing up.
Some of them are legitimate, asking only for your email address and checking it against a list of known data dumps.
→ Dumps are the files that typically circulate on the Underweb after a hack, containing as much or as little personally identifiable information (PII) as the thief cares to share; legitimate password check sites collect these to build a list of probably-hacked email addresses.
But other "password check" sites are as bogus as they sound on the surface.
They ask you to type in your login details, either into a clone of a regular site's login page
, or into a nicely-worded "you can trust us, honest, guv" page of their own.
That sounds like phishing, doesn't it?
And the reason it sounds like phishing is that it IS phishing!