alt.hn

5/19/2025 at 9:37:23 PM

Have I Been Pwned 2.0

 https://www.troyhunt.com/have-i-been-pwned-2-0-is-now-live/

by LorenDB

5/19/2025 at 10:52:17 PM

He should partner with a law firm, for class action lawsuits, for every breach due to negligence (which is probably all of them).

Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.

Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)

Optional: Sell data of imminent lawsuits, to an investment firm.

Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be.

by neilv

5/20/2025 at 2:00:16 PM

Heh, such an American response. Sue everyone and everything, lawyers gets paid. But at the end of day, nothing changes.

Meanwhile in EU, we have laws like NIS2, where if negligent in non-compliance. Fines are 10mil. EUR or 2% of global annual revenue. Eg.: If Apple gets $8bil. fine, yep that changes quite a lot I think. :)

by Fokamul

5/20/2025 at 2:52:46 PM

How does the EU solution make user's whole? At least with class actions, users get to see a few pennies.

I'm not trying to make an argument against strong regulatory bodies. We need those for sure. It would just be nice if the users were compensated for the exploitation and abuse they're subjected to.

by uncletammy

5/20/2025 at 3:07:18 PM

The US solution does not make users whole and does not meaningfully change anything.

The EU solution meaningfully changes the offending company's behavior. I would rather have significantly less breaches of my information than a check for $6 in the mail every couple months.

by devmor

5/20/2025 at 3:22:38 PM

> The EU solution meaningfully changes the offending company's behavior.

Citation needed. I'd imagine they just add a tiny markup to their prices to pay the eventual fine instead of investing huge amounts of money into fixing their broken processes. Comparing the list of EU-issued fines against the respective companies' profits shows that they can simply afford to make those mistakes instead of preventing them.

by Chiron1991

5/20/2025 at 3:58:40 PM

> they just add a tiny markup to their prices to pay the eventual fine instead

Ironically, this counter-argument applies perfectly to the "US solution".

On the contrary, EU's huge fines have a better chance of being effective.

by lone-commenter

5/21/2025 at 6:13:41 AM

Stock holders generally frown upon multi-billion euro fines and may want a change in management.

by theshrike79

5/21/2025 at 2:31:00 PM

And it's probably securities fraud ;)

by disgruntledphd2

5/20/2025 at 8:51:30 PM

>The EU solution meaningfully changes the offending company's behavior

How are those cookie consent popups working out?

by newZWhoDis

5/20/2025 at 10:18:26 PM

Great, they meant better acting corporations have no click or single click (dismiss-able with simple add-ons to proactively affirm the user's position) ribbons to get get rid of unwanted cookies. Let's be realistic anyone who hates those banners and hasn't bothered to do the google search and 5 minute task to get rid of them permanently (either enabling or disabling consent) is not having their political opinion changed by them, they are using them as an excuse to buttress their position of government bad or corporations malicious.

by greycol

5/20/2025 at 10:00:40 PM

It is a meaningful change, or you wouldn’t be talking about it.

Meaningful does not mean a solution.

by devmor

5/20/2025 at 5:50:26 PM

The EU solution provides incentive for the government to attack large businesses with lawsuits. That’s predatory and will lead to large businesses trying to lobby the EU to go after their competitors.

That just seems dysfunctional.

by rubitxxx9

5/20/2025 at 2:42:46 PM

The difference between the US and the EU being: the cost of negligence is known ahead of time?

by dfee

5/20/2025 at 3:17:16 PM

Agreed. It's unfortunate how litigious we are but it's the only language we speak apparently.

by xeromal

5/20/2025 at 6:13:08 PM

It's with American companies in mind. Though I expressly addressed that it isn't about lawyers getting paid, and also how this might change things (motivate companies to behave responsibly, in this regard)

Basically, we have a high-corruption society, especially in 2025, but there's still vestiges of a system that can be leveraged in the public's interest, if you contort just so.

by neilv

5/20/2025 at 6:07:53 PM

Do either of these approaches actually solve the problem? I think companies won't take it seriously unless their executives do, and their executives won't unless they are personally punished in a way compensation can't compensate for. Cane them Singapore style.

by lupusreal

5/19/2025 at 11:04:09 PM

> do direct deposits to many millions of people, every time there's new settlements paid

I wish I could easily donate my tiny settlements to a good cause. It might make it worth the time to register for the class.

by nyokodo

5/19/2025 at 11:06:58 PM

Probably impossible, but create a slush fund where companies that behave badly are forced to pay into so we can do things like fix roads and build housing.

by Avicebron

5/20/2025 at 1:05:00 AM

We could also design some kind of electoral process for picking those in charge of defining the rules and creating yet more bodies to enforce it.

Maybe this time we can come up with a better way to disincentivize corruption and bribery.

by _heimdall

5/20/2025 at 11:57:16 AM

We could instead randomly select representatives instead of using popularity contests where the candidates need money for advertisements in order to get popular, or to just even let people know that they exist.[1]

https://en.wikipedia.org/wiki/Sortition

[1] But the real solution is getting rid of money.

by keybored

5/20/2025 at 1:28:28 PM

Sure, that's still designing am electoral process. I didn't prescribe any one model in my precious comment.

by _heimdall

5/20/2025 at 3:14:05 AM

So on the nose. We shouldn't have to wait for pennies from lawsuits to have good roads and adequate housing

by gleenn

5/20/2025 at 2:44:18 PM

I think there’s already an amendment for that.

by jonhohle

5/19/2025 at 11:51:10 PM

The idea of fines as a revenue stream has never sat well with me. Fines are meant to be a disincentive. The ideal collection amount is zero. Treating them as a revenue stream creates a perverse incentive to enforce the penalty without disincentivizing the behavior.

by mulmen

5/20/2025 at 12:32:49 AM

This is literally what happened in Belgium when politicians did budget. A piece of the expected slice was traffic fines.

So that means that any kind of system that would improve traffic other than repressive measures would cost them twice, once to fix the situation and again when they can issue less fines.

by OptionOfT

5/20/2025 at 5:12:32 AM

If I drive carelessly and get a meaningful fine, I'll think twice next time, irrespective of who gets the money. I only care that I am fined. Unless the police starts to administer fines when they shouldn't, all is good, right? What happened in Belgium?

by dmos62

5/20/2025 at 5:51:53 AM

I don’t know about Belgium specifically, but one of the usual issues is that it incentivises aggressive policing of minor issues that make money (like parking violations), which takes resources out of other problems (like mugging).

by kergonath

5/20/2025 at 9:14:04 AM

In some situations (cough random towns with sections of highway running through them in Texas), it incentivizes an approach to traffic enforcement which is barely distinguishable from getting mugged.

by lazide

5/20/2025 at 10:00:21 AM

Putting the highway, into highway robbery!

by FridgeSeal

5/20/2025 at 10:04:52 AM

That's fine for you personally, and it may sound all good from a logical, theoretical, or academic perspective, however I personally know of people who have lost their license due to multiple fines and "demerit points" (NZ) resulting in that consequence.

The fines, and loss of license hurt them personally, professionally, and financially, but didn't change their behavior outside of the very short term.

In NZ we have people that are in and out of prison due to burglaries, robberies, etc... but the penalties don't change their longer term behavior.

There's a deeper problem, and penalties are important, but not the entire fix.

by tenzing

5/20/2025 at 11:11:18 AM

The occasional fine I get (and the prospect of getting another) does affect my driving habits and attentiveness, and it's the same for people close to me. Can't talk for others, though I'd expect this to be the norm.

by dmos62

5/20/2025 at 10:34:43 AM

Then these people _obviously_ are not fit to drive a multi-ton killing machine at all and should have their license permanently revoked, when they had multiple chances for introspection.

by xythobuz

5/20/2025 at 2:07:53 PM

And yet people drive with suspended licenses every day.

by mulmen

5/20/2025 at 6:49:21 PM

Yeah, as if "criminals" cared about the laws. :D (See: gun control).

by johnisgood

5/20/2025 at 5:55:27 AM

Driving carefully is not a boolean. It's possible to design roads/environments (accidentally or not) in such a way that the “you drove carelessly” metric that triggers the fine statistically applies more often.

by Timwi

5/20/2025 at 7:12:45 AM

If they design the road to make it harder to follow the rules it is bad.

by victorbjorklund

5/20/2025 at 10:35:40 AM

Bad for the driver, good for the government. That's exactly the point.

by dotancohen

5/20/2025 at 6:41:34 PM

Not really. If you hit a person with your car and that person becomes disabled. It will be way more expensive for the govt in the long run compared to a few fines.

by victorbjorklund

5/20/2025 at 12:22:06 AM

Just like police departments use asset forfeiture to get money to buy their “toys” while innocent people lose their cash and cars because carrying cash is suspicious.

by tutorialmanager

5/20/2025 at 2:03:46 PM

> The ideal collection amount is zero.

I agree with the overal position. Though I believe optimizing to collect zero fines is a bad measure.

A fine can be a relatively just mechanism to show that actions have consequences. And even the best people will occasionally make honest mistakes, so they will just get a fine instead of being persecuted for minor offences.

If fines degrade to a revenue stream, it's an indication something else is off with the financial structure inside the government. At least around here fines don't go into some official's private accounts, but I can see how they might "help" an underfunded department. Thinking about it this way, maybe we should consider funneling fines into a separate pool of money. Though I am not sure what to do when the fines are used to fix damage caused by the action (e.g. ecological damage). Governing is hard :(

by archi42

5/20/2025 at 1:01:03 AM

If your ideal is a perfect society where everyone follows the all rules all the time you are going to be sorely disappointed. The ideal collection amount is the size of the fine multiplied by the actual occurrence of the offense. And that revenue should be strictly used for rehabilitative or restorative justice. For example, speeding fines should go to road improvements that deter speeding making roads safer. If no one’s speeding, there’s no need for that. But people will always break the law.

by mcmcmc

5/20/2025 at 2:50:49 AM

> The ideal collection amount is the size of the fine multiplied by the actual occurrence of the offense.

I don't think that's a logically self-consistent idea. The "actual occurrence of the offense" is not an inevitable pre-existing fact, it exists downstream of the size of the fine and efficiency of enforcement. If you fine people 5% of their annual income for going 1 mph over the speed limit, and put more traffic enforcement on the road, fewer people are going to speed.

So to answer the question "what's the ideal collection amount", you have to consider what the costs (economic and social) of rule breaking behavior are, and trade those off with how much behavior can be modified by fines, as well as the costs of enforcement.

Furthermore, just taking the statement at face value, the only way to actually collect the size of the fine multiplied by the actual occurrence of the offense is to successfully fine 100% of offenders or fine some non-offenders, but even if this is possible it's almost certainly not the "ideal" amount of enforcement.

by bscphil

5/20/2025 at 1:34:08 AM

The safest road is the closed one.

I just want to say that in modern times safety is put as #1 priority, while it's actually always a balance. E.g. we wanted the safest airline industry, we'd close the airports. But we balance the safety vs usefulness.

by deepsun

5/20/2025 at 1:21:15 AM

Yes I agree. I was replying to the suggestion to put the proceeds from fines into a general slush fund. Doing that creates an incentive to use speeding tickets to pay for police overtime and radar guns instead of traffic calming infrastructure.

by mulmen

5/20/2025 at 3:30:12 AM

> But people will always break the law.

That says a whole lot all by itself. You acknowledge that reform doesn’t work? There is always money to be made because people don’t like the set of rules set? So when people follow all those rules, make new rules that people will break to keep it going? Where does it stop?

by dgfitz

5/20/2025 at 12:27:35 AM

I think the problem is:

1. How else would you penalize businesses?

2. What else would you do with fines?

If fines exist, it would seem foolish not to budget around that.

by anamexis

5/20/2025 at 12:45:50 AM

Governments should not operate fiscally like corporations. A financial institution will budget around fees because it's in their benefit for their customers to incur fees. A government should not budget around fines because they want the behavior which was fined to not occur at all.

by j_w

5/20/2025 at 7:20:57 AM

I think one way to prevent bad incentives is to ensure that the organizational units that create and enforce policies are not the ones that benefit from any fines collected.

by thayne

5/20/2025 at 2:09:15 PM

On the surface this sounds great, but governmental organizational units are still able to pressure one another, or have third parties apply pressure.

by j_w

5/20/2025 at 12:42:53 AM

Maybe a uniform tax credit/refund for each citizen that is covered by that level of government. We the citizens can then decide if we fix the issue or continue to generate fines, but at least the budget isn't expecting revenue that could disappear (like the lack of traffic tickets during the beginning of COVID).

by watercolorblind

5/20/2025 at 12:58:37 AM

How about fines go into a sovereign wealth fund (but not be seen as major source for the fund- more a bonus) so there is no short term budget planning based on fine revenue.

by craigdalton

5/19/2025 at 11:30:17 PM

HN Invents Taxes And Fines

by GuinansEyebrows

5/20/2025 at 3:02:34 AM

So what we are really saying is that we should form a new government?

by recursivegirth

5/20/2025 at 3:49:56 AM

With blackjack and hookers. In fact forget...

by asdfasvea

5/20/2025 at 3:00:44 PM

Isn't that basically the history of Nevada?

by hansvm

5/20/2025 at 2:46:32 PM

liberal tax and fines

by asdffdasy

5/19/2025 at 11:09:19 PM

Wow I think you just launched a political party I would vote for

by idiotsecant

5/19/2025 at 11:43:04 PM

We shall call it the Turtle Party, inspired by the Turtle Religion. Turtles all the way down.

by tylerflick

5/20/2025 at 1:03:53 AM

> companies that behave badly are forced to pay

Isn't this just regulation?

by glial

5/20/2025 at 1:47:54 AM

It’s a form of regulation. We could also put the sysadmin and the CIO to death every time there is a data breach but we, as a society, have decided that is too extreme. We could also choose to simply wag our fingers and hope the shame they feel will prevent a repeat. Fines seem to strike a balance.

by brewdad

5/19/2025 at 11:21:49 PM

Fine companies to fund bridges.

by hx8

5/19/2025 at 11:40:20 PM

That sounds like a great slogan, but you really don't want a justice system that's has an additional mandate to collect revenue. It's basically civil forfeiture all over again

by gruez

5/20/2025 at 12:21:47 AM

Isn't that...taxation? Seems alright to me!

by idiotsecant

5/20/2025 at 12:36:07 AM

fines ≠ taxes

by kevindamm

5/21/2025 at 8:49:56 PM

The justice department does have a mandate to punish those that do not pay their taxes....

by hx8

5/19/2025 at 11:05:52 PM

I'd donate a bit to make this a reality if someone had a chance at pulling such a service off.

by Covzire

5/20/2025 at 12:04:09 AM

I think this would have a negative effect.

Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.

I would rather know that a company messed up and change my password, than not knowing

by throwaway8eor

5/20/2025 at 1:58:19 AM

> I think this would have a negative effect.

How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.

The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.

by pfranz

5/22/2025 at 12:59:20 AM

Amen. User data should be a liability. The incentive should be avoiding data collection.

by freeopinion

5/20/2025 at 3:25:07 AM

I'm not sure, the effect would be to increase the riskiness of nondisclosure. If you disclose and get fined, that would be bad, but if you don't reveal and the penalty for nondisclosure is bankruptcy for the company and all its executives, that would be worse.

by BrenBarn

5/20/2025 at 12:10:36 AM

Only get a couple bucks from these class action lawsuits - give ‘em a 15% discount or something if they own up to it publicly, I don’t mind getting $18 instead of $20

by mock-possum

5/20/2025 at 9:15:15 AM

That's a massive infrastructure change to pay out what would likely be peanuts to users, put a massive maintenance burden on the platform (payments are a nightmare system), and disproportionately benefit a law firm profiting off of the lawsuits and the good will of the brand. Seems like a shit deal to me.

by hresvelgr

5/20/2025 at 12:38:30 AM

>Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.

and how long until that data is breached?

by dylan604

5/20/2025 at 9:20:25 AM

> Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.

That's not much of a motivation, given that Troy already is a folk hero.

by Vinnl

5/20/2025 at 12:06:53 AM

Take my money. Still waiting for Blue Shield to pay me for selling my health info to Google.

by bix6

5/20/2025 at 4:27:23 AM

Usually a breach results in a brief dip in a company's stock price, followed by a rally. Look at what happened after the Coinbase incident.

by linkregister

5/20/2025 at 4:41:39 AM

I bought croudstrike on “the day”. Just waited a few months and back up to pre destroying the world levels.

by conception

5/20/2025 at 1:47:00 AM

Stock market is too illogical. Seems like a dip buy opportunity every time.

I bet companies even buyback after these dips.

by Tubelord

5/20/2025 at 4:20:40 PM

Ah yes, automated lawsuit initiation, that's what we need! Ooh, we could run every breach announcement through Deep Research and let the AI make a determination on which one is negligence! That would definitely incentivize more transparency and accountability on behalf of companies!

Actually no, the end result of this will be a return to deny, deny, deny, because the worst case scenario then becomes the truth getting out.

IMHO we should be crucifying the liars and the truly negligent, but forgiving the honest and good faith efforts. At least for now, automating that judgment is pretty difficult and will result in more of the "customer service" like experiences that we already get from most big tech, except now it has the power to make or break companies.

Man we have sure moved on from the era of Blackstone's Ratio being a thing people united around. I'm not saying it should be applied literally, but punishing an innocent person should be considered a lot more wrong than not punishing a guilty person IMHO.

by freedomben

5/20/2025 at 4:58:23 PM

Look at this recent “data incident”

https://oag.ca.gov/system/files/Partnership%20HealthPlan%20o...

“Based on the investigation into this incident, it was determined that the information involved may include your name, Social Security number, date of birth, Driver’s License number (if provided), Tribal ID number (if provided), medical record number, treatment, diagnosis, prescription and other medical information, health insurance information, member portal username and password, email address, and address.”

It’s not about innocence or guilt. If you leak so much information these people will have to monitor every single account, credit card, etc for life, on top of all their personal sensitive info being leaked and possibly accessed by unscrupulous employers. The damage is incredible. It’s not about innocence. It’s about responsibility.

by meroes

5/20/2025 at 10:10:03 PM

I guess I should clarify: for incidents like that, I agree there should be severe consequences and blowback, including class action lawsuits and the like. If you are collecting stuff like SSN, DoB, DL number, etc then you definitely have a huge responsibility to protect that. I want to make data like that radioactive to collect so people think very carefully about whether they want to take on the liability.

What I don't think should happen is some automated lawyer combing the internet looking for any disclosures and then automatically filing lawsuits based on it.

by freedomben

5/20/2025 at 1:57:28 AM

"He should partner with a law firm"

He is a Microsoft employee.

by gerdesj

5/20/2025 at 2:03:54 AM

No, he's not.

https://www.troyhunt.com/about/ says "I don't work for Microsoft"

by paranoidrobot

5/20/2025 at 2:24:47 AM

"Microsoft Regional Director"

We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.

by gerdesj

5/20/2025 at 4:33:37 AM

It's not a job title, it's some Microsoft program, like their MVP program.

The RD site linked from Troy's site isn't loading for me at the moment, but if you search "what is the microsoft regional director program" you get back information making it clear that it's not for MS Employees.

https://rd.microsoft.com/en-us/

> The Microsoft Regional Directors program recognizes industry professionals for their cross-platform technical expertise, community leadership, public speaking[...]

by paranoidrobot

5/20/2025 at 7:35:05 AM

What a strange naming choice though...

by reddalo

5/20/2025 at 9:22:41 AM

You can be sure that the confusion is not accidental.

As I see it, it's a way for MS to profit from free labour for it's support service and a marketing stunt to benefit by association from the good reputation of this researcher and his initiative.

Even if it is not the case, people like the one previously will think: it is Microsoft employees that are managing this website, they know security.

by greatgib

5/20/2025 at 3:02:00 AM

Its not semantics at all, you just are excusing your own misunderstanding. He didn't describe himself with a job title, and he even explicitly states directly after listing those awards, that he is not an employee of Microsoft.

Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? I have a masters degree by coursework from a university, so I I ever state I have an Msc, I'm an employee of the university? I have an electrical licences issued by EnergySafe Victoria, so if I say I'm an A-Grade Electrician, I'm an employee of EnergySafe Victoria?

by cupofnotjoe

5/20/2025 at 1:54:24 PM

Remind me what CCIE stands for?

I don't think many people would be confused into thinking a Microsoft Certified Application Developer or an AWS Certified Cloud Practitioner are actually employees of those particular companies

by anonymars

5/20/2025 at 4:00:12 PM

Yes, those are better names. That doesn't make him a Microsoft employee.

by shkkmo

5/20/2025 at 4:34:43 PM

I'm not saying it makes him an employee. I'm saying those are bad attempts to argue that it's not a confusing title.

by anonymars

5/22/2025 at 4:19:06 PM

> I'm saying those are bad attempts to argue that it's not a confusing title.

You might want to reread, nobody was arguing that.

> We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.

"Debating semantics" is arguing about which definition to use. There is no valid definition under which you can say that Troy is a Microsoft employee.

You can't say "I'm not wrong, You're just debating semantics", all you can say is "I was wrong because I was confused by a misleading title I wasn't familiar with."

cupofnotjoe pointed this out and got a bunch of responses from people with poor reading comprehension who entirely missed his point.

Edit: I use 'you' in the general sense here, not specifically the person I'm responding to.

by shkkmo

5/22/2025 at 10:54:32 PM

I'm going to sum this up as

> Its not semantics at all, you just are excusing your own misunderstanding. He didn't describe himself with a job title, and he even explicitly states directly after listing those awards, that he is not an employee of Microsoft.

Yes, I agree. (I believe you think I am arguing against this; for clarity, I am not).

> Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? I have a masters degree by coursework from a university, so I I ever state I have an Msc, I'm an employee of the university? I have an electrical licences issued by EnergySafe Victoria, so if I say I'm an A-Grade Electrician, I'm an employee of EnergySafe Victoria?

I think these are poor examples and reinforce that the confusion was reasonable. That is the only point I've been arguing in this thread.

by anonymars

5/20/2025 at 1:45:39 PM

If I say "I'm a Cisco Regional Director" or "I'm a Walmart Regional Director" is you immediate though that I don't work for Cisco/Walmart?

by patmorgan23

5/20/2025 at 3:56:45 PM

Nobody is really disputing that Microsoft chose a confusing award name. However that name being confusing doesn't mean he is an employee or anything really like an employee.

by shkkmo

5/22/2025 at 10:43:09 AM

Well TBH, if you say that you are a cisco security engineer, I would assume you are from Cisco. Same for ACME whatever.

He made it clear that he is not MS but this is the only time I saw such a misleading "title"

by BrandoElFollito

5/20/2025 at 3:59:05 PM

Directly adjacent to the post it says "Hi, I'm Troy Hunt, I write this blog, run "Have I Been Pwned" and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals"

That reads to me like he's a Microsoft Employee. It's obviously important/significant enough to include it prominently on his website.

by skarz

5/20/2025 at 2:17:10 PM

All your examples are not things that commonly are job titles, so you are not "extending logic".

by detaro

5/20/2025 at 3:59:29 PM

The things he mentioned are of the same class, so yes, it does "extend the logic".

Just because the name for something is confusing, that doesn't change the nature of the thing named.

by shkkmo

5/20/2025 at 4:29:21 PM

They are not of the same class. The class is "job title", implying employment. "Regional director" is a job title. The others are not.

by anonymars

5/21/2025 at 2:12:28 PM

"Microsoft Regional Director" is not a job title. It is an award that Microsoft gives out only to non-employees.

You might think the award has a confusing name, and you would be correct. What you cannot be correct in asserting is that an award makes someone an employee because that award has a confusing name. That isn't a question of "semantics", if you assert that award makes him an employee, you are simply wrong.

by shkkmo

5/21/2025 at 8:36:47 PM

I'll repeat what I said in a related thread: I'm not saying it makes him an employee. I'm saying those are bad attempts to argue the title isn't confusing.

by anonymars

5/22/2025 at 4:22:35 PM

And I'll repeat myself: those weren't attempts to argue the title isnt confusing.

by shkkmo

5/22/2025 at 10:09:01 PM

I'm not sure what you're rebutting. This is roughly the thread as I understand it:

1. "Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? [other examples follow]"

2. "All your examples are not things that commonly are job titles, so you are not 'extending logic'."

3. "They are the same class"

4. "No they aren't, those are not job titles, thus they don't imply employment"

...

#. "those weren't attempts to argue the title isnt confusing."

I don't know what you're reading but #1 is doing just that; roughly translated: "Why would 'Microsoft Regional Director' imply he works for Microsoft? If I have a CCIE does that mean I'm an employee of Cisco?"

by anonymars

5/20/2025 at 6:00:06 PM

None of the things mentioned are common job titles, so no, they are not the same class.

by detaro

5/21/2025 at 2:15:32 PM

"Microsoft Regional Director" is not a job title, it is an award. You thinking it sounds like a job title doesn't make it a job title, it makes you confused. Being given an award does not make you an employee, especially when that award is only given to non-employees.

You ar correct, "Microsoft Region Director" is an award, not a certification like the others mentioned so they aren't quite the same class, but the analogy still holds. Neither being given an award nor a certification makes you an employee.

by shkkmo

5/20/2025 at 6:42:22 AM

Like many people I have a "main" email address, and I use per-company addresses for almost everything else. Now that the domain-searches require subscriptions this site has become much less useful.

I just added my domain to the site again and I see "2,243 Total Breached Addresses", and "18 Addresses excluding Spam Lists", but I have no idea what they are. Attempting to click the links shows me I need to "upgrade" to see them, and the download of excel and JSON result in 404 errors.

Too bad, I guess if you have only a single email address it might be good to get informed, but if you use a domain with multiple addresses it's way less useful.

by stevekemp

5/20/2025 at 9:22:44 AM

I have quite a few personal catch-all domain names, and two of the main ones are used for the per website alias as you do, so over a decade and longer later, I would never be able to manually enter each address. Or remember them.

And yes, the subscribe restrictions for domain searches are annoying.

But Troy and family also need to eat, so I understand the need for a payment part, especially for companies.

We just ended up in the grey zone in between. I wish there were some more nuances, but then again, HIBP can't cater for every edge case unless they want to hire lots of devs and customer services.

I ended up signing up for a subscription, checked my domains, and then cancelled the subscription. It felt a little cumbersome, but ok. A non-recurring 2-day access would have worked for me...

by flurdy

5/20/2025 at 3:27:18 PM

Yeah, I also sit in this grey area. I think the maximum is 10 per domain or so, and last I checked, I'd had 11 or 12 leaked, so I can no longer see them. It's unfortunate though I don't know an easy solution that allows both people with per-site addresses to get free access, and also companies to be required to pay.

by eythian

5/20/2025 at 10:51:25 AM

I have a similar setup, and also use lots of addresses at one domain. But I'm not subscribed (as far as I know) and I can do a wildcard search at my domain without issues, and also see exactly what emails been leaked. I don't see what leaks they're part of, but that feels less relevant, I already know where it got leaked as each email is for one product/project/company.

by diggan

5/20/2025 at 1:00:36 PM

I used to just add the +something in my email but now I try and remain diligent to create a masked email. When I first started, I foolishly did it with my domain name but have since moved to creating it with @fastmail.com.

by hk1337

5/22/2025 at 10:34:45 AM

Why do you feel it’s foolish that you used your own domain name?

by einsteinx2

5/22/2025 at 10:47:23 AM

I think OP means that they used aaa+facebook@smthg.com, so aaa@smthg.com is now revealed to be their main address.

As opposed of having facebook@smthg.com only

by BrandoElFollito

5/22/2025 at 11:05:44 AM

I did it like the first one first then moved to the second, where @smthg.com is my domain, but it also has my name in it so it seemed counterintuitive to link my name to it.

by hk1337

5/22/2025 at 11:08:40 AM

ah ok, thanks for the clarification this is a common problem with domains with actual names

by BrandoElFollito

5/22/2025 at 11:03:42 AM

Because it has my name in the domain. Since I was doing it for to help with privacy too, it seemed counterintuitive.

by hk1337

5/20/2025 at 12:30:44 PM

Is your per-company addresses a derivation of your main email address?

If so, this is called “email tumbling” and services exist to strip the “per-company” part to expose your main email.

by tiffanyh

5/20/2025 at 1:00:55 PM

I can't speak for OP but I too use per-company or per-service emails, and no they have zero connection to my main email (not even the domain actually, domains are cheap so I have multiple ones for different purposes). Since I started doing so a very long time ago I did choose a standard scheme for it (making use of the company's domain), so it would certainly be possible to recognize it's a per-company domain given human attention or (more likely) AI. Ideally the email specifically would not be something I'd see but just a pointer that would be randomly/plausibly auto-generated, and then my email server (or client) could transparently disambiguate it via a db on my side to what the service was. Then it'd be undetectable. Unfortunately while it's clear enough how all the pieces of that could come together I don't know of any existing solution and haven't had time to try to hack on it myself. So far it hasn't given me any problems however.

by xoa

5/20/2025 at 4:21:14 PM

There was a while where I had a complex lookup system Apple got "strawberry.cake@example.com", and posting to mailing lists were sent from "steve@12.2025.example.com" - which would lose MX records after a month.

But in the end I settled on facebook@example.com, instagram@example.com, and similar obvious names.

by stevekemp

5/20/2025 at 10:15:14 AM

> It's likely a single-digit percentage of requests that are real humans being [blocked], and we need to look at ways to get that number down, but at least the fallback positions are improved now.

The fallback suggestions mentioned in the article are "try clicking the box again" and "try reloading the page"

I'm slowly starting to wonder if I should start sending snail mail to companies that block me, instead of resigning to go somewhere else. HIBP is a free web service and shops have no obligation to serve a given individual, but it everyone puts CloudFlare Turnstile, Google Recaptcha, etc. in front of their services, a "single-digit percentage" of people simply cannot participate in modern society. Similar markers (IP address misclassified as bot range, unusual/old/infected browser, ...) will constantly be triggering for the same group

by Aachen

5/20/2025 at 6:47:06 PM

I got "radicalized" about these filter measures at my last job, where we operated a popular public-facing website, and we apparently adopted some third-party solution to reject otherwise valid logins based on some heuristics, with an intentionally vague "try again later"-style error message. Throughout a few months, I noticed a steady trickle of coworkers talking on the internal chat about being unable to log into the site citing that exact error, with varying degrees of urgency (eg. for myself, I noticed I couldn't log in using a private browsing window, but didn't worry too much because my long-lived session cookies were still fine). I like to think all of them were eventually pointed in the direction of the team working on the integration so that these false positives could be worked around, but definitely not everybody initially realized what was happening to them.

If even people within the same company fell victim to these filters, what chance would the wider public have? On the other side of my tenuous work/life balance, multiple friends that were long-time users of our product were also getting locked out of the site, and of course they had no means of understanding that they were false positives of a fraud detection heuristic, much less of getting individualized support. I know those people and that they were genuine good-faith users, but naturally, while I could pass on word of their struggle, I couldn't offer any actual help since that would disclose details about those heuristics that we were apparently paying good money for and wouldn't want the public to know anything about. I also saw social media discussions where other affected users were helplessly telling each other to try different browsers or reinstall Windows.

Of course, I understand the need to combat abuse of services (and I applaud this employer for many other measures taken in that effort), but it definitely did a number on my loyalty to the company and excitement to be part of the industry to realize that my friends and I would be readily sacrificed if push came to shove.

by ben0x539

5/20/2025 at 4:30:24 PM

6 hours later, case in point...

I'm blocked logging into Slack due to an invisible captcha: https://snipboard.io/h1E86S.jpg

I was surprised I was failing to type this code over from my email but no, that wasn't the issue. In the developer tools, the server fesses up I'm detected as "bot" again. As it's an invisible process, there's nothing I can do about it. This is a clean browser because it's for pentesting websites at work. No add-ons installed, no uBlock, no noscript, no corporate configuration, nothing

by Aachen

5/20/2025 at 11:12:14 AM

Agreed, it seems like my (fixed) IP address is triggering Google and CF for some reason. I don't run any scrapers or so from home but do use NoScript, am I a bot for using NoScript? Perhaps.

by whizzter

5/20/2025 at 2:10:48 PM

Yeah, I have rather aggressive blocking on with uBlock Origin. Google started blocking me about a month ago, I have to solve captcha for literally every query. I know it's uBlock as things are back to normal when I disable it. Well, this helps me to learn new muscle memory to rely on DuckDuckGo and Brave Search instead.

by jacekm

5/19/2025 at 10:36:50 PM

Does anyone else feel like the new design feels less trustworthy? I've probably just been conditioned on too many templates that all look the same, and there's nothing inherently wrong with it, yet it makes me wonder if I've accidentally opened a ripoff instead of the real thing.

by 85392_school

5/19/2025 at 10:39:48 PM

No, I agree. This new version looks like someone using a cheap template with cheap gradients (I don’t know how else to describe the gradients), and it immediately makes it look less trustworthy.

by pocketarc

5/20/2025 at 8:54:25 AM

Yes. Maybe I'm just a grumpy old man, but I think website redesigns are just a marketing thing (and fun for web developers) and rarely benefit the user. Nasa ADS has a fantastic (if super old-looking) site for many years that was clean and fast and did the job, they spent a lot of time and effort jazzing it up with pictures and javascript, and now it still just does the same thing.

by Y_Y

5/20/2025 at 10:40:20 PM

It also has horrible performance and hikacks scroll. The site feels horrendous.

by GreenWatermelon

5/20/2025 at 5:37:58 AM

Unfortunately the new UI does not allow to search for leaked phone numbers anymore. The old did (e.g. could check for facebook phone number leak, see https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...). The new does not let it pass through the input field.

Edit: it's also statet in the announcement:

> Just one little thing first - we've dropped username and phone number search support from the website

But it's really a bad time to remove this feature since there's a ongoing law suite against facebook in germany (https://www.vzbv.de/pressemitteilungen/facebook-datenleck-be..., hgerman link) that utilized the search there to know if one can participate or not.

by micw

5/20/2025 at 7:30:09 AM

The API still supports it so it should still be possible to implement a new solution for it.

The reasons for dropping the feature as outlined in the announcement seem very reasonable to me considering the larger implications.

by FinnKuhn

5/19/2025 at 10:30:10 PM

Amazing that even within the last decade a site as large as LinkedIn could be storing unsalted passwords. How does anyone fail at this in the modern era?

by AdamH12113

5/19/2025 at 11:40:42 PM

It's actually really easy to do unintentionally. For an intervening middleware, a password field in a JSON object is just like any other field in a JSON object.

You may have some kind of logging / tracking / analytics somewhere that logs request bodies. You don't even have to engage in marketing shenanigans for that to be a problem, an abuse prevention system (which is definitely a necessity at their scale) is enough.

Storing unsalted passwords in the "passwords database" is uncommon. Storing request logs from e.g. the Android app's API gateway, and forgetting to mark the `password` field in the forgot password flow as sensitive? Not so uncommon.

by miki123211

5/19/2025 at 11:55:55 PM

A company as big as LinkedIn should have bots continually accessing their site with unique generated passwords etc., and then be searching for those secrets in logging pipelines, bytes on disk, etc. to see where they get leaked. I know much smaller companies that do this.

Yes, it's easy to fuck up. But a responsible company implements mitigations. And LinkedIn can absolutely afford to do much more.

by jeffparsons

5/20/2025 at 10:24:45 AM

Such bots can certainly solve part of the problem, but they can't fix the issue entirely.

If your logging is on an obscure enough endpoint (password reset flow in the Android app's API gateway), you may forget to add that endpoint to the bot, just like you may forget to mark it as sensitive in your logging system.

At this scale, the developers working on these esoteric endpoints might not even be aware that such a bot exists.

by miki123211

5/20/2025 at 8:06:31 AM

I always picture a random middle manager in $large_organisation being told about something like this, and then they work out the angles and try to find the benefit.

If the method works, and it shows that the logging feature Fred got so much credit for is storing passwords, what are the political implications of that? Can our intrepid middle manager steal some of Fred's glory? Or is Fred an ally and it should be carefully handled? Or do they sit on it and wait until an opportune moment to destroy Fred?

This is the kind of reasoning process I think goes on, because I've seen very few large organisations make actually-good technical decisions.

by marcus_holmes

5/20/2025 at 10:26:30 AM

Sadly, this is not as far-fetched as we here on HN would like it to be.

by shmeeed

5/20/2025 at 2:52:47 PM

The fact that you think random middle managers are all that psychopathic really says more about you than it does some hypothetical middle manager.

Are their psychopaths and Machiavellian schemers in management? Certainly. Are they the majority? Almost certainly not, unless you're working for absolutely the wrong company.

As the Brits would say, "cock-up before conspiracy."

by psunavy03

5/20/2025 at 4:31:45 PM

No. It may not be conscious Machiavellian scheme, but it's a common attitude among middle managers. They are extremely sensitive to their reputation, which is why they punish people who make them look bad, even if it's something good for the company. Finding security vulnerabilities or wasted resources is met with an ambiguous hostility.

And unfortunately, a lot of people aren't emotionally intelligent enough to recognize that many managers use emotional reactions to redirect the room away from them. Because if you're the angry one, people won't ask questions like "didn't someone mention the possibility of this to you 6 months ago?"

by Capricorn2481

5/20/2025 at 5:10:55 PM

Everyone is extremely sensitive to their reputation. That is just human nature. Someone who can't factor that into their actions and communications is frankly lacking basic social skills.

by psunavy03

5/20/2025 at 1:09:50 AM

There are so many things that companies as big as linkedin should be doing but aren't :(

by some_random

5/20/2025 at 12:37:29 AM

that would require hiring a security personnel which they can't afford to do. /s

by knowitnone

5/20/2025 at 1:08:49 AM

I think the new approach is to "hire" LLM agents to do the job, unless the hiring manager can prove they exhausted all ways an LLM could possibly have done the task.

by _heimdall

5/20/2025 at 2:50:08 AM

Would this be solved by providing the client with a (frequently rotated) public key to encrypt the password field specifically before submitting to the server, so that the only place it can be decrypted and stored is the authentication service at the very end of its journey through the network?

by taberiand

5/20/2025 at 3:39:56 AM

A new public key per password-mutating session is quite an interesting idea.

It does have some challenges in introducing a read-before-write to fetch the session key at the start of the session, but given the relatively low call volume of such flows that might be a small price to pay to simplify security audits and de-risk changes to any service in the call chain.

by riknos314

5/20/2025 at 6:35:56 AM

The existing solution for this is SRP (Secure Remote Passwords http://srp.stanford.edu/).

Unfortunately my understanding is that it’s trivial to implement unsoundly but it’s also not something for which there are an abundance of good implementations across languages.

It’s been awhile since I’ve looked though so maybe there is a newer, less radioactive approach. But yes, never actually sending the authenticator itself (and doing so in a way that the proof is valid only once) would stop this sort of thing cold.

by stouset

5/19/2025 at 10:38:20 PM

They must have not asked enough Leetcode Hard questions in interviews.

by korm

5/19/2025 at 10:41:34 PM

I am stealing this. Made my day :)

by Svoka

5/20/2025 at 2:10:53 AM

LinkedIn at one point were continually pressuring people into handing over their email credentials in the name of making it easy to find your contacts.

So yeah, LinkedIn have never been exactly a bastion of IT Security.

by paranoidrobot

5/20/2025 at 7:22:05 AM

They (and the users) have a very real use case for that, just like a contacts app needs all of that. The problem is not keeping it safe.

by dewey

5/20/2025 at 8:28:30 AM

No user ever had a real use case for seeing a button that says "invite X" that doesn't send an invite on the platform, but instead sends an email to X who doesn't have a Linkedin account.

And if you decline, it asks you again. Two times using different wording.

by rpigab

5/20/2025 at 12:26:17 PM

You'll be surprised how many features "tech" people think nobody uses (Like a share button on a website), are actually very popular. That's likely the reason that feature still exists as everything is most likely A/B tested to death.

I was not only talking about that though, but also that they can build shadow profiles and recommend people to you that way.

by dewey

5/21/2025 at 8:32:22 PM

IIRC linkedin was one of the breaches where I got a spam email to my linkedin address, told them and they were like "can't be us - must be you who has been hacked". And then later "ah yeah was us, but no personal data was stolen". Like email address is not personal - lucky me for having a catch all domain and being able to just block the address I had used with linkedin.

by nedt

5/20/2025 at 11:46:49 AM

Same company that requires you upload a biometric scan of your face paired with your passport for ""verification"" (despite not needing it on signup) if you want to enable MFA, btw ;-)

On a related note, I no longer have an active linkedin account.

by DaSHacka

5/20/2025 at 6:58:59 PM

I worked for a company with millions of users that had plaintext passwords in the DB. The login had been rolled from scratch in the days before you could get decent, tested off-the-shelf code for their particular stack. There were always so many fires to put out and projects to keep the wages being paid that it never got looked at. It got bought by Microsoft and eventually they just consumed the whole thing somehow, so it's gone now.

It did allow me to cheekily run a SQL GROUP BY once to see what the most common passwords were, though. Top password was actually "trustno1" IIRC, followed by all the usual suspects, e.g. abcdefg, 12345678 etc. (there were no meaningful password rules)

by qingcharles

5/19/2025 at 10:37:25 PM

> How does anyone fail at this in the modern era?

Most probably some ancient legacy mainframe or whatnot other integration that nobody really has the time and budget to clean up and migrate to something more modern.

The larger the company, the larger the risk for ossification of anything deemed "business critical" because even a minuscule outage of one hour now is six if not seven figures worth of "lost" time.

by mschuster91

5/19/2025 at 10:55:42 PM

LinkedIn isn't old enough to have anything ancient. It was launched in 2003, and even then you'd get laughed at for suggesting storing passwords in plaintext.

by fwip

5/19/2025 at 11:04:51 PM

Plaintext, sure, but it was certainly common still to use SHA-256 which is very quickly cracked if your password is short.

by Sohcahtoa82

5/19/2025 at 11:23:33 PM

Doesn't mean that the infra is still ancient. What I see a lot is tech debt from migrations. Lots of times both the old and new systems have to work together for a period of time, so you leave certain legacy protocols and flags in place for the transition period and then the new system is never fully "updated" to the new standards. Pre win2k AD, file path lengths, encryption protocols, etc etc. Sure, the new system is "up to date" but the old compatibility settings remain.

by bongodongobob

5/19/2025 at 11:29:07 PM

This is also how feature flag services become mission critical because everything gets launched behind feature flags that never get cleaned up

by malfist

5/19/2025 at 11:25:35 PM

For all the talk of AI Slop, I don’t hear much about the fact that we have been suffering from Outsourced Slop for decades now. I suspect that is how this kind of thing also fail at LinkedIn. I say that based on my experience dealing with outsourcing companies and the product they produce through outsourced programmers.

It’s really just been a similar problem as with AI code, that without strong and competent management that can set intelligent expectations and requirements and test for them, you will surely get what appears to all the business and leadership types like an equivalent product, without any sense that it’s slop underneath the surface.

by hoseyor

5/20/2025 at 12:05:42 AM

I'm on board with the cheap offshore and bad incentives motiv, but feel this has to be augmented with a mention of the senior cowboy coder (who just went into retirement). Most likely in the future these stereotypes will be joined by vibe coders and AI-powered juniors, but as someone working this industry for a couple of decades give or take - we've learned how to deal with these by now.

by sally_glance

5/20/2025 at 6:31:32 AM

> the senior cowboy coder (who just went into retirement)

They just went into retirement?

by ohhnoodont

5/20/2025 at 6:30:00 AM

I've seen coworkers at Big Tech Co™ make huge security blunders despite attending prestigious universities (Berkeley, Stanford, etc) and having 5+ years of industry experience. No LLM slop required. Just rushing to meet deadlines while requirements shift rapidly enough that details get overlooked.

by ohhnoodont

5/19/2025 at 10:26:10 PM

It shows you a vertically scrolling timeline (with logos and blurbs) of all the data breaches that have exposed your email. How delightfully horrifying.

by standardUser

5/19/2025 at 10:30:36 PM

Makes me feel a little powerless. The only thing I can really do is freeze my credit

by MattSayar

5/19/2025 at 10:41:02 PM

what?

Why not just use different passwords for different things. I'd recommend something like privacy.com so you can generate a bunch of one-use cc cards when doing shopping on sites you don't trust and the like.

Also don't willingly give up valuable personal information unless it's absolutely necessary, it's also not illegal to give online services outright false information (incorrect birthdates for example) which, in the event of a future data breach of that service, now at least those who would plan to benefit from your personal information might have some difficulties resetting important accs and the like.

You just gotta be smart, it's not about being powerless, HIBP and the service is just one tool to make you aware of what's out there before it gets used against you. (I would highly recommend setting up notifications for important e-mail addresses)

by SLWW

5/19/2025 at 10:58:03 PM

Application specific credit card numbers really needs to be a legally required thing.

My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.

Of course for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by ED25519 public keys for identity?)

EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.

by XorNot

5/19/2025 at 11:02:38 PM

> Application specific credit card numbers really needs to be a legally required thing.

My latest card (debit) one has a feature I've not seen elsewhere, but I think kind of solves that too. It has a new CVC number every 10 minutes, which I kind of both hate and love. Love it for the obvious reasons of "not even having the physical card lets you use it digitally" but also because I cannot have it 100% in my password manager, I have to use the banking app to get the latest CVC code when I need it.

by diggan

5/20/2025 at 12:52:50 AM

I’ve want a physical one of these that changes both the CVC and the entire 16-digit number. Heck let the name submitted with the number be a longer checksum that can be verified at point of sale to figure out who’s actual account it is.

Plus then my gibberish name on my card number will match the gibberish secret question answers.

by koolba

5/20/2025 at 10:31:30 AM

> Heck let the name submitted with the number be a longer checksum that can be verified at point of sale to figure out who’s actual account it is.

That's going to be one hell of a lot of an issue in practice. Hotels, car rentals and AFAIK even some airlines want that the name of the card holder matches the name on the ID card.

by mschuster91

5/20/2025 at 2:17:49 AM

Use multi-factor authentication and strong, unique passwords for everything and you'll never have to worry about this.

by rainonmoon

5/20/2025 at 10:54:48 AM

Wish it was so easy, some websites have decided they like lower security, especially for some reason, my banks. Banc Sabadell in Spain for example, only does 2FA via SMS (famously insecure) and your password is limited to 6 numbers, and accepts nothing else.

by diggan

5/20/2025 at 2:41:42 PM

How exactly is that supposed to prevent your data from getting stolen in a database leak?

by Ajedi32

5/21/2025 at 3:28:23 AM

This thread isn't about data in general, only passwords. So first of all, a strong password is much harder to crack in the instance that it's stored in a hashed form in the database. In the instance it's stored (unforgivably) in cleartext, it cannot be used, because an additional factor is required to authenticate. That is how exactly.

by rainonmoon

5/21/2025 at 4:19:25 PM

HIBP tracks full data breaches, not just password leaks. Screenshot from the article https://www.troyhunt.com/content/images/2025/05/image-19.png

If your physical address gets leaked having a unique random password doesn't help with that. It's still a good idea though.

by Ajedi32

5/19/2025 at 11:58:28 PM

Lots of regular people use Have I Been Pwned and sending them to 1Password is probably the single best thing you could do for them (I know it's a sponsorship - but it's a very complimentary one).

I'd make the language around that promo banner stronger (ie. "We strongly recommend") and make it stand out more on the page.

So many social media accounts get hacked[0] because of shared passwords and those affected users often end up on the site - funnelling them to a password manager and a reason why it's good hygiene is great.

ps. congrats on the relaunch!

[0] I've probably assisted 20+ such cases in the past ~12 months

by nikcub

5/20/2025 at 7:45:12 AM

It's a sponsorship, so I'm not complaining, but if the goal was really to get people to use a password manager he would be sending them to Bitwarden since they have a free plan, plus their paid plan is only $10/year compared to $36 for 1Password.

by tallanvor

5/20/2025 at 10:53:41 AM

Besides the pricing, is there any reason to prefer Bitwarden over 1Password? Been happily using 1Password for some years, never had any issues, but maybe I'm glossing over anything? Probably the cli interface (`op`) is the one feature I couldn't live without today.

by diggan

5/21/2025 at 2:29:19 PM

They both do e2ee so they cannot read your secrets server-side, which is the standard.

Critically though, Bitwarden is open source, meaning that if the encryption is weakened, it would be noticed in the source.

With 1Password the clients are closed source: you have to trust the company to encrypt the secrets properly and an (malicious or accidental) change of the encryption cannot be detected by the user.

After Lastpass's fiasco around encryption, I don't feel like blindly trusting another company.

by Lcchy

5/20/2025 at 1:02:05 PM

Open-source versus proprietary and the option to self-host are the two that immediately come to mind.

by MattSteelblade

5/20/2025 at 4:11:00 PM

I can't speak about the other password managers, but 1Password's architecture ensures even 1Password can't see any of your credentials. It's E2E Encrypted.

I've been a 1Password user for over a decade. It's user friendly, and I'd rather not have the responsibility to self-host my company and extended family's credentials.

by atonse

5/20/2025 at 7:09:18 PM

Bitwarden is also a zero knowledge architecture built on E2EE; I would presume that is the standard in the industry.

by MattSteelblade

5/20/2025 at 7:19:15 AM

Why not bitwarden?

by bloqs

5/20/2025 at 1:34:50 PM

Does it feel like this site is itself a vulnerability? It seems like being able to go type in anybody's email address and just get a list of sites where it was found would be part of an OSINT process.

Shouldn't it at least send you a link to verify that you control the address before showing your results?

by brightball

5/20/2025 at 2:13:44 PM

> Does it feel like this site is itself a vulnerability? It seems like being able to go type in anybody's email address and just get a list of sites where it was found would be part of an OSINT process.

I think it is a reasonable trade-off. For non-technical people (i.e. ~everyone) it provides a really useful service where you can see if your data has been leaked and what passwords to reset. For bad guys it makes their lives a little easier by creating a quick lookup and potentially knowledge about some leaks they weren't aware of, but ultimately there'd be a dark web version if HIBP didn't exist.

I think there's also a lot of PR value in a site like HIBP. If a non-technical person sees a headline like "400 million customer records leaked by Big Corp" it feels pretty abstract, but if you go and type your email address into HIBP and see a list of companies who have leaked your email address (and most likely some other data) it feels more personal.

by remus

5/20/2025 at 1:49:22 PM

I guess the assumption is that bad actors have access to the data anyway so putting such verification process is not deterring any bad actor in any way

by upcoming-sesame

5/20/2025 at 1:55:39 PM

This is indeed a part of an OSINT process. Always has been.

by whatamidoingyo

5/20/2025 at 8:39:28 PM

Most online criminals will already have this or know how to get it with even the slightest bit of research, so it's not really a big deal in 99% of the cases. I think the net good is better than the net bad by orders of magnitude.

by EasyMark

5/20/2025 at 1:47:28 PM

I felt the exact same way. Especially because I saw my email had been registered and leaked by some seedy looking conservative news site full of Trump propaganda. I always knew people could sign others up for junk "malicious subscriptions" and suspected that is what happened when I would get this trash in my inbox, but now seeing that other people can also see it very publicly is disturbing. How are they to know I didn't sign up for this myself? I'd hate to think people were thinking that about me.

EDIT: Seems like https://haveibeenpwned.com/OptOut does the trick.

by replwoacause

5/20/2025 at 1:44:38 PM

[dead]

by pixxel

5/19/2025 at 11:05:55 PM

For those who would prefer to stay a little more under the radar, you can hide results from a search of your email appearing on this service.

https://haveibeenpwned.com/OptOut

by YPPH

5/20/2025 at 2:15:32 AM

Thanks for the info!

For anyone considering, here are the 3 opt-outions that appear after you email verify:

1. Just remove my email address from public search

No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.

2. Remove my email address from public search and delete the list of breaches it appears in

Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.

3. Delete my email address completely

The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.

by cypherpunks01

5/20/2025 at 2:47:06 AM

What if the opt out list gets pwned?

by coolcase

5/20/2025 at 3:04:39 AM

I assume if that ever happens, someone will register https://haveibeenpwnedbyhaveibeenpwned.com. It'll be the top post of HN for a couple of says while everyone argues in the comments about how the state of online security is "fundamentally broken" while someone asks if they can sue. Then we'll all forget and move on.

by eddythompson80

5/20/2025 at 9:15:19 AM

I think there was an earlier blog post from Troy sometime ago describing that HIBP never stores unencrypted email addresses; i.e. they are all hashed and any lookups go against the hash, not the actual email address.

by TonyTrapp

5/20/2025 at 10:08:26 AM

> The AI

> I wanted to make a quick note of this here, as AI seems to be either constantly overblown or denigrated.

This just gestures at middle-of-the-road thinking.

So what’s this begrudging note about? To set us on the correct course in the middle of the road?

> I'd say it was right 90% of the time, too, and if you're not using AI aggressively in your software development work now (and I'm sure there are much better ways, too) I'm pretty confident in saying "you're doing it wrong".

Well done. AI plug done.

I don’t see how that statement fulfills the implied middle-of-the-road opinion though.

by keybored

5/19/2025 at 11:00:24 PM

Who has the record for being in the most breaches? My main email seems to currently be in 40 breaches, earliest one in from June 2011 (HackForums, don't even remember what that is), and last one in September 2024 (FrenchCitizens, although I'm not French nor have I ever lived in France).

by diggan

5/20/2025 at 2:54:04 AM

I'm almost there with you with 35. I checked both of most used emails, and they are at 35 and 32.

by Brajeshwar

5/20/2025 at 12:09:36 AM

john@yahoo.com is in 322 breaches.

by mtmail

5/20/2025 at 1:53:11 AM

This is fun.

john@hotmail.com has 340!

by aaronharnly

5/20/2025 at 8:10:52 AM

John@gmail.com has 395!

by bazmattaz

5/20/2025 at 1:46:09 PM

John really needs to get his shit together.

by MyPasswordSucks

5/20/2025 at 2:01:57 AM

HackForums is a popular skid forum ran by an FBI informant who lives in Vegas

by edm0nd

5/21/2025 at 8:35:35 PM

steve@apple.com has 82 breaches. Good that he gave it to his CEO decades ago.

by nedt

5/19/2025 at 11:34:11 PM

You’ve got me beat by 1. Congratulations

by montag

5/20/2025 at 2:49:43 AM

[flagged]

by coolcase

5/20/2025 at 4:40:19 AM

Depressingly I’m at 51.

by kevinbluer

5/20/2025 at 9:16:40 AM

example@example.org is at 65 breaches. Fun!

by TonyTrapp

5/20/2025 at 8:27:30 AM

New HIBP, same old restriction banning users from 3rd world countries https://imgur.com/a/AzNSreV

by randunel

5/20/2025 at 8:58:01 AM

"Have I been pwned... at birth, by accidents of geography and economics"

Sorry that's happened to you. The only remedy I can think of is get a non-commercial proxy in some "recommended" country like through a friend.

by Y_Y

5/20/2025 at 4:04:37 PM

VPN?

by skarz

5/19/2025 at 10:37:49 PM

Too much scrolling. I prefer the old page.

by nipperkinfeet

5/20/2025 at 6:36:07 PM

They could preserve the same basic concept but scrunch it vertically a lot. Right now, the tiles in each column are spaced out so much that if you moved them all into one column, they wouldn't overlap.

Instead, they could stagger them. Some blank space would still make it easier to understand visually, just not as much. If they did this, it would be a bit harder to see how which date-circle on the timeline corresponds to which tile, but that could be fixed somehow, like a dotted line that joins a tile to its circle or by moving the circle to one side of the center line.

They could also shrink the contents of the tiles themselves.

(1) There's no reason to have MORE space after "Compromised data:" than before it. It wastes space, and (IMHO) aesthetically it looks very awkward and clumsy.

(2) Personally, I'd also not double-space the bullet items. I can see how it adds emphasis, but it wastes a lot of space and to me it looks bad.

(3) Too much vertical space above the "View Details" button. Sure, some padding is nice, but why so much more here than between the icon (at the top of the tile) and the first paragraph?

by adrianmonk

5/19/2025 at 10:39:29 PM

Feels like doom scrolling

by gpi

5/20/2025 at 2:17:50 AM

It also scrolls like shit if you happen to be on a GPU not made in the last 10 years.

by grg0

5/20/2025 at 10:41:59 PM

Or on a phone.

by GreenWatermelon

5/20/2025 at 5:32:29 AM

The ';-- in front of Pwned is a brilliant idea but less brilliant execution. Missed opportunity, I'm wondering how many people don't realize what it is

by kmarc

5/20/2025 at 9:02:16 AM

Oh that's what it was! I actually didn't think much of it until you pointed it out. At a glance looked like some random arrangement of squares

by flysand7

5/20/2025 at 5:38:38 AM

I definitely know what it is but for those who don’t what would you tell them

by mindwok

5/20/2025 at 6:00:24 AM

I think it's an SQL injection.

by adhamsalama

5/20/2025 at 1:42:50 PM

Oh, I thought it was the loss meme.

by addandsubtract

5/19/2025 at 10:23:24 PM

Is there a term for this trend in web design, with defaulting to dark mode and having slick gradients everywhere?

by mNovak

5/20/2025 at 3:02:29 AM

Not too far in the past, when Bootstrapped themes were becoming the face of the Internet, a new framework came to town — TailwindCSS. The smart thing they did was introduced the framework with a few brilliant template and a lot of styled components. I bought the initial copy and does a lot of people. Those templates, TailwindUI.com (now TailwindCSS.com/plus)[1] became the gradien-y, dark-ish, glow-y design you see a lot these days.

A similar design wave is also happening with internal dashboard, admin interfaces. Thanks to https://ui.shadcn.com Personally, I'm fine with the standardization of such functional interface designs.

btw, for Have I Been Pwned, this is Bootstrap[2] and I'm not surprised it is also inheriting those design styles.

1. https://tailwindcss.com/plus

2. https://getbootstrap.com

by Brajeshwar

5/19/2025 at 10:25:53 PM

I think GitHub kinda did it first on their desktop home page, but that has been out for years.

by aetherspawn

5/20/2025 at 2:20:32 AM

As someone who frequented a lot of video game-centric Invision Power Boards in the early 2000s, this is deeply insulting.

by rainonmoon

5/19/2025 at 11:00:52 PM

I actually think I saw it on Linear (the issue tracker app) first. Who knows

by burgerrito

5/19/2025 at 10:29:07 PM

I feel like that was a subtype within the style that Stripe popularized.

by MarcelOlsz

5/20/2025 at 1:09:55 PM

The term is ‘unreadable’. There are good reasons `:prefers-color-scheme` exists; use it.

by kps

5/20/2025 at 1:42:59 AM

I’ve never been able to figure out how haveibeenpwned.com can be useful to me, since I have had the same email address for many years and I don’t want to give it up. Do people get a new primary email address every time their address shows up in a breach list like haveibeenpwned ?

by BubbleRings

5/20/2025 at 2:07:59 AM

For personal use: To know what services you use have been breached. You can then follow it up with ensuring you rotate the password on that site/service.

If they have other PII of yours, it's a heads up that scammers might target you and/or your family with that information.

For work use: To monitor which sites/services employees use with work email addresses, and use it as a reminder/re-enforcement that they should rotate credentials used on that service, and if they're reusing them at work - to change there, too.

by paranoidrobot

5/20/2025 at 2:00:33 AM

Your identity isn't a problem! Its the password bit.

by gerdesj

5/20/2025 at 3:54:09 AM

I have my own mail server and setup a catch all alias to a single account. So I can generate -- on the fly -- e-mails for services.

- Apple: me.apple@example.com - Google: me.google@example.com - Uber: me.uber@example.com - Tinder: me.tinder@example.com - random business: me.randombusinessname@example.com

This helps me with the following:

- unique usernames and passwords for each service

- easily able to tell when a service sells my information or gets hacked/breached

- "haveibeenpwned" also allows mail server owners to get access to reports for all addresses on a domain and receive notifications on breaches

- much easier to remember and communicate with others as compared to iCloud hide my e-mail addresses

- on the outgoing/sending, re-writing the "from" address field in e-mails is very easy to do

by xyst

5/20/2025 at 6:37:41 AM

If you use this approach, once 10 of your aliases are in the HIBP database you will need to pay for a subscription to see breaches for your domain (and even then the $40/year tier is only good for 25 aliases).

I wish HIBP had a solution for those of us who are individuals but use a domain catchall to manage online accounts.

by ohhnoodont

5/20/2025 at 6:46:21 AM

Yes it really does suck - apparently I've been breached numerous times but I can't see details without paying.

by stevekemp

5/20/2025 at 9:18:59 AM

I used to have a primary email address as well (which occurs in several HIBP breaches). I never gave it up, I still have it to this day for sending personal mail. However, I started using service-specific email addresses (e.g. hackernews@example.org) at some point, gradually transitioning every account I registered somewhere to this new scheme. They all end up in the same inbox, together with the emails from the original address. If one of them ends up in a breach, I block delivery to that service-specific address and add a new one.

by TonyTrapp

5/20/2025 at 9:37:20 AM

I do too. Though it does get awkward when dealing with a human related to that site. E.g. a small time hotel phoning about a booking or a local events organiser, they all seem weirded out that I have their name in my email address... :) I often rely on Fastmail's email masking these days instead, which at least reduces that human interaction awkwardness.

by flurdy

5/20/2025 at 1:58:23 AM

It's more than just the email. If you're in the breach, it might now publicly tie your email to things like your real name. You also have to worry if you reuse passwords (which you shouldn't do even if you haven't been in a breach), because now the password in the breach is known to be used with that email address, and attackers will pivot to other services to try those same credentials elsewhere.

by MarioMan

5/20/2025 at 2:04:32 AM

They change their passwords...

by salomonk_mur

5/19/2025 at 10:40:02 PM

The new design looks great, and I always love following Troy's updates (although sometimes with semi-morbid curiosity).

I do find the timeline to be a little confusing- it seems to be ordered from earliest breach to most recent, but the dates on the timeline don't match that, as they seem to be when the data was leaked?

Display: breach date Ordering: breach published date?

I think it might be clearer to order + display the published date, and in the cards themselves show the breach date in a standard way.

by mslev

5/20/2025 at 9:31:56 AM

I was always frustrated by this service because it is good to tell you that you have been pwned and your email appears in a breach but sadly it is more often than not more scary than useful as you can't see exactly what has been leaked about you. Especially your password.

I understand the rational to hide the details, but bad actors like criminal probably have the source file with the details anyway.

What annoys me is that it is good to know that your email appears in a random pastebin agglomerating hundreds of leaks but if they don't give the exact name and date of the site, and without seeing the password it is hard to know who leaked your data and which password to change.

The worse is that I was used to use a very shitty simple password for all the sites that ask one without needing one (let's say media with free subscription needed to read a single article, Free conference or online webinar), ... and these one are the best targets to have leaks despite them being totally harmless if you take care to not give your personal info inside.

by greatgib

5/19/2025 at 10:44:08 PM

Very cool.

Small bug report: I've been pwnd a few dozens times, and my timeline is not in calendar order. I see Adobe (October 2013), then LinkedIn (May 2012), then Dropbox (June 2012), then Lastfm (March 2012), then some 2016 ones, then Kickstarter in 2014, and then after that they start being more in order of the listed dates.

by CobrastanJorji

5/19/2025 at 11:48:51 PM

Might be related to the 'breach disclosed/discovered' date? I noticed some of mine appeared out of chronological order, too.

by Casteil

5/20/2025 at 1:31:22 PM

When it mentions that your password has been leaked for a service, is this the plain text pwd (that service somehow stored that way) or is it a hash? Was the website salting the passwords (so no rainbow-table attack could happen)? What key derivation function were they using? Etc...

I feel the red circle with "Password compromised" is way too simplistic if this wants to be a TRUE trusty site regarding cybersecurity. If they just want to show fear and sell 1Password ads, I understand it, I won't consult it anymore. But if they want to really step up their game from a technical perspective, they should include more details.

by santiagobasulto

5/20/2025 at 10:40:07 PM

I'm not convinced the target audience is infosec.

I've leveraged this site a few times to show family members the pervasiveness of breaches and to recommend pw managers.

If a tool like this can help a few people increase their posture then I consider it a success.

by slumberlust

5/20/2025 at 3:03:20 PM

Every detailed blurb on the breach that I've seen says "Passwords stored as" and lets you know how they were encrypted.

by fckgw

5/19/2025 at 11:51:59 PM

This is a great site. Thanks for making it! I wish governments would take this kind of thing seriously though. Identity theft/stealing accounts/etc etc all starts with breaches like this and in the modern world it is often less devastating to have someone break into your house than to break into your digital life. With a break in you will get actual support in the form of a phone number to call (911 in the US) and real people doing real work to track down who did it and stop them. With the digital world you have nobody to call and even if you did I doubt much followup would happen. Society needs to change gears on this stuff and actually take it seriously.

by jmward01

5/20/2025 at 4:45:15 AM

Ok, one of my email addresses is in a bunch of leaks. What is interesting is that most services on this list I have never used. How did they get my email in the first place? What is the accuracy of that whole business?

by benob

5/20/2025 at 4:07:47 PM

What's the best service or app for tracking data breaches where your username and password are leaked? I'm trying to mitigate some leaks through ProtonPass but it's very frustrating as they simply say "password ****123 was found on the dark web" (they actually redact the full password) so then I manually have to go through my 100+ passwords and look for that particular password.

by skarz

5/19/2025 at 10:29:44 PM

> But now it's on a timeline you can scroll through in reverse chronological order, with each breach summarising what happened.

Maybe I'm reading it wrong but it looks like it might be a little off. I get:

- October 2013

- June 2008

- ...a bunch more...

- November 2021

- December 2020

by dsissitka

5/19/2025 at 11:00:10 PM

Not only is not in order, I tried a few emails and in all of them I get a bunch of sites that I've never used. I wonder if it's fetching the wrong data?

by dandellion

5/19/2025 at 11:27:23 PM

I regularly have doppelgangers that sign up for services with my email address.

I've been added to door/visitor notifications. I have received medical information for them. Retirement package info. A telecom internal tracker. A Doubleclick account for a while. Lessons for their children. Countless rewards accounts.

by kbrosnan

5/20/2025 at 2:57:28 AM

This has literally never happened to me... is your email address "go@away.com" or something?

by gpm

5/20/2025 at 1:39:44 PM

I also checked my throwaway gmail and it was included in a French Citizen leak [1]. I'm neither French, nor do I have any other connection to France. Not sure why my email would be included there, except for some random using my email (or misspelling theirs) – it's [5-7 letter english word][number] at gmail.

[1] https://haveibeenpwned.com/breach/FrenchCitizens

by addandsubtract

5/20/2025 at 1:50:38 PM

I keep wondering if its smart to just roll over an email address when it gets compromised, and limit your exposure, as well as force you to change your password while you're on every website ditching your former email.

I know some people use email tags, but maybe just rolling a new email might be better, followed by deleting unused dead accounts you will never use again.

by giancarlostoro

5/20/2025 at 10:03:59 AM

I just very much appreciate a regular gaming typo having made such a cultural impact over the last 25 years.

by robertlagrant

5/19/2025 at 11:23:56 PM

Am I the only one who is experiencing severe lag when scrolling on the new site (Firefox android)?

by rtrgrd

5/20/2025 at 10:43:48 PM

Same here. Also Firefox Android.

by GreenWatermelon

5/20/2025 at 8:23:42 AM

1) The search function has disappeared from the home page.

2) When clicking "details" on one of the search results, and then the back button, the search results disappear.

3) Other than that, thanks man great service!

by BurnGpuBurn

5/20/2025 at 12:38:38 AM

I love this site! Though I do wonder how much this site also helps amateur hackers find where to search for a specific person's password. One way to deal with it could be to email the person their pwns.

by luchris429

5/20/2025 at 2:04:41 AM

As a security researcher who is into OSINT, HIBP is my first go to when obtaining an email address of interest. If it's found, it immediately helps me know which leaked DBs to go grep through and find more info about the target email addy.

Obtaining and storing TBs of leaked databases is another part of the puzzle that is always growing and a bit more complex.

by edm0nd

5/19/2025 at 10:53:00 PM

I regularly use plus codes on my email addresses when I sign up for services, is there a way to search for an email address and all associated plus codes? Last I checked I couldn’t find that functionality.

by tech234a

5/19/2025 at 10:54:54 PM

If you use a custom domain, in the dashboard you can claim the whole domain and then see every breach for every address under it. Otherwise I don't think so.

by jsheard

5/20/2025 at 1:56:17 PM

I just verified that this database does not include the Vultr breach, or, at least it does not include email addresses that are unique to the Vultr service.

by paulnpace

5/20/2025 at 2:18:17 PM

Geez, and they have one of my domains with an address claiming to have been compromised by "B2B USA Businesses" in a leak in mid-2017, which is over a year before the domain was registered.

by paulnpace

5/19/2025 at 10:28:23 PM 

    Uncaught (in promise) Error: Invalid response from fetch: 401 - 
        at emailSearch.ts:295:19
        at async HTMLButtonElement.<anonymous> (emailSearch.ts:43:23)

by rasz

5/20/2025 at 12:20:40 AM

There's something interesting in the domain search: some breaches contain addresses that... simply don't exist. Like B2BUSABusinesses has sales@mydomain.

by glandium

5/19/2025 at 10:56:26 PM

A lot of companies I've never heard of before are leaking my data. :(

Can we make it so that companies I've never heard of before don't have my data in the first place?

by Buttons840

5/19/2025 at 11:19:24 PM

My latest one was from these guys https://www.eye4fraud.com/ who I have never knowingly done business with. Almost too absurd to be true

by lovich

5/19/2025 at 11:20:18 PM

[flagged]

by immibis

5/20/2025 at 4:59:47 PM

Lol I was looking at recently or yesterday and was wondering why it looked more nicer and usable than usual heh.

by babuloseo

5/20/2025 at 1:10:39 AM

I really wish I could put in my domain name, I have so many aliases that it's basically impossible to search each one individually.

by Saris

5/20/2025 at 1:17:53 AM

it's right there after the "The Domain Search Feature" heading. Verify ownership, then you get results

by flas9sd

5/20/2025 at 1:47:37 AM

Ahh I see it on the footer of the website, a bit hidden!

I'm not sure I really need it for personal use, more just a cool thing to see, so I'm a bit undecided on paying for the domain feature. I can see it being useful for a business though where each email is a different employee dealing with accounts everywhere.

by Saris

5/20/2025 at 1:54:36 AM

You can pay for just one month at a time. I pay now and then and check in on my personal domain – like you, I use dozens of email addresses with a catchall.

by aaronharnly

5/20/2025 at 6:43:27 AM

The first tier ($4/month) only works for up to 25 aliases. Depending on how many of your aliases have leaked, you may have to pay a lot to perform that check.

I wish HIBP had a solution for those of us who are individuals but use domain catchall forwarding as our method for separating accounts.

It feels good to see adobe@mydomain.com, newrelic@mydomain.com, internetarchive@mydomain.com, etc. there but not any of the addresses I use for normal communication.

by ohhnoodont

5/20/2025 at 12:02:12 PM

Oh that's a good idea. I'm not sure 25 aliases would be enough though, that price jump is quite a bit.

by Saris

5/20/2025 at 2:55:03 AM

Curiously the domain I've been using for years now only shows up in 1 breach... am I really lucky or am I only getting partial results?

by gpm

5/20/2025 at 5:27:44 AM

It's funny how you can find someone's interests just by typing his/her email address

The ultimate tracking tool

by WhereIsTheTruth

5/20/2025 at 2:40:36 AM

Interestingly, the timeline is not chronological for me? I can't seem to figure it out the order it is in.

by msephton

5/20/2025 at 7:41:49 AM

Does anyone feel like paying $274 and checking if the domains search allows gmail, hotmail etc? :o)

by Squeeeez

5/20/2025 at 9:20:48 AM

I signed up for domain search when it was still free. It requires verifying an email address that you shouldn't have access to, unless the email service in question is not set up according to RFCs.

by TonyTrapp

5/20/2025 at 7:32:54 AM

i like the new design, but it feels that the "stats" like the cache hit ratio and edge locations won't matter to the vast majority of visitors, who are just trying to check for potential breaches.

on the other hand, they will be great for the api/business pages

by bstsb

5/20/2025 at 11:52:40 AM

I use a lot of email+site@example.com. It would be great if those were included too!

by l72

5/20/2025 at 12:16:20 AM

Awesome! My timeline is showing out of order though (starts with a 2013 then a 2019 then a 2011).

by bix6

5/20/2025 at 12:51:57 AM

Great service. I use regularly with extended family to convince use of MFA.

by hanatanaka1984

5/20/2025 at 1:40:47 AM

In our country, email has never been widely adopted among non-tech-savvy citizens. SMS verification remains the most popular—and likely safer—method.

by lynnharry

5/19/2025 at 10:52:51 PM

This new design no longer links to the pastebins you were included in.

by charcircuit

5/19/2025 at 11:18:13 PM

It does at the very bottom of the list for me

by jpopesculian

5/20/2025 at 1:12:29 AM

For me it only shows a list of them and none of them are clickable.

by charcircuit

5/20/2025 at 6:06:10 AM

Too bad the term pwned dates us now

I think we’re backed to hacked

by yieldcrv

5/19/2025 at 11:20:55 PM

nit: timeline should be most recent to least recent

by h1fra

5/20/2025 at 1:32:25 AM

The input box doesn't work

by geor9e

5/20/2025 at 5:53:00 AM

Now waiting for this website to get pwned for its search history so hackers can identify targets worth pursuing.

by xlbuttplug2

5/20/2025 at 3:56:34 AM

[dead]

by curtisszmania

5/19/2025 at 11:50:39 PM

[flagged]

by havingapoo

5/20/2025 at 12:48:13 AM

I really wish Troy would've put a little more thought in to this before deciding to host using a for-profit corporation based in the US that wants to be a monopoly.

Will Cloudflare sell data to US TLA agencies? Probably.

by johnklos

5/20/2025 at 4:22:35 AM

Really impressive evolution of a crucial service. The architectural and UX improvements are well thought out, especially the focus on resilience and scalability. Love the transparency around the decision-making process, too-Troy’s commitment to keeping HIBP fast, free, and useful is a great example of public-interest software done right. The migration to .NET 8 and use of Cloudflare for caching shows how mature and modern the stack is becoming.

by willmarquis