He should partner with a law firm, for class action lawsuits, for every breach due to negligence (which is probably all of them).
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be?
Heh, such an American response. Sue everyone and everything, lawyers get paid. But at the end of the day, nothing changes.
Meanwhile in the EU, we have laws like NIS2 where, if you are negligent in non-compliance, fines are 10 million EUR or 2% of global annual revenue. E.g.: if Apple gets an $8 billion fine, yep, that changes quite a lot I think. :)
How does the EU solution make users whole? At least with class actions, users get to see a few pennies.
I'm not trying to make an argument against strong regulatory bodies. We need those for sure. It would just be nice if the users were compensated for the exploitation and abuse they're subjected to.
It's with American companies in mind. Though I expressly addressed that it isn't about lawyers getting paid, and also how this might change things (motivate companies to behave responsibly, in this regard)
Basically, we have a high-corruption society, especially in 2025, but there's still vestiges of a system that can be leveraged in the public's interest, if you contort just so.
Do either of these approaches actually solve the problem? I think companies won't take it seriously unless their executives do, and their executives won't unless they are personally punished in a way compensation can't compensate for. Cane them Singapore style.
Probably impossible, but create a slush fund where companies that behave badly are forced to pay into so we can do things like fix roads and build housing.
Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.
I would rather know that a company messed up and change my password, than not knowing
How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.
The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.
I'm not sure, the effect would be to increase the riskiness of nondisclosure. If you disclose and get fined, that would be bad, but if you don't reveal and the penalty for nondisclosure is bankruptcy for the company and all its executives, that would be worse.
Only get a couple bucks from these class action lawsuits - give ‘em a 15% discount or something if they own up to it publicly, I don’t mind getting $18 instead of $20
>Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
That's a massive infrastructure change to pay out what would likely be peanuts to users, put a massive maintenance burden on the platform (payments are a nightmare system), and disproportionately benefit a law firm profiting off of the lawsuits and the good will of the brand. Seems like a shit deal to me.
> Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
That's not much of a motivation, given that Troy already is a folk hero.
Ah yes, automated lawsuit initiation, that's what we need! Ooh, we could run every breach announcement through Deep Research and let the AI make a determination on which one is negligence! That would definitely incentivize more transparency and accountability on behalf of companies!
Actually no, the end result of this will be a return to deny, deny, deny, because the worst case scenario then becomes the truth getting out.
IMHO we should be crucifying the liars and the truly negligent, but forgiving the honest and good faith efforts. At least for now, automating that judgment is pretty difficult and will result in more of the "customer service" like experiences that we already get from most big tech, except now it has the power to make or break companies.
Man we have sure moved on from the era of Blackstone's Ratio being a thing people united around. I'm not saying it should be applied literally, but punishing an innocent person should be considered a lot more wrong than not punishing a guilty person IMHO.
“Based on the investigation into this incident, it was determined that the information involved may include your name, Social Security number, date of birth, Driver’s License number (if provided), Tribal ID number (if provided), medical record number, treatment, diagnosis, prescription and other medical information, health insurance information, member portal username and password, email address, and address.”
It’s not about innocence or guilt. If you leak so much information these people will have to monitor every single account, credit card, etc for life, on top of all their personal sensitive info being leaked and possibly accessed by unscrupulous employers. The damage is incredible. It’s not about innocence. It’s about responsibility.
Like many people I have a "main" email address, and I use per-company addresses for almost everything else. Now that the domain-searches require subscriptions this site has become much less useful.
I just added my domain to the site again and I see "2,243 Total Breached Addresses", and "18 Addresses excluding Spam Lists", but I have no idea what they are. Attempting to click the links shows me I need to "upgrade" to see them, and the download of excel and JSON result in 404 errors.
Too bad, I guess if you have only a single email address it might be good to get informed, but if you use a domain with multiple addresses it's way less useful.
I have quite a few personal catch-all domain names, and two of the main ones are used for the per website alias as you do, so over a decade and longer later, I would never be able to manually enter each address. Or remember them.
And yes, the subscribe restrictions for domain searches are annoying.
But Troy and family also need to eat, so I understand the need for a payment part, especially for companies.
We just ended up in the grey zone in between. I wish there were some more nuances, but then again, HIBP can't cater for every edge case unless they want to hire lots of devs and customer services.
I ended up signing up for a subscription, checked my domains, and then cancelled the subscription. It felt a little cumbersome, but ok. A non-recurring 2-day access would have worked for me...
Yeah, I also sit in this grey area. I think the maximum is 10 per domain or so, and last I checked, I'd had 11 or 12 leaked, so I can no longer see them. It's unfortunate though I don't know an easy solution that allows both people with per-site addresses to get free access, and also companies to be required to pay.
I have a similar setup, and also use lots of addresses at one domain. But I'm not subscribed (as far as I know) and I can do a wildcard search at my domain without issues, and also see exactly which emails have been leaked. I don't see what leaks they're part of, but that feels less relevant; I already know where it got leaked as each email is for one product/project/company.
I used to just add the +something in my email but now I try and remain diligent to create a masked email. When I first started, I foolishly did it with my domain name but have since moved to creating it with @fastmail.com.
I can't speak for OP but I too use per-company or per-service emails, and no they have zero connection to my main email (not even the domain actually, domains are cheap so I have multiple ones for different purposes). Since I started doing so a very long time ago I did choose a standard scheme for it (making use of the company's domain), so it would certainly be possible to recognize it's a per-company domain given human attention or (more likely) AI. Ideally the email specifically would not be something I'd see but just a pointer that would be randomly/plausibly auto-generated, and then my email server (or client) could transparently disambiguate it via a db on my side to what the service was. Then it'd be undetectable. Unfortunately while it's clear enough how all the pieces of that could come together I don't know of any existing solution and haven't had time to try to hack on it myself. So far it hasn't given me any problems however.
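Two things come up in the comments above and later in the thread: that plus-addressing ("main+shop@example.com") is easy to collapse back to the main mailbox (a later comment calls the stripping services "email tumbling"), and the sketch of random aliases that carry no information about the service and are resolved through a private database on your own mail server. The following is an added example written for this page, not code from any commenter or from HIBP; the provider rules, domains and alias format are constructed assumptions, and the "leak attribution" check goes a step beyond the comment by using the alias to name the service that leaked it.

```python
"""Added example: why plus-address aliases are linkable, and a random-alias
scheme resolved through a private mapping (the design sketched in the thread).
Provider rules, domain names and alias format are constructed for illustration."""
import secrets
import sqlite3
from typing import Optional


def normalize_plus_address(addr: str) -> str:
    """What an 'email tumbling' stripper does: drop the +tag subaddress and,
    for providers that ignore dots in the local part (Gmail is the well-known
    case), the dots. Every alias built this way maps back to one mailbox."""
    local, _, domain = addr.lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in {"gmail.com", "googlemail.com"}:
        local = local.replace(".", "")
    return f"{local}@{domain}"


class AliasStore:
    """Random, unlinkable aliases on a dedicated domain, resolved through a
    private table the mail server (or client) consults on delivery.
    Uses an in-memory SQLite database so the example runs offline."""

    def __init__(self, alias_domain: str):
        self.alias_domain = alias_domain
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE aliases ("
            " alias TEXT PRIMARY KEY,"
            " service TEXT NOT NULL,"      # the service's domain, e.g. shop.example
            " active INTEGER NOT NULL DEFAULT 1)"
        )

    def mint(self, service_domain: str) -> str:
        # 12 hex characters (48 bits) from a CSPRNG: no service name, no
        # pattern an observer could use to recognise the scheme.
        alias = f"{secrets.token_hex(6)}@{self.alias_domain}"
        self.db.execute(
            "INSERT INTO aliases (alias, service) VALUES (?, ?)",
            (alias, service_domain.lower()),
        )
        return alias

    def resolve(self, rcpt: str) -> Optional[str]:
        """Return the service an alias was minted for, or None if unknown or disabled."""
        row = self.db.execute(
            "SELECT service, active FROM aliases WHERE alias = ?", (rcpt.lower(),)
        ).fetchone()
        if row is None or not row[1]:
            return None
        return row[0]

    def disable(self, alias: str) -> None:
        """Burn an alias once it starts receiving unwanted mail."""
        self.db.execute("UPDATE aliases SET active = 0 WHERE alias = ?", (alias.lower(),))

    def attribute_leak(self, rcpt: str, sender_domain: str) -> Optional[str]:
        """If mail to an alias arrives from a domain other than the one the alias
        was minted for, the alias itself names the service that leaked it."""
        service = self.resolve(rcpt)
        if service is None:
            return None
        sender = sender_domain.lower()
        if sender == service or sender.endswith("." + service):
            return None
        return service


if __name__ == "__main__":
    print(normalize_plus_address("Jane.Doe+shop@gmail.com"))  # janedoe@gmail.com
    store = AliasStore("aliases.example")
    a = store.mint("shop.example")
    print(a, "->", store.resolve(a))
    print("leaked by:", store.attribute_leak(a, "spammer.example"))
```

The point of the normaliser is that it is trivial; anyone holding a leaked list can run it. The alias store side shows the trade-off the commenter accepts: unlinkability costs you a database you must back up, because without it the aliases mean nothing.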
> It's likely a single-digit percentage of requests that are real humans being [blocked], and we need to look at ways to get that number down, but at least the fallback positions are improved now.
The fallback suggestions mentioned in the article are "try clicking the box again" and "try reloading the page"
I'm slowly starting to wonder if I should start sending snail mail to companies that block me, instead of resigning myself to going somewhere else. HIBP is a free web service and shops have no obligation to serve a given individual, but if everyone puts Cloudflare Turnstile, Google reCAPTCHA, etc. in front of their services, a "single-digit percentage" of people simply cannot participate in modern society. Similar markers (IP address misclassified as bot range, unusual/old/infected browser, ...) will constantly be triggering for the same group.
I got "radicalized" about these filter measures at my last job, where we operated a popular public-facing website, and we apparently adopted some third-party solution to reject otherwise valid logins based on some heuristics, with an intentionally vague "try again later"-style error message. Throughout a few months, I noticed a steady trickle of coworkers talking on the internal chat about being unable to log into the site citing that exact error, with varying degrees of urgency (eg. for myself, I noticed I couldn't log in using a private browsing window, but didn't worry too much because my long-lived session cookies were still fine). I like to think all of them were eventually pointed in the direction of the team working on the integration so that these false positives could be worked around, but definitely not everybody initially realized what was happening to them.
If even people within the same company fell victim to these filters, what chance would the wider public have? On the other side of my tenuous work/life balance, multiple friends that were long-time users of our product were also getting locked out of the site, and of course they had no means of understanding that they were false positives of a fraud detection heuristic, much less of getting individualized support. I know those people and that they were genuine good-faith users, but naturally, while I could pass on word of their struggle, I couldn't offer any actual help since that would disclose details about those heuristics that we were apparently paying good money for and wouldn't want the public to know anything about. I also saw social media discussions where other affected users were helplessly telling each other to try different browsers or reinstall Windows.
Of course, I understand the need to combat abuse of services (and I applaud this employer for many other measures taken in that effort), but it definitely did a number on my loyalty to the company and excitement to be part of the industry to realize that my friends and I would be readily sacrificed if push came to shove.
I was surprised I was failing to type this code over from my email but no, that wasn't the issue. In the developer tools, the server fesses up I'm detected as "bot" again. As it's an invisible process, there's nothing I can do about it. This is a clean browser because it's for pentesting websites at work. No add-ons installed, no uBlock, no noscript, no corporate configuration, nothing
Agreed, it seems like my (fixed) IP address is triggering Google and CF for some reason. I don't run any scrapers or so from home but do use NoScript, am I a bot for using NoScript? Perhaps.
Yeah, I have rather aggressive blocking on with uBlock Origin. Google started blocking me about a month ago, I have to solve captcha for literally every query. I know it's uBlock as things are back to normal when I disable it. Well, this helps me to learn new muscle memory to rely on DuckDuckGo and Brave Search instead.
Does anyone else feel like the new design feels less trustworthy? I've probably just been conditioned on too many templates that all look the same, and there's nothing inherently wrong with it, yet it makes me wonder if I've accidentally opened a ripoff instead of the real thing.
No, I agree. This new version looks like someone using a cheap template with cheap gradients (I don’t know how else to describe the gradients), and it immediately makes it look less trustworthy.
Yes. Maybe I'm just a grumpy old man, but I think website redesigns are just a marketing thing (and fun for web developers) and rarely benefit the user. NASA ADS had a fantastic (if super old-looking) site for many years that was clean and fast and did the job; they spent a lot of time and effort jazzing it up with pictures and JavaScript, and now it still just does the same thing.
Amazing that even within the last decade a site as large as LinkedIn could be storing unsalted passwords. How does anyone fail at this in the modern era?
It's actually really easy to do unintentionally. For an intervening middleware, a password field in a JSON object is just like any other field in a JSON object.
You may have some kind of logging / tracking / analytics somewhere that logs request bodies. You don't even have to engage in marketing shenanigans for that to be a problem, an abuse prevention system (which is definitely a necessity at their scale) is enough.
Storing unsalted passwords in the "passwords database" is uncommon. Storing request logs from e.g. the Android app's API gateway, and forgetting to mark the `password` field in the forgot password flow as sensitive? Not so uncommon.
A company as big as LinkedIn should have bots continually accessing their site with unique generated passwords etc., and then be searching for those secrets in logging pipelines, bytes on disk, etc. to see where they get leaked. I know much smaller companies that do this.
Yes, it's easy to fuck up. But a responsible company implements mitigations. And LinkedIn can absolutely afford to do much more.
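The three comments above describe the failure mode (a logging or abuse-prevention layer that records request bodies treats `password` like any other JSON field) and one mitigation (synthetic accounts that log in with unique canary passwords, then a search of the logging pipeline for those exact strings). The following is an added example written for this page, not LinkedIn's, HIBP's or any commenter's code; the endpoints, field names, sample requests and canary values are constructed. It puts the naive logger next to a key-based redaction and runs the canary scan over both.

```python
"""Added example: redacting secrets from request-body logs and scanning the
log pipeline for canary credentials. Endpoints, field names, sample traffic
and canary values are constructed for illustration."""
import json
from typing import Any, Dict, Iterable, List, Tuple

# Field names whose values must never reach a log. Matched case-insensitively
# at any nesting depth, so the middleware needs no per-endpoint knowledge of
# where the password lives (login, forgot-password, change-password, ...).
SENSITIVE_KEYS = {
    "password", "passwd", "new_password", "old_password", "current_password",
    "token", "secret", "authorization",
}
REDACTED = "[REDACTED]"


def redact(obj: Any) -> Any:
    """Return a copy of a decoded JSON value with sensitive fields masked."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_line_naive(path: str, body: str) -> str:
    """The 'intervening middleware' of the thread: the body is just bytes,
    so a password field is logged like every other field."""
    return f"POST {path} body={body}"


def log_line_redacted(path: str, body: str) -> str:
    """Hardened version: parse, redact by key, then serialise. A body that is
    not JSON is summarised rather than logged raw, since it could be anything."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return f"POST {path} body=<non-json, {len(body)} bytes omitted>"
    return f"POST {path} body={json.dumps(redact(parsed), sort_keys=True)}"


def find_canary_leaks(log_lines: Iterable[str], canaries: Iterable[str]) -> Dict[str, List[int]]:
    """Canary scan: map each unique synthetic secret to the 1-based log line
    numbers containing it. Any hit pinpoints a sink that stores secrets."""
    hits: Dict[str, List[int]] = {c: [] for c in canaries}
    for n, line in enumerate(log_lines, start=1):
        for c in hits:
            if c in line:
                hits[c].append(n)
    return {c: lines for c, lines in hits.items() if lines}


# Constructed sample traffic. The forgot-password flow is the one the thread
# calls out as easy to forget when marking fields sensitive.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("/api/login",
     json.dumps({"email": "a@example.com", "password": "CANARY-7f3a9c1d"})),
    ("/api/forgot-password/reset",
     json.dumps({"token": "abc123", "new_password": "CANARY-0b2e44aa",
                 "profile": {"display_name": "A"}})),
    ("/api/search", json.dumps({"q": "security engineer"})),
]
CANARIES = ["CANARY-7f3a9c1d", "CANARY-0b2e44aa"]


def demo() -> Tuple[Dict[str, List[int]], Dict[str, List[int]]]:
    """Run both loggers over the sample traffic and scan each output for canaries."""
    naive = [log_line_naive(p, b) for p, b in SAMPLE_REQUESTS]
    hardened = [log_line_redacted(p, b) for p, b in SAMPLE_REQUESTS]
    return find_canary_leaks(naive, CANARIES), find_canary_leaks(hardened, CANARIES)


if __name__ == "__main__":
    leaked_naive, leaked_hardened = demo()
    print("naive logger leaks:", leaked_naive)        # both canaries, lines 1 and 2
    print("redacted logger leaks:", leaked_hardened)  # {}
```

Key-based redaction is a denylist and will miss a field someone names `pwd` next quarter; that is exactly why the canary scan is worth running continuously against every sink (gateway logs, crash dumps, analytics exports) rather than trusting the redaction once.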
Would this be solved by providing the client with a (frequently rotated) public key to encrypt the password field specifically before submitting to the server, so that the only place it can be decrypted and stored is the authentication service at the very end of its journey through the network?
LinkedIn at one point were continually pressuring people into handing over their email credentials in the name of making it easy to find your contacts.
So yeah, LinkedIn have never been exactly a bastion of IT Security.
Same company that requires you upload a biometric scan of your face paired with your passport for ""verification"" (despite not needing it on signup) if you want to enable MFA, btw ;-)
On a related note, I no longer have an active linkedin account.
IIRC linkedin was one of the breaches where I got a spam email to my linkedin address, told them and they were like "can't be us - must be you who has been hacked". And then later "ah yeah was us, but no personal data was stolen". Like email address is not personal - lucky me for having a catch all domain and being able to just block the address I had used with linkedin.
I worked for a company with millions of users that had plaintext passwords in the DB. The login had been rolled from scratch in the days before you could get decent, tested off-the-shelf code for their particular stack. There were always so many fires to put out and projects to keep the wages being paid that it never got looked at. It got bought by Microsoft and eventually they just consumed the whole thing somehow, so it's gone now.
It did allow me to cheekily run a SQL GROUP BY once to see what the most common passwords were, though. Top password was actually "trustno1" IIRC, followed by all the usual suspects, e.g. abcdefg, 12345678 etc. (there were no meaningful password rules)
Most probably some ancient legacy mainframe or whatnot other integration that nobody really has the time and budget to clean up and migrate to something more modern.
The larger the company, the larger the risk for ossification of anything deemed "business critical" because even a minuscule outage of one hour now is six if not seven figures worth of "lost" time.
LinkedIn isn't old enough to have anything ancient. It was launched in 2003, and even then you'd get laughed at for suggesting storing passwords in plaintext.
For all the talk of AI Slop, I don’t hear much about the fact that we have been suffering from Outsourced Slop for decades now. I suspect that is how this kind of thing also fails at LinkedIn. I say that based on my experience dealing with outsourcing companies and the product they produce through outsourced programmers.
It’s really just been a similar problem as with AI code, that without strong and competent management that can set intelligent expectations and requirements and test for them, you will surely get what appears to all the business and leadership types like an equivalent product, without any sense that it’s slop underneath the surface.
I'm on board with the cheap offshore and bad incentives motif, but feel this has to be augmented with a mention of the senior cowboy coder (who just went into retirement). Most likely in the future these stereotypes will be joined by vibe coders and AI-powered juniors, but as someone working in this industry for a couple of decades give or take, we've learned how to deal with these by now.
I've seen coworkers at Big Tech Co™ make huge security blunders despite attending prestigious universities (Berkeley, Stanford, etc) and having 5+ years of industry experience. No LLM slop required. Just rushing to meet deadlines while requirements shift rapidly enough that details get overlooked.
Unfortunately the new UI does not allow to search for leaked phone numbers anymore. The old did (e.g. could check for facebook phone number leak, see https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...). The new does not let it pass through the input field.
Edit: it's also stated in the announcement:
> Just one little thing first - we've dropped username and phone number search support from the website
But it's really a bad time to remove this feature since there's an ongoing lawsuit against Facebook in Germany (https://www.vzbv.de/pressemitteilungen/facebook-datenleck-be..., German link) that utilized the search there to know if one can participate or not.
It shows you a vertically scrolling timeline (with logos and blurbs) of all the data breaches that have exposed your email. How delightfully horrifying.
Why not just use different passwords for different things. I'd recommend something like privacy.com so you can generate a bunch of one-use cc cards when doing shopping on sites you don't trust and the like.
Also don't willingly give up valuable personal information unless it's absolutely necessary, it's also not illegal to give online services outright false information (incorrect birthdates for example) which, in the event of a future data breach of that service, now at least those who would plan to benefit from your personal information might have some difficulties resetting important accs and the like.
You just gotta be smart, it's not about being powerless, HIBP and the service is just one tool to make you aware of what's out there before it gets used against you. (I would highly recommend setting up notifications for important e-mail addresses)
For anyone considering, here are the 3 opt-out options that appear after you email verify:
1. Just remove my email address from public search
No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.
2. Remove my email address from public search and delete the list of breaches it appears in
Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.
3. Delete my email address completely
The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.
I assume if that ever happens, someone will register https://haveibeenpwnedbyhaveibeenpwned.com. It'll be the top post of HN for a couple of days while everyone argues in the comments about how the state of online security is "fundamentally broken" while someone asks if they can sue. Then we'll all forget and move on.
I think there was an earlier blog post from Troy sometime ago describing that HIBP never stores unencrypted email addresses; i.e. they are all hashed and any lookups go against the hash, not the actual email address.
I wish I could easily donate my tiny settlements to a good cause. It might make it worth the time to register for the class.
and how long until that data is breached?
I bet companies even buyback after these dips.
https://oag.ca.gov/system/files/Partnership%20HealthPlan%20o...
He is a Microsoft employee.
https://www.troyhunt.com/about/ says "I don't work for Microsoft"
If so, this is called “email tumbling” and services exist to strip the “per-company” part to expose your main email.
I'm blocked logging into Slack due to an invisible captcha: https://snipboard.io/h1E86S.jpg
The reasons for dropping the feature as outlined in the announcement seem very reasonable to me considering the larger implications.
https://haveibeenpwned.com/OptOut