There have been enough data breaches at this point that I'm sure all my info has been exposed multiple times (addresses, SSN, telephone number, email, etc). My email is in over a dozen breaches listed on the been pwned site. I've gotten legal letters about breaches from colleges I applied to, job boards I used, and other places that definitely have a good amount of my past personal information. And that's not even counting the "legal" big data/analytics collected from past social media, Internet browsing, and whatever else.
I now use strong passwords stored in bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.
Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.
I used per-account email with alias services and password managers.
Also started migrating old accounts in free time.
Now it's pretty easy to tell the source of a leak by email address, as well as the sources of spam.
---
Per-account alias might sound much, but using sieve filtering [1] is amazing, and you can get a comprehensive filtering solution going with 'envelope to' (the actual address receiving the email) + 'header to' (the recipient address you see, sometimes filtering rules don't filter for BCC or sometimes recipients are alias instead of your actual email) that are more comprehensive than normal filtering rules to sort your emails into folders.
Amusingly, I've managed to recover old accounts from emails that contain my old passwords with demands for crypto payment; it just provided me enough help to recall old variations of my passwords.
> I used per-account email with alias services and password managers.
For people who want to do this, be sure to get it right. I run a SaaS with a free tier, and I see people register with "fancy+nospam+servicename@gmail.com" addresses. Many of those become undeliverable or are left unread forever because of filtering rules. So when my system sends a warning E-mail that the account will be deleted due to inactivity, it doesn't get read, which leads to suboptimal outcomes for everyone involved.
I just use <myname>+<service>@gmail.com
At the end of the day it's all delivered to the myname@gmail.com mailbox, but I can use filters based on the part after "+".
I do this also. I started doing it with physical mail before email existed to sort out the junk mail, so first and last name always contained a reference to the company you were dealing with. Paul Allen back in the 80s said in a Seattle Times interview that it was how he handled it.
> I used per-account email with alias services and password managers.
20-something-ish years ago I setup qmail in my VPS and a .qmail-default file captures all my me-sitename@vps emails. If they send me junk I echo '#' > .qmail-sitename and that's the end of it.
Other things that get a mixture like someone annoying who harvested my ebay/paypal addresses or something, I'll sift out the good (stuff I need) via maildrop and everything else gets junked.
Honestly one of the best, but annoying, things I've done, well worth the time invested as I have a nice clean mailbox.
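The routing the comments above describe (Sieve sorting on 'envelope to' versus 'header to', Gmail plus-addressing filters, and qmail's per-alias `.qmail-sitename` kill switch) can be sketched in one place. The following is an added example, not code from any commenter: a small Python delivery filter that reads the per-service tag from the SMTP envelope recipient first and only then falls back to the visible To/Cc headers, so a message in which your alias was only a Bcc recipient is still attributed to the right service. The address schemes, domains, blocked tag and sample messages are constructed for the example.

```python
"""Sort incoming mail into per-service folders based on the alias it was sent to.

The SMTP envelope recipient (RCPT TO, what Sieve calls `envelope "to"`) is what
the server actually accepted the message for, and it is present even when the
alias was only a Bcc recipient. The visible To/Cc headers (Sieve `address "to"`)
are checked only as a fallback, e.g. for mail forwarded from another mailbox.
"""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

# Alias schemes, constructed for this example:
#   plus addressing:  myname+service@gmail.com
#   dash suffix:      me-service@vps.example   (the qmail .qmail-service style)
ALIAS_PATTERNS = [
    re.compile(r"^myname\+(?P<tag>[a-z0-9._-]+)@gmail\.com$"),
    re.compile(r"^me-(?P<tag>[a-z0-9._-]+)@vps\.example$"),
]

# Tags whose alias has been retired; equivalent of `echo '#' > .qmail-spammyshop`.
BLOCKED_TAGS = {"spammyshop"}


def tag_of(address: str) -> Optional[str]:
    """Return the per-service tag encoded in an alias address, or None."""
    address = address.strip().lower()
    for pattern in ALIAS_PATTERNS:
        match = pattern.match(address)
        if match:
            return match.group("tag")
    return None


def route(envelope_rcpt: str, raw_message: str) -> str:
    """Return the folder a message belongs in.

    envelope_rcpt is the RCPT TO address from the SMTP session;
    raw_message is the RFC 5322 message text (headers, blank line, body).
    """
    # 1. Envelope recipient: authoritative, and the only place the alias
    #    appears when we were a Bcc recipient.
    tag = tag_of(envelope_rcpt)

    # 2. Fallback: the recipients visible in the headers.
    if tag is None:
        msg = message_from_string(raw_message)
        header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _name, addr in getaddresses(header_values):
            tag = tag_of(addr)
            if tag:
                break

    if tag is None:
        return "INBOX.unsorted"      # not sent to any known alias
    if tag in BLOCKED_TAGS:
        return "Junk"                # alias retired after it leaked
    return f"Services.{tag}"


# Constructed sample deliveries: (envelope recipient, raw message).
SAMPLES = [
    ("myname+bank@gmail.com",
     "To: undisclosed-recipients:;\nSubject: statement\n\nSee attached.\n"),
    ("myname@gmail.com",
     "To: me-forum@vps.example\nSubject: new reply\n\nSomeone replied.\n"),
    ("me-spammyshop@vps.example",
     "To: me-spammyshop@vps.example\nSubject: SALE\n\nBuy now.\n"),
]

if __name__ == "__main__":
    for rcpt, raw in SAMPLES:
        print(f"{rcpt:32} -> {route(rcpt, raw)}")
```

The first sample is the case the Sieve comment is about: the To header says nothing useful, and only the envelope recipient reveals that the bank alias received the message.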
> I used per-account email [addresses] with alias services
I do too (anything@mysubdomain.example.com), but online services collude with data brokers to share so much information [0] that I don't doubt that many of these "separate" profiles have been aggregated.
Unfortunately the services that supposedly offer to have your personal data removed from data brokers don't seem to support aliasing, so no straightforward way to either find out or have the data removed.
[0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1], for example:
- Match and combine data from other data sources: 419 partners can use this feature (Always Active)
- Identify devices based on information transmitted automatically: 546 partners can use this feature (Always Active)
- Link different devices: 358 partners can use this feature (Always Active)
- Deliver and present advertising and content: 582 partners can use this special purpose (Always Active)
+1 for Bitwarden. It is literally the best solution out there. Been getting to increase uptake in personal circles with (very) limited success. The wife keeps trying to convince me that the ship has sailed in trying to protect info online. She's probably right.
Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.
For a week I've been using KeePassXC + Syncthing between four devices. Syncthing is also syncing my Obsidian vaults which has replaced Apple-only Notes.app.
Bitwarden is definitely more polished, and Syncthing is definitely (much) more fiddly than using Bitwarden's and Obsidian's ($5/mo) native syncing tools.
But I like the idea of having the same syncing solution across all apps on all devices. Curious if anybody can recommend this setup or if collisions will make it unbearable.
I use a similar service, I always wonder what sort of risk having one point of failure has though. I know 2FA helps, but a particularly motivated person with access to your physical still may be able to get both, especially if it's for an investigation of some sort.
I switched from Bitwarden to Proton Pass (because we got Proton Family) and I find it to be equally good. I even find sharing credentials a bit easier as it does not require organizations, you can just share with individuals.
I convinced my wife to start using a password manager, too (Bitwarden). Now she stores all of her very guessable, short, similar passwords in a manager. Sigh.
Addresses? Most of the time addresses are a matter of public record. I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works. One day a close friend excitedly told me she bought a new house and I told her the address before she told me about it.
Telephone number? There used to be phone books. And I still instinctively think they should be public.
An address can be dangerous if it's e.g. a social network site or blog, anywhere where you post under an alias. People make enemies, have stalkers, or say things online that certain regimes don't like. Granted, this is only really a thing for a minority, but if a minority isn't safe, nobody is.
> Telephone number? There used to be phone books. And I still instinctively think they should be public.
I used to think the same. Around here I feel until a few years ago most people I knew with secret phones were people I would prefer to have fewer interactions with: people who frequently got into trouble, tried to scam others etc.
These days I’m more in the camp of layered security. Whatever I can do to make it harder for an attacker, the better.
Addresses can lead you to public land and mortgage records, and phone numbers can lead you to names and addresses. I assume everyone can easily find that out about me once they know my name/phone number.
I think the headline is a bit vague, it includes passwords as well. Does anyone know if Troy's HIBP'd site reveals the passwords to verified users? I'd like to know if my current or what generation of passwords has been breached to evaluate if I have a current or past problem with my devices.
I'm in a similar situation, just make sure your credit is frozen with the 3 major US companies. I had someone steal like $50 of cable TV with my info in another state and it was a major pain to get off of my credit report.
Even better "please give us all the things which could be used by a foreign power to blackmail you, or apply pressure to relatives or other close contacts" and then poorly secure that database.
That is awful, but it doesn't lessen the impact of someone who right now has access to your email and/or other accounts. China having your DNA profile is not nearly as impactful as someone actively stealing your identity and potentially ruining your finances. Use 2FA everywhere, and if your email is in this list, you should change your password.
I use unique email addresses per domain name, and I believe IHaveBeenPwned shows me at 39 unique email addresses breached! (So many that seeing which ones have been breached would now cost me $22 / month... IHaveBeenPwned is starting to feel like an extortion racket of its own..)
If you're using the same domain for each of your email address, HIBP has a domain-wide search feature which is free (but you need to register to validate your domain)
Even if you weren't breached, the sophistication is getting higher too. New hires get emails starting literally day one because email formats follow a pattern and they posted their new job on linkedin (or something).
To confirm, data/info leaks happened on the server/application side. How does a solution like Bitwarden on the client side help with this situation?
As per my understanding the only possible threat it saves against is someone trying to brute force your password against the application. And maybe ease the cognitive burden of remembering different passwords.
I generally don't give my real address or real phone number to anyone who doesn't legally need it. I use a virtual address as the billing address on my credit cards and for registering for things that don't need to know where I sleep.
The government can have at my real info, but private companies have bad data security.
I bet now some corporations actually want to be exposed, have data breach. If you have not been in the news, it means you have not made it yet (not popular enough to be a target worth writing about).
Right to be removed/purged and a maximum retention policy. One place I'm aware of purges accounts that have been inactive for 18 months. Historical billing info is offline and "gapped".
Right. Having some data leaked isn't really a boolean, leaked/unleaked. It's a list of leaks, and the implicit map between your datapoints, whether by intra- or inter-provider mapping.
For example a forum might leak a map between your mail and a password; implicitly your affinity for that forum's topic is also now on the public record, and additionally, if your posts were public but under a pseudonym, that might now be known by a sufficiently motivated attacker.
Finally this may be linked with other public datasources like your public tweets or public state records, or even other leaks.
This is why the meme about all ssn's being leaked or about a list of all valid phone numbers is so asinine.
It's probably more important to keep passwords safe, but lots of people treat their email address like some kind of "sensitive secret". "Oh but I don't want to get spam" - my dude you are going to get spam.
There's a guy who lives near me who, when he parks his car, very carefully puts tape over the number plate "because otherwise people might see my registration number". Because apparently if people can see your car's registration number they can somehow just steal your car and the police won't do anything because the number plate was visible. Mad, absolutely barking mad.
On the plus side, Troy can save a lot of DB space now. Instead of storing which emails have been compromised at this point he can replace that with just
If we're going to take my obviously unserious suggestion seriously, I'd suggest a bigger problem is that his stack isn't in Python and the code for whether an email is pwned probably isn't remotely structured as a function call like that...
This seems to include details from a Spotify data breach in or before early 2020 that, to my knowledge, was never reported on. They did have other, similar issues that year.
Reporting from the time seems to all be about one or multiple leaks/attacks involving:
- Credential stuffing with data from other breaches
- A leak of data (including email addresses) to "certain business partners" between April 9, 2020 and November 12, 2020.
On April 2, 2020 somebody logged in to my Spotify account (which had a very weak password) from a US IP address. This account used an email address only ever used to sign up to Spotify years earlier, and the account had been unused for years by that point. I changed the password minutes later. A few hours after that Spotify also sent an automatic password reset because of "suspicious activity". At no point have I ever been notified by Spotify that my data had been leaked, though it obviously had, and now said email finally shows up on HIBP.
I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data know what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what passwords were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."
There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the passwords it found. But I'm not going to reset 500+ passwords because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.
> there does not seem to be any way for _me_, the person affected, to know what password were breached
You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:
1. The password to my password manager
2. The password to my gmail account
3. The passwords for my full disk encryption
All of those passwords are unique and not used anywhere else. Everything else is in my password manager with a unique randomly generated password for each account. And for extra protection, I enable 2fa on any site that supports u2f/webauthn.
I used to reuse the same password for everything, and that led to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open Uber and see a ride actively in progress on the other side of the country. It was not fun.
Yes! Me too. Not adding anything here except a confirmation on the above approach. You kind of need your email password as a "break glass" scenario. But mostly, you just need your password manager.
Nice. Now I'd like to know WHICH password got leaked.
That way the breach impact can quickly be limited.
Troy probably would share that information for a price. Not sure whom to pay though - the "good" guy who won't say a word, or a criminal who will happily share it with me?
Also if possible, use a unique email address for each site. I know that's not feasible for most people, and some sites (e.g. LinkedIn) are structured so that email addresses become linked, but it does provide useful isolation.
> It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.
If you read the instructions, you will discover https://haveibeenpwned.com/Passwords which will let you enter a password and securely check if it has been published in a breach.
If it has, it is either a simple password that multiple people are using, or a complex secure password that can make you pretty confident it is your password that has been published.
1Password just does the same thing for all of your passwords - it doesn’t check against your account name either. That information isn’t stored so they can’t become a new source of breached accounts (as explained at the site).
The problem with breaches like the latest data set is that there's no source on where the breach came from, it's an aggregate from multiple breaches. They can't tell you that info because it's not in the initial data set.
> But the site does not give me any way to take action.
It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.
It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.
Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.
Change the password for what account though? The dashboard doesn't seem to list the actual website(s) linked to the email/password breached, so how am I to know which password to rotate?
If I follow the recommended best practice, I have a different password for every website or service. That could be hundreds of them. Am I supposed to rotate all of them every time there’s a breach?
> It does give you an awful lot of information about the specific hacks
No it doesn't. Enter <old email address> → 5 data breaches → first one says:
> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources
It doesn't tell me which site or which of the many passwords used together with that address. Just that it has been in a generic data dump.
So it gives me the information that my email has been exposed.
Where? In what service? Did my password get leaked too? I can't change the password / delete the account if I don't know where.
Did any other data get leaked? Anything sensitive? Do I have to cancel my credit card? Were any files leaked as well? My home location?
At this point HIBP is next to useless.
And how showing me WHAT is in the database about the email I proved I own would be spreading it? At this point if I want to learn it I need to either try to find the torrent with it (spreading it further!) or pay the criminals.
At one point I responded to a haveibeenpwned notice by immediately having the user reset a password.
I've got over 200 users in a domain search (edit: for this particular incident), and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.
This doesn't help. If the email address check says the address has been exposed it doesn't tell you which password that was used together with that has been exposed.
Was it one from 10 years ago you don't even remember? Or that's still actively in use? Which one of my hundreds of passwords?
One possible solution could be to give you an option to send the affected password as a list to the mail address you specify, then only people with access to that mail address will see them
The details about the “Stealer Logs” on the dashboard even state:
> The websites the stealer logs were captured against are searchable via the HIBP dashboard.
There is no way to use the HIBP dashboard to figure out what domains my email address appears against.
Am I meant to change all passwords associated with that email address? Or do I need to get a paid subscription to query the API to figure out exactly what password(s) to change?
This has always confused me. On the one hand, HIBP is an invaluable service, but, on the other, it does nothing more than stating you’re in trouble, with no clear way forward.
It's quite certainly an upselling attempt. I once spent a couple of hours trying to see what was actually exposed in the infostealer breach my email appeared in (eg: payment data? Physical address? Government ID?) to no avail.
My data was exposed in one of the Facebook leaks and it turned out I had an old email on my Facebook account with a domain I had since let lapse and abandoned. Someone else registered the domain and tried to take over my Facebook account by sending a password reset request using it. Luckily I had 2FA and I guess Facebook's fraud alerts picked it up, so it wasn't successful.
I guess what I want to say is beware that even something as innocuous as an email being leaked can cause problems, and make sure you delete any unused addresses from your accounts!
One of the drawbacks of using a custom domain for personal email is you essentially have to pay for it for life, otherwise anyone can just buy your old email address if the domain expires and start receiving mail, resetting accounts... I think some folks don't fully consider this consequence when setting up a fun vanity email address or similar etc, especially now both iCloud and gmail have made it so trivial to link a custom domain.
Conversely, if yahoo/google ever stop offering free email, I'll probably end up paying them much higher prices to keep going for a bit until I can transition.
If either ever stop period, especially one day to the next, FML...
Which is incredible because it means they paid to get the domain and try to access that account. I can't imagine why anyone would care that much about your Facebook (assuming you're not someone who's especially influential) and yet here we are
I totally respect Troy and the work he's doing, but I still can't justify to myself the risk of typing my passwords into his website because that would be the very first time that I would use any of those in places other than the ones where I normally use them.
Is there a way around this?
Edit: to answer my own question, I should read a bit more rather than click on the first link, the answer is here:
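On the question raised in the comment just above, and in the earlier one pointing at https://haveibeenpwned.com/Passwords, of how a password can be checked against the Pwned Passwords corpus without handing it to the site: the range API is queried with only the first five hex characters of the password's SHA-1, and it answers with every suffix it knows under that prefix together with a count, so the final match is made on your own machine and neither the password nor its full hash ever leaves it. The following is an added example, not Troy Hunt's or 1Password's code: a Python client that performs that local half of the lookup, sweeps a list of vault entries the way the password-manager checks discussed above do, and includes an optional live fetch over urllib. The range table, the count and the vault entries are constructed for the offline run; the `Add-Padding` header is a real option of the API.

```python
"""Client side of a Pwned Passwords range query (k-anonymity lookup).

Only the 5-character SHA-1 prefix is sent. The response lists every known
suffix under that prefix as "SUFFIX:COUNT" lines; we look our own suffix up
locally. With the Add-Padding header the API also mixes in zero-count filler
lines so response size does not reveal the bucket size; those must be ignored.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API holding a single prefix bucket. The first
# suffix is the genuine SHA-1 tail of the string "password"; the count and the
# zero-count padding line are made up for this example.
FAKE_RANGE_TABLE: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n"
    ),
}

Fetcher = Callable[[str], str]


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher over the constructed table (unknown prefix -> empty body)."""
    return FAKE_RANGE_TABLE.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real fetcher; not used by the offline demo or the tests."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Fetcher = fake_fetch_range) -> int:
    """Times this password appears in the corpus; 0 means not found (or padding)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def sweep_vault(entries: List[Tuple[str, str]],
                fetch_range: Fetcher = fake_fetch_range) -> List[Tuple[str, int]]:
    """Check every (site, password) entry; return the ones found, with counts.

    Only the prefix is sent per entry, never the site name, so the server
    cannot pair a password with an account, which is the property the
    password-manager integrations rely on.
    """
    hits = []
    for site, password in entries:
        count = pwned_count(password, fetch_range)
        if count > 0:
            hits.append((site, count))
    return hits


# Constructed vault: one notoriously common password, one strong one.
SAMPLE_VAULT = [
    ("forum.example", "password"),
    ("bank.example", "wq7$Lm2!vK9pX4zR#bT1"),
]

if __name__ == "__main__":
    for site, count in sweep_vault(SAMPLE_VAULT):
        print(f"{site}: seen {count} times, rotate it")
```

A hit with a very large count is the "simple password many people use" case from the earlier comment; a hit on a long random password is the stronger signal that your specific credential is in a dump. To run against the real service, pass `live_fetch_range` as the fetcher.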
Many people here have echoed similar sentiments, but I really wish they would give you any sort of information so you could have any sort of idea of what got pwned and ideally when. Was it a bank account, or some random forum? As it stands the action of even processing this data was of very little utility.
As with roughly a quarter of the planet, I was in this breach. My 1Password Watchtower is green. I cycle important passwords regularly. Back 10-15 years ago my passwords, like most people's, were much shorter and not randomly generated. All of them for everything show up in the passwords search.
The utility of Have I Been Pwned approaches zero the longer you have been on the internet, and I have been on the internet since the late 1990s.
We're left in a place where everyone but the victim knows the compromised account, and that's just kind of absurdly useless.
> The utility of Have I Been Pwned approaches zero the longer you have been on the internet, and I have been on the internet since the late 1990s.
I mean if your 1Password is green then HIBP has definitely helped.
First of all, without HIBP, you wouldn't have Watchtower.
HIBP has raised awareness on having unique passwords per site.
HIBP has achieved that multiple services now can and do check whether a particular password is leaked or not.
Of course you could argue that since your security hygiene is so good you don't need HIBP. True. Let's pretend everyone on the planet will be generating unique passwords per service. Great. HIBP will have achieved the enormous job of making the planet more secure.
And still a notification if you appear in some breach that can be attributed to a service - good signal to change password.
Hats off to you for cycling the passwords.. Have you ever run into problems with that? Say you kinda rotated a password but it no longer is accepted or something?
If there's no meaningful reward or punishment for keeping or leaking PII, companies won't do anything about it. They'll keep collecting sensitive info unless they're educated or forced not to collect unnecessary PII.
Not just this but the lack of diligence by companies that allow accounts to be created, bills to go unpaid & then sent to collection agencies is something that needs to change.
Speaking as someone who has had companies give away my PII and then other companies open accounts with it without contacting me until bills are due.
None of this should be the fault of innocent individuals.
[1]: https://datatracker.ietf.org/doc/html/rfc5228
> Per-account alias might sound much
Not only does this not sound too much, this is a feature Apple offers called Hide My Email: https://support.apple.com/en-us/102548
It's super-easy to figure out who leaks my emails to whom, so I can easily disable both the leaker and the people who leaked.
Much more user-friendly than Apple's hide-my-email.
[1] https://www.coursera.org/about/cookies-manage
I've been on 1Password for years and am wondering if I'm missing anything.
Proton also has a separate 2fa totp app.
Best when paid for so you can do 2FA with TOTP codes!
"Forget Hackers! Phone Company Delivers Your Private Info—Including Your Home Address—Directly to Strangers!"
> I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works.
Tangential:
Sorry, you have been blocked You are unable to access fastpeoplesearch.com
(Safari on a stock iPhone, mobile broadband from the biggest and most well known telecom company in my country, ipv6 address.)
They even got my kids' social security numbers.
It was leaked through no fault of my own. There are 0 actual consequences to companies doing it. So what am I going to do - stew about it??
Does anyone still care?
I like how the Apple Password app informs you about Compromised Passwords so you can you know... go in and fix it, get a new password etc.
Nice little cute idea.
I got 717 warnings. Seven hundred seven teen.
No I will never be able to fix this
The one I use for random crap has 9 hits though.
but other than that I'm sure it's a good idea.
Reporting from the time seems to all be about one or multiple leaks/attacks involving:
- Credential stuffing with data from other breaches
- A leak of data (including email addresses) to "certain business partners" between April 9, 2020 and November 12, 2020.
On April 2, 2020 somebody logged in to my Spotify account (which had a very weak password) from a US IP address. This account used an email address only ever used to sign up to Spotify years earlier, and the account had been unused for years by that point. I changed the password minutes later. A few hours after that Spotify also sent an automatic password reset because of "suspicious activity". At no point have I ever been notified by Spotify that my data had been leaked, though it obviously had, and now said email finally shows up on HIBP.
There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the passwords it found. But I'm not going to reset 500+ passwords because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.
You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:
All of those passwords are unique and not used anywhere else. Everything else is in my password manager with a unique randomly generated password for each account. And for extra protection, I enable 2FA on any site that supports U2F/WebAuthn.

I used to reuse the same password for everything, and that led to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open Uber and see a ride actively in progress on the other side of the country. It was not fun.
That way the breach impact can quickly be limited.
Troy probably would share that information for a price. Not sure whom to pay though - the "good" guy who won't say a word, or a criminal who will happily share it with me?
It's possible the latter would be cheaper too.
Yes.
If it has, it is either a simple password that multiple people are using, or a complex secure password that can make you pretty confident it is your password that has been published.
1Password just does the same thing for all of your passwords - it doesn’t check against your account name either. That information isn’t stored so they can’t become a new source of breached accounts (as explained at the site).
It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.
It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.
Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.
If I follow the recommended best practice, I have a different password for every website or service. That could be hundreds of them. Am I supposed to rotate all of them every time there’s a breach?
No it doesn't. Enter <old email address> → 5 data breaches → first one says:
> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources
It doesn't tell me which site or which of the many passwords used together with that address. Just that it has been in a generic data dump.
Where? In what service? Did my password get leaked too? I can't change the password / delete the account if I don't know where.
Did any other data get leaked? Anything sensitive? Do I have to cancel my credit card? Were any files leaked as well? My home location?
At this point HIBP is next to useless.
And how showing me WHAT is in the database about the email I proved I own would be spreading it? At this point if I want to learn it I need to either try to find the torrent with it (spreading it further!) or pay the criminals.
I've got over 200 users in a domain search (edit: for this particular incident), and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.
password: 46,628,605
your password: 609
good password: 22
long password: 2
secure password: 317
safe password: 29
bad password: 86
this password sucks: 1
i hate this website: 16
username: 83,569
my username: 4
your username: 1
let me login: 0
admin: 41,072,830
abcdef: 873,564
abcdef1: 147,103
abcdef!: 4,109
abcdef1!: 1,401
123456: 179,863,340
hunter2: 50,474
correct horse battery staple: 384
Correct Horse Battery Staple: 19
to be or not to be: 709
all your base are belong to us: 1
> The websites the stealer logs were captured against are searchable via the HIBP dashboard.
There is no way to use the HIBP dashboard to figure out what domains my email address appears against.
Am I meant to change all passwords associated with that email address? Or do I need to get a paid subscription to query the API to figure out exactly what password(s) to change?
This has always confused me. On the one hand, HIBP is an invaluable service, but, on the other, it does nothing more than stating you’re in trouble, with no clear way forward.
This service is toxic tbh.
https://haveibeenpwned.com/API/v3
I know roughly what passwords were exposed because either I remember it, or the date of the leak or the associated email.
I know simple passwords are almost public and that leaks of say linkedin will be properly hashed, while a vb forum from 2006 might not be.
I guess what I want to say is beware that even something as innocuous as an email being leaked can cause problems, and make sure you delete any unused addresses from your accounts!
If either ever stop period, especially one day to the next, FML...
* blackmail the account owner
* make up an illness, create a donation page and get all their friends to donate
* find all connections over a certain age and disguise a phishing vector as literally anything!
* so many more
Is there a way around this?
Edit: to answer my own question, I should read a bit more rather than click on the first link, the answer is here:
https://haveibeenpwned.com/API/v3?ref=troyhunt.com#PwnedPass...
Which uses:
https://en.wikipedia.org/wiki/K-anonymity
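The point made in the two comments above (1Password checks passwords without ever sending the account name, and the Pwned Passwords API uses k-anonymity) comes down to a simple client-side protocol: hash the password with SHA-1, send only the first 5 hex characters of the hash, and compare the returned list of suffixes locally. The following is an added example written for this page, not code from HIBP or 1Password. The response body it checks against is a constructed sample (the counts in it are made up), and `fetch_range_http` is included only to show the real request shape; it is never called here, so the example runs offline.

```python
"""Client side of the Pwned Passwords k-anonymity range query (added example)."""
import hashlib
import urllib.request

# Real endpoint shape: GET https://api.pwnedpasswords.com/range/<5-hex-char prefix>
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password, upper-case hex (the encoding the API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    return hash_hex[:5], hash_hex[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0) are kept as 0 so a
    lookup of a padded suffix still reports 'not seen'."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if never seen.
    fetch_range(prefix) -> response body text, injected so this runs offline."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live fetch (not exercised here). Add-Padding asks the server to pad the
    response with dummy entries so the response size leaks nothing."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
# The second line is the real suffix of SHA-1("password"); the counts are made up.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
        "2A5C8DEADBEEF00000000000000000000001:0\n"   # padding-style entry
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for fetch_range_http using the constructed sample above."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times")
```

To query the live service, pass `fetch_range_http` instead of `fake_fetch_range`; the server never receives the password, the full hash, or any account name, which is why neither HIBP nor a password manager using this API can become a new source of email-to-password pairs.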
As with roughly a quarter of the planet, I was in this breach. My 1Password Watchtower is green. I cycle important passwords regularly. Back 10-15 years ago my passwords like most peoples were much shorter and not randomly generated. All of them for everything show up in the passwords search.
The utility of Have I Been Pwned approaches zero the longer you have been on the internet, and I have been on the internet since the late 1990s.
We're left in a place where everyone but the victim knows the compromised account, and that's just kind of absurdly useless.
I mean if your 1Password is green then HIBP has definitely helped.
First of all, without HIBP, you wouldn't have Watchtower.
HIBP has raised awareness on having unique passwords per site.
HIBP has achieved that multiple services now can and do check if a particular password is leaked or not.
Of course you could argue that since your security hygiene is so good you don't need HIBP. True. Let's pretend every person on the planet will be generating unique passwords per service. Great. HIBP will have achieved the enormous job of making the planet more secure.
And still a notification if you appear in some breach that can be attributed to a service - good signal to change password.
Hats off to you for cycling passwords. Have you ever run into problems with that? Say you rotated a password but it is no longer accepted or something?
Speaking as someone who has had companies give away my PII and then other companies open accounts with it without contacting me until bills are due.
None of this should be the fault of innocent individuals.