by gkafkg8y8 3489 days ago
I used to be somewhat interested by stats on passwords, etc. from breach data dumps.

haveibeenpwned is a helpful and legit site, though I think it should have used email confirmation instead of requiring only an email address.

I also respect Troy along with many other security researchers. Even those that are up to no good in the security world in some ways have contributed good things; after all, the rest of us are stronger and more vigilant now than we used to be because of their work.

However, this anonymized data will almost certainly be used by black hats more than white hats, and I don't see how this release is good for the majority of those that were affected by these breaches.

3 comments

It does require email confirmation before showing "sensitive" data, like if an email was in the Ashley Madison or AdultFriendFinder breaches.
Which in and of itself is silly. The raw dumps are already available to everyone, blackhats included. Personally I'm tempted to make a site that just lists it by domain and stuff. I found several people at my company with Ashley Madison accounts using a quick grep.
Even so, raising the barrier of entry to this data will prevent some people from casually looking up their peers. It's worth doing.
Casually looking up your peers is exactly what you should be doing in my opinion. But I'm not a good person and I'd rather see details like that plastered everywhere. Be an idiot, get what you deserve.
I have a 2004 Gmail account which people like to use as a fake email address when signing up to things. So my address is in the Ashley Madison leak. This is not something I'm comfortable with people knowing without context, so even if it was a policy of "play stupid games, win stupid prizes" I'd get harmed.
You must be a blast to work with.
I'm with you that haveibeenpwned should require email confirmation before listing the breaches an email address was in. As it is, it has become an easy-to-use dictionary of places to find personal data for any given email address. Yes, it doesn't list the breaches that Troy has deemed "sensitive", but if you're trying to commit identity theft or fraud using personal data, it doesn't really matter if these search results don't include websites that deal with porn/adultery/children.

Doubtless there are black-market tools that provide such a service but expose far more data, but haveibeenpwned lowers the barrier to entry significantly by being far more available to the public.

How will black hats use the data?