by heroprotagonist 2756 days ago
In other words, they have publicized the existing tool to make it available to a broader audience without adding anything on top to improve its security. They're both in the wrong on this.

The argument of "Others are being irresponsible, so we should be irresponsible as well" does not stand up very well.

The only valid use case for providing this information is for when a user no longer has access to the email address in question.

In this case, they should still require it to be sent via email, and they should still send a notification to the email address being requested which includes details about the request like the IP it is made from and the email it would forward to, perhaps with a delay-and-prevent option so that someone who still owns the email can prevent the exfiltration by responding to the notice quickly.

Otherwise, this enables anyone to solicit unauthorized PII data about basically anyone else from Mozilla.

Even HIBP somewhat acknowledge the potential damage this can do, from the way they censor some results like the Ashley Madison data breach. They've made the decision that some personal information linked to a person's email address is more worthy of protection than other bits of personal information, which really shouldn't be up to them.

They get away with it because of weak data protection laws and the fact that this caters to individual users who are more likely to opt themselves out if they become aware of it than to file a lawsuit or otherwise apply pressure to make them change.
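
The delay-and-prevent flow proposed in the comment above, sketched as an added example (not part of the original comment and not Mozilla's or HIBP's code). The class and field names and the 72-hour hold are assumptions; the comment gives no hold length.

```python
import hmac
import secrets
from dataclasses import dataclass

HOLD_SECONDS = 72 * 3600  # assumed hold window; the comment does not specify one


@dataclass
class PendingRequest:
    target_email: str   # address whose breach report is being requested
    forward_to: str     # address the report would be emailed to
    requester_ip: str
    release_at: float
    veto_token: str
    state: str = "pending"  # pending -> vetoed | released


class DisclosureQueue:  # hypothetical name, for illustration only
    def __init__(self):
        self._requests = {}

    def submit(self, target_email, forward_to, requester_ip, now):
        """Queue a request; return (request_id, notice to send to the target address)."""
        req_id = secrets.token_hex(8)
        req = PendingRequest(target_email, forward_to, requester_ip,
                             now + HOLD_SECONDS, secrets.token_urlsafe(32))
        self._requests[req_id] = req
        notice = {"to": target_email, "request_id": req_id,
                  "requester_ip": requester_ip, "forward_to": forward_to,
                  "veto_token": req.veto_token, "release_at": req.release_at}
        return req_id, notice

    def veto(self, req_id, token, now):
        """The owner of the target address cancels the request before release."""
        req = self._requests.get(req_id)
        if req is None or req.state != "pending" or now >= req.release_at:
            return False
        if not hmac.compare_digest(req.veto_token.encode(), token.encode()):
            return False
        req.state = "vetoed"
        return True

    def release_due(self, now):
        """Return (forward_to, target_email) pairs whose hold expired without a veto."""
        due = []
        for req in self._requests.values():
            if req.state == "pending" and now >= req.release_at:
                req.state = "released"
                due.append((req.forward_to, req.target_email))
        return due
```

Nothing is returned to the requester at submit time: the only outputs are the notice sent to the target address and, after the hold, the report emailed to `forward_to`.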