by Nextgrid 2220 days ago
For the people that use unique per-merchant e-mail addresses (like someone+amazon@...), could you try some of those aliases on HaveIBeenPwned and see which ones come up in this breach? That might shed some light on its origin.
16 comments

BTW, since many people don't seem to be aware of this: If you have your own domain, you can get informed by haveibeenpwned automatically if any mail address from that domain is in a breach. All that is required is that you're reachable on that domain through an address like 'postmaster'. This feature can be found under 'domain search'. Since I use a new address for pretty much anything this is very handy.
I have a large list of unique emails to test, but they are not from a domain I control. It seems that I can test these through the API, but is there any simpler way? I tried obvious things like putting a list of comma-separated email addresses in the search form, but it doesn't work.
Kinda lets adversaries figure which account used which password from which breach and until which point
Unfortunately, it no longer seems to list the impacted email addresses in those domains that have been compromised, so it's not too useful.
I've found it does list them if you request the full report, but that the initial email doesn't. (note the last time I used this functionality was about 3 weeks ago, I accept it may have changed since then)
Wow, thanks, I've never used the notification alert service since I use a custom email for every site I sign up for.

That's cool, thanks!

Wow, thanks so much, that's really helpful!
That's a brilliant tip, thank you!
I am listed, but it's an address that was never used to register or subscribe to anything online. It's also under a year old.

It must've been vacuumed up from other people's contact or email data.

Or from the email provider, if it's not your own server.

I know that e.g. GMX has had a leak at some point (or sold data), as an email I created there ages ago was used in phishing. Okay, that's lame, but they've also used the fake name I had given to GMX, spelled perfectly. I've never used that name anywhere when signing up, so it must come from the database.

I use a private email server.
For me, the HaveIBeenPwned domain search only lists one item in this breach: my LinkedIn@... email. Searching my inbox shows that the only emails sent to that address are from LinkedIn, so it probably came from a company I sent a job application (LinkedIn Easy Apply) to at some point.
This. My e-mail in the breach is a LinkedIn specific email. It has to be part of the clue to attribution. Social media scraping, possibly from multiple sources seems to be more likely than another LinkedIn breach.
I use unique emails. My record in this breach is just a generic "contact@" address.
Could it be from whois data? Seems like a reasonable place for which to submit such a generic address.
Or could be the spammers sanitized them.
How would they know which to sanitize???
I use the format you mention for almost everything, but my email address in this breach is one I haven't used in something like ten years.
HaveIBeenPwned now has a feature to find e-mail addresses which were breached under a domain; there is normally no need to search for separate aliases if you own the e-mail domain.

https://haveibeenpwned.com/DomainSearch

Unfortunately the email notifications don't tell you WHICH email addresses leaked.
Yes they do, you just have to click the link in the email and request the full report
Does hibp know enough about the regular providers such as gmail that support this, to be able to attribute someone+amazon@gmail.com with someone@gmail.com?
That was my first thought, I also use "company@mydomain" sometimes. Too many to go through... if only I could get hold of my record....
I believe HIBP offers domain admins a way to get all their pwned users after domain verification.
Instructions are on this page: https://haveibeenpwned.com/DomainSearch
For people who care, it uses reCAPTCHA. I stopped there.
Thanks for saving me a click. No desire to play "guess how many minutes I'll have to spend clicking sidewalks" today.
If it takes you minutes to solve a recaptcha your problem might not be the recaptcha...
That's really useful info, thanks. I'll check it out this weekend.
I follow this pattern exclusively, though I haven't actually received any recent HIBP notifications. I'll do a manual check.

Edit: three personal domains registered nothing. One corporate domain registered a double digit hit. If I discern any clues I'll get back to the thread.

I'm waiting for Firefox Relay to become available just to better control who has my email address and the flow of emails, but I'm worried it will make the task more difficult to follow breaches.

Maybe Mozilla could partner with HaveIBeenPwned to help dealing with that?

Remember that once you try an email on a service like that, it’s no longer unique to the merchant.
If hibp started using something that guarantees k-anonymity when checking for an email, like their password service does[1], then I think it'd be possible to keep the email unique.

1: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
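The k-anonymity model the comment above points to is the Pwned Passwords range API: the client hashes the secret locally (SHA-1, upper-case hex), sends only the first five hex characters to `https://api.pwnedpasswords.com/range/{prefix}`, receives every suffix in that bucket with its breach count, and does the final match itself, so the service never learns which secret was queried. The block below is an added illustration, not code from the thread or from HIBP. The `SIMULATED_CORPUS` and `simulated_range_endpoint` are a constructed offline stand-in for the server that mirrors the response format; `fetch_range_from_api` talks to the real endpoint but is not exercised here. The same client routine applied to an e-mail string is the commenter's proposal, not something the e-mail search offers.

```python
import hashlib
import urllib.request
from collections import Counter
from typing import Callable


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1, the hash form the Pwned Passwords range API uses."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the server-side corpus: (value, breach count).
# Made-up entries used only to simulate the service offline.
SIMULATED_CORPUS = Counter({
    "password123": 3,
    "letmein": 2,
    "correct horse battery staple": 1,
})


def simulated_range_endpoint(prefix: str, corpus: Counter = SIMULATED_CORPUS) -> str:
    """Simulates GET /range/{prefix}: returns 'SUFFIX:COUNT' lines (CRLF
    separated, like the real API) for every corpus hash whose first five hex
    characters equal the prefix. The server only ever sees the prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    lines = []
    for value, count in corpus.items():
        digest = sha1_hex(value)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(sorted(lines))


def fetch_range_from_api(prefix: str) -> str:
    """Real fetcher for the public range endpoint (network access required;
    the API rejects requests without a User-Agent). Not used by the offline demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "k-anon-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def k_anon_lookup(secret: str, fetch_range: Callable[[str], str]) -> int:
    """Client side of the protocol: hash locally, send only the 5-char prefix,
    scan the returned suffixes locally. Returns the breach count for `secret`,
    or 0 when its suffix is absent from the bucket."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def lookup_with_audit(secret: str) -> tuple:
    """Runs a lookup against the simulated server and records exactly what
    crossed the wire, so the caller can confirm only the prefix was sent."""
    sent = []

    def audited_fetch(prefix: str) -> str:
        sent.append(prefix)
        return simulated_range_endpoint(prefix)

    return k_anon_lookup(secret, audited_fetch), sent


if __name__ == "__main__":
    for candidate in ("password123", "letmein", "never-seen-anywhere-7x"):
        count, sent = lookup_with_audit(candidate)
        print(f"{candidate!r}: count={count}, sent to server={sent}")
```

Every bucket covers 2^20 of the 2^160 hash space, so the prefix alone tells the server nothing usable about which member of the bucket was looked up; the trade-off is that each query downloads the whole bucket (several hundred lines for the real corpus).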

So many things disallow + in email addresses I don't even bother any more.
All services so far seem to accept dots, but the number of possible dot arrangements can be quite limited, and it is a pain to actually use (figure out next one to use, figure out associated service from dot arrangement, etc).
Gmail won't let you put anything arbitrary with dots. So if you're whatever@gmail.com you can use what.ever@gmail.com but not whatever+somemerchant@gmail.com. Other email systems obviously can work however they want.
Or accepts it at account creation, but not at login!
My gmail is on it, but not my burner-domain. So either the data is old (year or two), or they got my gmail from somewhere else.

I'd be interested to see the whole dump to see my full record...

a year is not "old"
It's got my generic one (firstname@), and an older Facebook login email address (facebook@, changed now since Kickstarter leaked that one). Interesting.
I did, and I usually use site specific emails (e.g. amazon@username) but it found my "generic" firstname@username email... So no insights there.
I suspect that Troy Hunt would have noticed if there were many emails with "+someservice" in the dump since he can easily dump them all.
Not sure of this, because I assume only a tiny fraction of people do this, and those who do probably aren't consistent. E.g. for Amazon Prime, some might use "+amazon-prime", some "+amazonprime", some "+amazon" etc., so there would be very few overall repetitions even in a large data set.
Right but grepping for "+" in emails is also high on the list of things I'd do to identify an unknown information dump. Given that he's used to dealing with those I'd be surprised if he hadn't thought of that, although it probably doesn't hurt asking him if he did try it.
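Two things come up repeatedly in this thread: mapping a dotted or "+tag" alias back to the mailbox it actually delivers to (the someone+amazon@gmail.com vs someone@gmail.com question, and Gmail's dot-insensitivity), and counting "+something" tags across a dump to guess where it came from. The block below is an added example written for this page, not code from the thread or from HIBP. It assumes only gmail.com and googlemail.com ignore dots in the local part, treats "+" as the sub-address separator, and runs over a constructed `SAMPLE_DUMP` of made-up addresses.

```python
from collections import Counter
from typing import Iterable

# Assumption: only these domains ignore dots in the local part (Gmail documents
# this; googlemail.com is its alias domain). Other providers keep dots significant.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
SUBADDRESS_SEPARATOR = "+"  # the "someone+amazon@" convention discussed in the thread


def split_address(address: str) -> tuple:
    """Return (base_local, tag, domain); tag is '' when no sub-address is present.
    Raises ValueError for strings without a usable local part and domain."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    base, _, tag = local.partition(SUBADDRESS_SEPARATOR)
    return base, tag, domain.lower()


def canonicalize(address: str) -> str:
    """Map an alias to the mailbox it reaches: strip the +tag, lower-case,
    and drop dots only for providers known to ignore them."""
    base, _tag, domain = split_address(address)
    base = base.lower()  # assumption: local part treated case-insensitively
    if domain in DOT_INSENSITIVE_DOMAINS:
        base = base.replace(".", "")
    return f"{base}@{domain}"


def group_aliases(addresses: Iterable[str]) -> dict:
    """Group dump rows by the mailbox they deliver to, so one person's
    per-merchant aliases end up together for review."""
    groups: dict = {}
    for address in addresses:
        try:
            groups.setdefault(canonicalize(address), []).append(address)
        except ValueError:
            continue  # skip malformed rows instead of aborting the scan
    return groups


def tag_histogram(addresses: Iterable[str]) -> Counter:
    """Count sub-address tags (lower-cased) across a dump: the '+tag'
    frequency check the thread suggests for attributing a breach's origin."""
    counts: Counter = Counter()
    for address in addresses:
        try:
            _base, tag, _domain = split_address(address)
        except ValueError:
            continue
        if tag:
            counts[tag.lower()] += 1
    return counts


# Constructed sample rows; none of these are real breach data.
SAMPLE_DUMP = [
    "Some.One+amazon@Gmail.com",
    "someone+linkedin@gmail.com",
    "s.o.m.e.o.n.e@gmail.com",
    "contact@example.org",
    "alice+amazon@example.net",
    "bob+amazonprime@example.net",
    "not an address",
]


if __name__ == "__main__":
    for mailbox, aliases in group_aliases(SAMPLE_DUMP).items():
        print(mailbox, "<-", aliases)
    print(tag_histogram(SAMPLE_DUMP).most_common())
```

As the thread notes, inconsistent tag spellings ("+amazon" vs "+amazonprime") fragment the histogram, so it is a hint about origin rather than proof; normalising tags further (e.g. stripping hyphens) is a judgement call that this example leaves to the reader.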