by huggingmouth 1253 days ago
Wouldn't bad actors just push their fake email addresses to haveibeenpwned in fake leaks? Steps:

1- Periodically set up a legitimate-looking service, possibly proxying real services.
2- Wait a year or two for your fake service to permeate throughout the www and for search engines to index it.
3- Mix your bot email addresses with legitimate, previously pwned addresses.
4- Proclaim "woe is me, for thyself hath been pwned".

You can set up this process so that you can inject a couple of 100k bot email addresses periodically every couple of months.

This is an incredibly shortsighted idea with the potential to hurt a lot of innocent people.

2 comments

It is going to happen, and some people will make money off it by farming such addresses, but it raises the time and the cost to obtain a plausible email address for fraud.
At that point you'd be better off making those emails and signing up to a bunch of services. Bot emails aren't fresh for 2 years, and if they are somebody isn't doing their job properly.
I think the point is bot emails shouldn't be fresh.

Same way some people just set up businesses with random names in tax-shelter territories and sell the company 10 years later to add a sense of legitimacy.