by ano-ther 620 days ago
> the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service

Do they? Why?


Proves they really did hack something. There's other sites where hackers register defacements etc.
If Troy authenticates the data, they can use that as an 'endorsement' when trying to sell it.
This. Typically HIBP attribution includes the email of the "submitter". Various data aggregators will contact them and buy the stolen data. Everybody wins*.

* Exceptions apply.

Where on HIBP can I see the email of the submitter?
It's not available in this case, or every case. When available, you can search "The data was provided by" in https://haveibeenpwned.com/PwnedWebsites
Thanks! Slight correction: only 2 breaches say "provided by" with a source, but a ton of breaches say "provided to" HIBP with a source.
Is there a way to modify the HIBP reporting process to avoid aiding the sale of stolen data?
Doesn't the value drop dramatically if it has already been shared with Troy and the HIBP database? Or is there a time frame where it has been authenticated by Troy but not yet added to the database?
I don't think so.

Troy isn't publicly sharing the credentials and that's what's valuable — especially having "exclusive" access.

He blogged or tweeted about this at some point. Sadly, I can't find the link.

Anyone who buys it or finds it in the wild can also upload it.