[jimmar]

I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data knows what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what password were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."

There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the password it found. But I'm not going to reset 500+ password because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

[craftkiller]

> there does not seem to be any way for _me_, the person affected, to know what password were breached

You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:

  1. The password to my password manager
  2. The password to my gmail account
  3. The passwords for my full disk encryption

All of those passwords are unique and not used anywhere else. Everything else is in my password manager with a unique randomly generated password for each account. And for extra protection, I enable 2fa on any site that supports u2f/webauthn.

I used to reuse the same password for everything, and that lead to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open uber and see a ride actively in-progress on the other side of the country. It was not fun.

[taftster]

Yes! Me too. Not adding anything here except a confirmation on the above approach. You kind of need your email password as a "break glass" scenario. But mostly, you just need your password manager.

[DaSHacka]

and root disk encryption, unless you have some alternative method set up.

[imp0cat]

That's the default in this day and age, no?

[taftster]

I mean, probably should be. But for me, no. Well, not my personal computer anyway. That's a mistake, I know. But corporate computer yes.

So no, I don't think "in this day and age" necessarily. And I believe that the vast majority of "normal" users don't do full drive encryption either. But yes, we should.

[akerl_]

Last I looked, windows and Mac installs both push the user to set up bitlocker or FileVault, respectively. You have to actively say no if you don’t want it.

[taftster]

I deliberately dodged there, as you noted. I do not have full disk encryption setup. I know that I'm probably have a very bad day if I come to lose my laptop, etc. I should do this, no doubt.

But I'm not sure. While maybe good password management is starting to soak into common computer usage, I don't think disk encryption is all that common just yet across the average user. It should be. But the average user is just moving to their phone anyway, with face id and encryption by default, instead of maintain their own personal device.

Corporate devices seem to be a bit better in this regard, though.

[subscribed]

Nice. Now I'd like to know WHICH password got leaked.

That way the breach impact can quickly be limited.

Troy probably would share that information for a price. Not sure whom to pay though - the "good" guy who won't say a word, or a criminal who will happily share it with me?

It's possible the latter would be cheaper too.

[Jaxan]

They don’t store email addresses with password in the database. That would be way too risky. These are separate databases, so you can lookup your email address, and separately check a password.

[cestith]

I think for passwords they only store a hashed version.

[tengwar2]

Also if possible, use a unique email address for each site. I know that's not feasible for most people, and some sites (e.g. LinkedIn) are structured so that email addresses become linked, but it does provide useful isolation.

[elzbardico]

> It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

Yes.

[NetMageSCW]

If you read the instructions, you will discover https://haveibeenpwned.com/Passwords which will let you enter a password and securely check if it has been published in a breach.

If it has, it is either a simple password that multiple people are using, or a complex secure password that can make you pretty confident it is your password that has been published.

1Password just does the same thing for all of your passwords - it doesn’t check against your account name either. That information isn’t stored so they can’t become a new source of breached accounts (as explained at the site).

[donatj]

Letting me check my passwords one at a time is like letting me check my grains of rice individually for poison before eating.

[jve]

Use a tool

https://monitor.mozilla.org/

https://watchtower.1password.com/

https://bitwarden.com/help/reports/#exposed-passwords-report

[Jaxan]

There is also an API

[fckgw]

The problem with breaches like the latest data set is that there's no source on where the breach came from, it's an aggregate from multiple breaches. They can't tell you that info because it's not in the initial data set.

[pessimizer]

> But the site does not give me any way to take action.

It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.

It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.

Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.

[froddd]

Change the password for what account though? The dashboard doesn’t seem to list the actual website(s ) linked to the email/password breached, so how am I to know which password to rotate?

If I follow the recommended best practice, I have a different password for every website or service. That could be hundreds of them. Am I supposed to rotate all of them every time there’s a breach?

[seb1204]

You buy you email in and then the result it a website that got breached. Together this should give you enough information.

[the8472]

> It does give you an awful lot of information about the specific hacks

No it doesn't. Enter <old email address> → 5 data breaches → first one says:

> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources

It doesn't tell me which site or which of the many passwords used together with that address. Just that it has been in a generic data dump.

[subscribed]

So it gives me the information that my email has been exposed.

Where? In what service? Did my password got leaked too? I can't change password / delete the account if I don't know where.

Did any other data got leaked? Anything sensitive? Do I have to cancel my credit card? Were any files leaked as well? My home location?

At this point HIBP is next to useless.

And how showing me WHAT is in the database about the email I proved I own would be spreading it? At this point if I want to learn it I need to either try to find the torrent with it (spreading it further!) or pay the criminals.

[Jaxan]

Btw they are not storing more info along the email address, because that would be way too risky. Just imagine the HIBP database being leaked.

Also, they don’t always know where your info has leaked. Some datasets are aggregates.

[seb1204]

This information is given for each of the leaked incidents. Troy also explains this in his blog post.

[technion]

At one point I responded to a haveibeenpwned notice by immediately having the user reset a password.

I've got over 200 users in a domain search (edit: for this particular incident), and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.

[kbrkbr]

Same here: reset on first beach (ROFB), but on subsequent ones only if it is no collection, eg a new infostealer breach.

[junon]

https://haveibeenpwned.com/Passwords

[the8472]

This doesn't help. If the email address check says the address has been exposed it doesn't tell you which password that was used together with that has been exposed. Was it one from 10 years ago you don't even remember? Or that's still actively in use? Which one of my hundreds of passwords?

[Thorrez]

You can use the API to check all of your passwords. Then you'll know the security state of all of your passwords.

https://haveibeenpwned.com/API/v3

[the8472]

Doesn't help. Some accounts are old and may not be in my current PW DB. Or they were memorized, or forgotten.

If the thing suggests the EMAIL (+ associated password) has been compromised for some unknown account then to do a risk assessment I would have find which account it belongs to, not which currently-in-use passwords match the same datasets.

Those are different queries, providing different bits of information.

[Thorrez]

Here's what I'm suggesting: query all your current passwords against the password API. Then you'll know which of your current password are compromised. Change them.

You don't need to query old passwords, only current passwords. If you're talking about accounts that you've forgotten the password to: then do you care about those accounts? If yes, probably best to do a password reset and set a new password. If you don't care about the account, then why bother?

As for why HIBP doesn't provide an API linking passwords to emails: HIBP has no database that links passwords and emails. So they can't provide any way to query that. They don't want to be in the business of linking passwords to emails.

[ekjhgkejhgk]

Of course it helps.

How's this for making it actionable:

Regardless of whether or not someone can associate it with your email, if your password has been seen in the wild, change it.

There you go.

[junon]

It doesn't matter, don't use passwords that have been compromised. Period.

[AlienRobot]

my password: 2,408

password: 46,628,605

your password: 609

good password: 22

long password: 2

secure password: 317

safe password: 29

bad password: 86

this password sucks: 1

i hate this website: 16

username: 83,569

my username: 4

your username: 1

let me login: 0

admin: 41,072,830

abcdef: 873,564

abcdef1: 147,103

abcdef!: 4,109

abcdef1!: 1,401

123456: 179,863,340

hunter2: 50,474

correct horse battery staple: 384

Correct Horse Battery Staple: 19

to be or not to be: 709

all your base are belong to us: 1

[latexr]

Spaces are skewing the numbers lower. Remove them from any of those and see the number increase at least an order of magnitude. That “let me login” goes from 0 to 4,714 just by removing spaces (“letmelogin”).

[AlienRobot]

I guess this means passwords with spaces are safer!

[neogodless]

correcthorsebatterystaple (no spaces) 4,163

[e12e]

Password2020: 109,729

Edit:

louvre: 7,219

[zahlman]

> all your base are belong to us: 1

Only 1, really?

[Sohcahtoa82]

Because of the spaces.

Without spaces, it's 681.

[bdcravens]

I was trying random phrases just out of curiosity, and couldn't help but chuckle when it said "epsteinfiles" wasn't found :-)

[karencarits]

One possible solution could be to give you an option to send the affected password as a list to the mail address you specify, then only people with access to that mail address will see them

[bobmcnamara]

Hash of the affected password? People share these things and don't always run their own mail servers.

[elwebmaster]

That would be a great idea!

[froddd]

The details about the “Stealer Logs” on the dashboard even state:

> The websites the stealer logs were captured against are searchable via the HIBP dashboard.

There is no way to use the HIBP dashboard to figure out what domains my email address appears against.

Am I meant to change all passwords associated with that email address? Or do I need to get a paid subscription to query the API to figure out exactly what password(s) to change?

This has always confused me. On the one hand, HIBP is an invaluable service, but, on the other, it does nothing more than stating you’re in trouble, with no clear way forward.

[subscribed]

It's quite certainly a up selling attempt. I once spend a couple of hours to see what was actually exposed in the infostealer breach my email appeared (eg: payment data? Physical address? Government id ?) to no avail.

This service is toxic tbh.

[Thorrez]

The API is free.

https://haveibeenpwned.com/API/v3

[subscribed]

Respectfully, in context of my claim (that this is upselling attempt), your answer is untrue.

"You need an active subscription in order to provision an API key".

This is minimum $4.50 pm. Of course it's not a lot but let's not move the goalposts by discussing whether it's a fair price or not.

I don't want to say it's a lie, because I assume you didn't know.

API is a paid service, not free.

Separately, if I open the dashboard link while being logged out, the Web page promises:

"viewing stealer log entries that captured your email address"

Needless to say, this is also false (maybe true with a paid subscription?). If I click on the Stealer Logs in the dashboard it only shows "discord.com" (old account I used with this email was deleted years ago), and nothing else. Even though Breaches suggests there's something else.

This is not "logs" by any stretch of imagination.

[Thorrez]

You don't need a paid subscription. The API is free.

https://haveibeenpwned.com/API/v3

[froddd]

The API is not free.

https://haveibeenpwned.com/API/v3#Authorisation

[Thorrez]

Only if you want to search by account. If you want to search by password, it's free. You can query all your passwords to see which ones are breached, and change those.

> Authorisation is required for all APIs that enable searching HIBP by email address or domain, namely retrieving all breaches for an account, retrieving all pastes for an account, retrieving all breached email addresses for a domain and retrieving all stealer log domains for a breached email addresses. There is no authorisation required for the free Pwned Passwords API.

And searching by account wouldn't tell you anything useful. It would just say "Synthient Credential Stuffing Threat Data". It wouldn't tell you what password to change, because HIBP doesn't know what site the password(s) that it found in "Synthient Credential Stuffing Threat Data" were associated with, and HIBP doesn't maintain a database linking passwords to emails.

[froddd]

The only part of the API that is free is the passwords API, which would not help for this use case.

Every other endpoint requires a subscription. This is very far from “The API is free”.

> searching by account wouldn't tell you anything useful

The API can return the domains listed in stealer logs for a specific email address: https://haveibeenpwned.com/API/v3#StealerLogsForEmail

[Thorrez]

Sorry, I missed that you were talking about stealer logs. This specific credential dump of 2B emails wasn't a stealer log, so stealer log info will not tell you anything about this specific credential dump.

You're right that the API for stealer log info isn't free.

However, the dashboard can provide you information about stealer logs for free.

https://haveibeenpwned.com/Dashboard#StealerLogs

[chinathrow]

Yeah and I am confused by his new setup private vs business. I got that mail too but can simply not see what addresses were affected by that breach.

[TZubiri]

What? You expect the guy to tell you your password? Lol, lmao even.

I know roughly what passwords were exposed because either I remember it, or the date of the leak or the associated email.

I know simple passwords are almost public and that leaks of say linkedin will be properly hashed, while a vb forum from 2006 might not be.