[pessimizer]

> But the site does not give me any way to take action.

It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.

It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.

Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.

[froddd]

Change the password for what account though? The dashboard doesn’t seem to list the actual website(s ) linked to the email/password breached, so how am I to know which password to rotate?

If I follow the recommended best practice, I have a different password for every website or service. That could be hundreds of them. Am I supposed to rotate all of them every time there’s a breach?

[seb1204]

You buy you email in and then the result it a website that got breached. Together this should give you enough information.

[the8472]

> It does give you an awful lot of information about the specific hacks

No it doesn't. Enter <old email address> → 5 data breaches → first one says:

> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources

It doesn't tell me which site or which of the many passwords used together with that address. Just that it has been in a generic data dump.

[subscribed]

So it gives me the information that my email has been exposed.

Where? In what service? Did my password got leaked too? I can't change password / delete the account if I don't know where.

Did any other data got leaked? Anything sensitive? Do I have to cancel my credit card? Were any files leaked as well? My home location?

At this point HIBP is next to useless.

And how showing me WHAT is in the database about the email I proved I own would be spreading it? At this point if I want to learn it I need to either try to find the torrent with it (spreading it further!) or pay the criminals.

[Jaxan]

Btw they are not storing more info along the email address, because that would be way too risky. Just imagine the HIBP database being leaked.

Also, they don’t always know where your info has leaked. Some datasets are aggregates.

[seb1204]

This information is given for each of the leaked incidents. Troy also explains this in his blog post.