Hacker News new | ask | show | jobs
by froddd 221 days ago
The details about the “Stealer Logs” on the dashboard even state:

> The websites the stealer logs were captured against are searchable via the HIBP dashboard.

There is no way to use the HIBP dashboard to figure out what domains my email address appears against.

Am I meant to change all passwords associated with that email address? Or do I need to get a paid subscription to query the API to figure out exactly what password(s) to change?

This has always confused me. On the one hand, HIBP is an invaluable service, but, on the other, it does nothing more than stating you’re in trouble, with no clear way forward.
2 comments
subscribed 221 days ago
It's quite certainly a up selling attempt. I once spend a couple of hours to see what was actually exposed in the infostealer breach my email appeared (eg: payment data? Physical address? Government id ?) to no avail.

This service is toxic tbh.

link
Thorrez 221 days ago
The API is free.

https://haveibeenpwned.com/API/v3

link
subscribed 218 days ago
Respectfully, in context of my claim (that this is upselling attempt), your answer is untrue.

"You need an active subscription in order to provision an API key".

This is minimum $4.50 pm. Of course it's not a lot but let's not move the goalposts by discussing whether it's a fair price or not.

I don't want to say it's a lie, because I assume you didn't know.

API is a paid service, not free.

Separately, if I open the dashboard link while being logged out, the Web page promises:

"viewing stealer log entries that captured your email address"

Needless to say, this is also false (maybe true with a paid subscription?). If I click on the Stealer Logs in the dashboard it only shows "discord.com" (old account I used with this email was deleted years ago), and nothing else. Even though Breaches suggests there's something else.

This is not "logs" by any stretch of imagination.

link
Thorrez 221 days ago
You don't need a paid subscription. The API is free.

https://haveibeenpwned.com/API/v3

link
froddd 221 days ago
The API is not free.

https://haveibeenpwned.com/API/v3#Authorisation

link
Thorrez 221 days ago
Only if you want to search by account. If you want to search by password, it's free. You can query all your passwords to see which ones are breached, and change those.

> Authorisation is required for all APIs that enable searching HIBP by email address or domain, namely retrieving all breaches for an account, retrieving all pastes for an account, retrieving all breached email addresses for a domain and retrieving all stealer log domains for a breached email addresses. There is no authorisation required for the free Pwned Passwords API.

And searching by account wouldn't tell you anything useful. It would just say "Synthient Credential Stuffing Threat Data". It wouldn't tell you what password to change, because HIBP doesn't know what site the password(s) that it found in "Synthient Credential Stuffing Threat Data" were associated with, and HIBP doesn't maintain a database linking passwords to emails.

link
froddd 221 days ago
The only part of the API that is free is the passwords API, which would not help for this use case.

Every other endpoint requires a subscription. This is very far from “The API is free”.

> searching by account wouldn't tell you anything useful

The API can return the domains listed in stealer logs for a specific email address: https://haveibeenpwned.com/API/v3#StealerLogsForEmail

link
Thorrez 220 days ago
Sorry, I missed that you were talking about stealer logs. This specific credential dump of 2B emails wasn't a stealer log, so stealer log info will not tell you anything about this specific credential dump.

You're right that the API for stealer log info isn't free.

However, the dashboard can provide you information about stealer logs for free.

https://haveibeenpwned.com/Dashboard#StealerLogs

link