"Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed?"
Maybe it isn't needed
Originally HIBP and other websites used data breach dumps to solicit further data collection^1, e.g., with a fear-based, clickbaity title like "Have I been pwned?"
Maybe HIBP serves the author, maybe that's why it's "needed"
For example, it brings him notoriety
For example, he can promote his other cybersecurity website via HIBP and paid speaking engagements
The author has expressed dissatisfaction that companies are being penalised for data breaches through class action litigation, including any compensation users might receive as part of these settlements
He believes there is no user injury
https://www.troyhunt.com/data-breaches-class-actions-and-amb...
If that's his position, if he believes users are unharmed by data breaches, then what's the point of HIBP
Is it to support the companies who are collecting data and then being breached (not the users to whom the data belongs)
1. Data collection being the root cause of the data breach problem
2. He validates the breaches through a network of volunteers who check if the credentials are real.
3. He provides an easy-to-use service for free.
What is your alternative? Having each person run their own agent scanning the corners of the internet, downloading breaches, and looking for their own accounts? What's the point of that?