top | item 45840447


jimmar | 3 months ago

I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data know what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what passwords were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."

There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the passwords it found. But I'm not going to reset 500+ passwords because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.


craftkiller|3 months ago

> there does not seem to be any way for _me_, the person affected, to know what password were breached

You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:

  1. The password to my password manager
  2. The password to my gmail account
  3. The passwords for my full disk encryption

All of those passwords are unique and not used anywhere else. Everything else is in my password manager with a unique randomly generated password for each account. And for extra protection, I enable 2fa on any site that supports u2f/webauthn.

I used to reuse the same password for everything, and that led to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open uber and see a ride actively in-progress on the other side of the country. It was not fun.

taftster|3 months ago

Yes! Me too. Not adding anything here except a confirmation on the above approach. You kind of need your email password as a "break glass" scenario. But mostly, you just need your password manager.

subscribed|3 months ago

Nice. Now I'd like to know WHICH password got leaked.

That way the breach impact can quickly be limited.

Troy probably would share that information for a price. Not sure whom to pay though - the "good" guy who won't say a word, or a criminal who will happily share it with me?

It's possible the latter would be cheaper too.

tengwar2|3 months ago

Also if possible, use a unique email address for each site. I know that's not feasible for most people, and some sites (e.g. LinkedIn) are structured so that email addresses become linked, but it does provide useful isolation.

elzbardico|3 months ago

> It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

Yes.

NetMageSCW|3 months ago

If you read the instructions, you will discover https://haveibeenpwned.com/Passwords which will let you enter a password and securely check if it has been published in a breach.

If it has, it is either a simple password that multiple people are using, or a complex secure password that can make you pretty confident it is your password that has been published.

1Password just does the same thing for all of your passwords - it doesn’t check against your account name either. That information isn’t stored so they can’t become a new source of breached accounts (as explained at the site).
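As an added illustration of the check NetMageSCW describes (this is not code from the thread, from HIBP or from 1Password): the Pwned Passwords range endpoint takes only the first five hex characters of the password's SHA-1 and returns every hash suffix in that range with a count, so the full hash is compared on the client and never sent. The sample range body and its counts below are constructed, not real data.

```python
import hashlib
import urllib.request

# Real endpoint: only a 5-hex-char SHA-1 prefix is ever sent to the service.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Counts are made up; a live response lists every suffix seen in that range.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    ),
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """(5-char prefix that goes on the wire, 35-char suffix kept locally)."""
    full = sha1_hex(password)
    return full[:5], full[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a 'SUFFIX:COUNT' range body for our suffix; 0 if absent.
    The match is done client-side, so the service never learns which of the
    returned suffixes (if any) belongs to the caller."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def lookup_offline(password: str, ranges=SAMPLE_RANGES) -> int:
    """Breach count for the password using locally supplied range bodies."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, ranges.get(prefix, ""))

def lookup_live(password: str) -> int:
    """Same check against the real service; only the prefix is transmitted."""
    prefix, suffix = split_hash(password)
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return count_in_range(suffix, resp.read().decode("utf-8"))
```

A count of 0 means the suffix was not in the range, which is the "not found" case a password manager reports; a large count signals a common password rather than necessarily your own leaked one, which is the distinction NetMageSCW draws above.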

donatj|3 months ago

Letting me check my passwords one at a time is like letting me check my grains of rice individually for poison before eating.

fckgw|3 months ago

The problem with breaches like the latest data set is that there's no source on where the breach came from, it's an aggregate from multiple breaches. They can't tell you that info because it's not in the initial data set.

pessimizer|3 months ago

> But the site does not give me any way to take action.

It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.

It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.

Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.

froddd|3 months ago

Change the password for what account though? The dashboard doesn’t seem to list the actual website(s) linked to the email/password breached, so how am I to know which password to rotate?

If I follow the recommended best practice, I have a different password for every website or service. That could be hundreds of them. Am I supposed to rotate all of them every time there’s a breach?

the8472|3 months ago

> It does give you an awful lot of information about the specific hacks

No it doesn't. Enter <old email address> → 5 data breaches → first one says:

> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources

It doesn't tell me which site or which of the many passwords used together with that address. Just that it has been in a generic data dump.

subscribed|3 months ago

So it gives me the information that my email has been exposed.

Where? In what service? Did my password get leaked too? I can't change the password / delete the account if I don't know where.

Did any other data get leaked? Anything sensitive? Do I have to cancel my credit card? Were any files leaked as well? My home location?

At this point HIBP is next to useless.

And how would showing me WHAT is in the database about the email I proved I own be spreading it? At this point if I want to learn it I need to either try to find the torrent with it (spreading it further!) or pay the criminals.

technion|3 months ago

At one point I responded to a haveibeenpwned notice by immediately having the user reset a password.

I've got over 200 users in a domain search (edit: for this particular incident), and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.

kbrkbr|3 months ago

Same here: reset on first breach (ROFB), but on subsequent ones only if it is not a collection, e.g. a new infostealer breach.

junon|3 months ago

the8472|3 months ago

This doesn't help. If the email address check says the address has been exposed it doesn't tell you which password that was used together with that has been exposed. Was it one from 10 years ago you don't even remember? Or that's still actively in use? Which one of my hundreds of passwords?

AlienRobot|3 months ago

my password: 2,408

password: 46,628,605

your password: 609

good password: 22

long password: 2

secure password: 317

safe password: 29

bad password: 86

this password sucks: 1

i hate this website: 16

username: 83,569

my username: 4

your username: 1

let me login: 0

admin: 41,072,830

abcdef: 873,564

abcdef1: 147,103

abcdef!: 4,109

abcdef1!: 1,401

123456: 179,863,340

hunter2: 50,474

correct horse battery staple: 384

Correct Horse Battery Staple: 19

to be or not to be: 709

all your base are belong to us: 1

bdcravens|3 months ago

I was trying random phrases just out of curiosity, and couldn't help but chuckle when it said "epsteinfiles" wasn't found :-)

karencarits|3 months ago

One possible solution could be to give you an option to send the affected password as a list to the mail address you specify, then only people with access to that mail address will see them

bobmcnamara|3 months ago

Hash of the affected password? People share these things and don't always run their own mail servers.

froddd|3 months ago

The details about the “Stealer Logs” on the dashboard even state:

> The websites the stealer logs were captured against are searchable via the HIBP dashboard.

There is no way to use the HIBP dashboard to figure out what domains my email address appears against.

Am I meant to change all passwords associated with that email address? Or do I need to get a paid subscription to query the API to figure out exactly what password(s) to change?

This has always confused me. On the one hand, HIBP is an invaluable service, but, on the other, it does nothing more than stating you’re in trouble, with no clear way forward.

subscribed|3 months ago

It's quite certainly an upselling attempt. I once spent a couple of hours trying to see what was actually exposed in the infostealer breach my email appeared in (e.g. payment data? Physical address? Government ID?) to no avail.

This service is toxic tbh.

chinathrow|3 months ago

Yeah and I am confused by his new setup private vs business. I got that mail too but can simply not see what addresses were affected by that breach.

TZubiri|3 months ago

What? You expect the guy to tell you your password? Lol, lmao even.

I know roughly what passwords were exposed because either I remember it, or the date of the leak or the associated email.

I know simple passwords are almost public and that leaks of, say, LinkedIn will be properly hashed, while a vb forum from 2006 might not be.