He should partner with a law firm, for class action lawsuits, for every breach due to negligence (which is probably all of them).
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be?
Like many people I have a "main" email address, and I use per-company addresses for almost everything else. Now that the domain-searches require subscriptions this site has become much less useful.
I just added my domain to the site again and I see "2,243 Total Breached Addresses", and "18 Addresses excluding Spam Lists", but I have no idea what they are. Attempting to click the links shows me I need to "upgrade" to see them, and the download of excel and JSON result in 404 errors.
Too bad, I guess if you have only a single email address it might be good to get informed, but if you use a domain with multiple addresses it's way less useful.
> It's likely a single-digit percentage of requests that are real humans being [blocked], and we need to look at ways to get that number down, but at least the fallback positions are improved now.
The fallback suggestions mentioned in the article are "try clicking the box again" and "try reloading the page"
I'm slowly starting to wonder if I should start sending snail mail to companies that block me, instead of resigning myself to going somewhere else. HIBP is a free web service and shops have no obligation to serve a given individual, but if everyone puts Cloudflare Turnstile, Google reCAPTCHA, etc. in front of their services, a "single-digit percentage" of people simply cannot participate in modern society. Similar markers (IP address misclassified as bot range, unusual/old/infected browser, ...) will constantly be triggering for the same group.
Does anyone else feel like the new design feels less trustworthy? I've probably just been conditioned on too many templates that all look the same, and there's nothing inherently wrong with it, yet it makes me wonder if I've accidentally opened a ripoff instead of the real thing.
Unfortunately the new UI does not allow searching for leaked phone numbers anymore. The old one did (e.g. you could check for the Facebook phone number leak, see https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...). The new one does not let it pass through the input field.
Edit: it's also stated in the announcement:
> Just one little thing first - we've dropped username and phone number search support from the website
But it's really a bad time to remove this feature since there's an ongoing lawsuit against Facebook in Germany (https://www.vzbv.de/pressemitteilungen/facebook-datenleck-be..., German link) that utilized the search there to know if one can participate or not.
Amazing that even within the last decade a site as large as LinkedIn could be storing unsalted passwords. How does anyone fail at this in the modern era?
It shows you a vertically scrolling timeline (with logos and blurbs) of all the data breaches that have exposed your email. How delightfully horrifying.
Lots of regular people use Have I Been Pwned and sending them to 1Password is probably the single best thing you could do for them (I know it's a sponsorship - but it's a very complimentary one).
I'd make the language around that promo banner stronger (ie. "We strongly recommend") and make it stand out more on the page.
So many social media accounts get hacked[0] because of shared passwords and those affected users often end up on the site - funnelling them to a password manager and a reason why it's good hygiene is great.
ps. congrats on the relaunch!
[0] I've probably assisted 20+ such cases in the past ~12 months
Does it feel like this site is itself a vulnerability? It seems like being able to go type in anybody's email address and just get a list of sites where it was found would be part of an OSINT process.
Shouldn't it at least send you a link to verify that you control the address before showing your results?
> I wanted to make a quick note of this here, as AI seems to be either constantly overblown or denigrated.
This just gestures at middle-of-the-road thinking.
So what’s this begrudging note about? To set us on the correct course in the middle of the road?
> I'd say it was right 90% of the time, too, and if you're not using AI aggressively in your software development work now (and I'm sure there are much better ways, too) I'm pretty confident in saying "you're doing it wrong".
Well done. AI plug done.
I don’t see how that statement fulfills the implied middle-of-the-road opinion though.
Who has the record for being in the most breaches? My main email seems to currently be in 40 breaches, earliest one in from June 2011 (HackForums, don't even remember what that is), and last one in September 2024 (FrenchCitizens, although I'm not French nor have I ever lived in France).
The ';-- in front of Pwned is a brilliant idea but less brilliant execution. Missed opportunity; I'm wondering how many people don't realize what it is.
I’ve never been able to figure out how haveibeenpwned.com can be useful to me, since I have had the same email address for many years and I don’t want to give it up. Do people get a new primary email address every time their address shows up in a breach list like haveibeenpwned ?
The new design looks great, and I always love following Troy's updates (although sometimes with semi-morbid curiosity).
I do find the timeline to be a little confusing: it seems to be ordered from earliest breach to most recent, but the dates on the timeline don't match that, as they seem to be when the data was leaked?
Display: breach date
Ordering: breach published date?
I think it might be clearer to order + display the published date, and in the cards themselves show the breach date in a standard way.
I was always frustrated by this service because it is good to tell you that you have been pwned and your email appears in a breach but sadly it is more often than not more scary than useful as you can't see exactly what has been leaked about you. Especially your password.
I understand the rationale to hide the details, but bad actors like criminals probably have the source file with the details anyway.
What annoys me is that it is good to know that your email appears in a random pastebin agglomerating hundreds of leaks but if they don't give the exact name and date of the site, and without seeing the password it is hard to know who leaked your data and which password to change.
The worst is that I used to use a very shitty simple password for all the sites that ask for one without needing one (let's say media with a free subscription needed to read a single article, a free conference or online webinar), ... and these ones are the best targets for leaks, despite them being totally harmless if you take care not to give your personal info inside.
Small bug report: I've been pwned a few dozen times, and my timeline is not in calendar order. I see Adobe (October 2013), then LinkedIn (May 2012), then Dropbox (June 2012), then Lastfm (March 2012), then some 2016 ones, then Kickstarter in 2014, and then after that they start being more in order of the listed dates.
When it mentions that your password has been leaked for a service, is this the plain text pwd (that service somehow stored that way) or is it a hash? Was the website salting the passwords (so no rainbow-table attack could happen)? What key derivation function were they using? Etc...
I feel the red circle with "Password compromised" is way too simplistic if this wants to be a TRUE trusty site regarding cybersecurity. If they just want to show fear and sell 1Password ads, I understand it, I won't consult it anymore. But if they want to really step up their game from a technical perspective, they should include more details.
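Worked illustration of the salting and KDF questions in the comment above (and of the LinkedIn remark earlier in the thread), added here as an example; it is not HIBP's code and nothing from the thread. The first two functions reproduce an unsalted SHA-1 scheme purely to show its failure mode; the rest store the same passwords with a per-user random salt and PBKDF2-HMAC-SHA256 from the Python standard library. Users, passwords and the wordlist are constructed sample data; the default iteration count follows current OWASP guidance for PBKDF2-SHA256, and demo() lowers it only so it finishes quickly.

```python
"""Unsalted SHA-1 versus per-user salt + slow KDF (added example, not HIBP code)."""
import hashlib
import hmac
import os

# --- the broken scheme: unsalted, fast hash ----------------------------------
def unsalted_sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def crack_unsalted(hashes, wordlist):
    """Hash each candidate once, then recover every user sharing that digest.
    Cost is O(len(wordlist)), no matter how many users leaked: this is the
    precomputed-table attack that salting exists to defeat."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}

# --- the sane scheme: random per-user salt, deliberately slow KDF -------------
ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing

def hash_password(password, salt=b"", iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest, so the
    parameters can be raised later without guessing how a row was produced."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time compare: do not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_salted(records, wordlist):
    """Same wordlist against salted records: no shared table is possible, every
    user is attacked separately and every guess costs one full KDF run."""
    found = {}
    for user, stored in records.items():
        for w in wordlist:
            if verify_password(w, stored):
                found[user] = w
                break
    return found

# constructed sample data
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3!x"}
WORDLIST = ["123456", "password", "qwerty"]

def demo(iterations=20_000):
    """Low iteration count only to keep the demo fast; use ITERATIONS for real."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations=iterations) for u, p in USERS.items()}
    return {
        "shared_hash_visible": unsalted["alice"] == unsalted["bob"],  # True
        "shared_hash_hidden": salted["alice"] != salted["bob"],       # True
        "cracked_unsalted": crack_unsalted(unsalted, WORDLIST),
        "cracked_salted": crack_salted(salted, WORDLIST),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to notice. With unsalted hashes, alice and bob share one digest, so a single precomputed table (or one cracked hash) gives up both accounts, and the attacker pays one hash per wordlist entry regardless of how many users leaked. With a per-user salt the two records differ and each guess costs a full KDF run per user. Salting does not rescue a password that is already in the wordlist, which is why the example still recovers "password" in the salted case, only at a far higher price per guess; that is exactly why the "was it salted, which KDF" question matters when reading a breach notice.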
This is a great site. Thanks for making it! I wish governments would take this kind of thing seriously though. Identity theft/stealing accounts/etc etc all starts with breaches like this and in the modern world it is often less devastating to have someone break into your house than to break into your digital life. With a break in you will get actual support in the form of a phone number to call (911 in the US) and real people doing real work to track down who did it and stop them. With the digital world you have nobody to call and even if you did I doubt much followup would happen. Society needs to change gears on this stuff and actually take it seriously.
Ok, one of my email addresses is in a bunch of leaks. What is interesting is that most services on this list I have never used. How did they get my email in the first place? What is the accuracy of that whole business?
What's the best service or app for tracking data breaches where your username and password are leaked? I'm trying to mitigate some leaks through ProtonPass but it's very frustrating as they simply say "password ****123 was found on the dark web" (they actually redact the full password) so then I manually have to go through my 100+ passwords and look for that particular password.
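One way to answer the "which of my 100+ passwords is the leaked one" problem locally, added here as an example (not code from HIBP or Proton): hash each vault entry, send only the first five hex characters of its SHA-1 to the Pwned Passwords k-anonymity range endpoint, and match the remaining 35 characters on your own machine, so no password and no full hash ever leaves it. The endpoint URL, the "SUFFIX:COUNT" line format and the Add-Padding header are HIBP's documented interface; the vault, the canned range response and every count in it are constructed so the demo and test run offline.

```python
"""Audit a local vault against Pwned Passwords via the k-anonymity range API
(added example, not HIBP or Proton code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

def sha1_split(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent to the
    API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0), which the server
    adds when Add-Padding is on, are dropped so they cannot look like hits."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            out[suffix.upper()] = n
    return out

def fetch_range_live(prefix: str) -> str:
    """Real network fetch of one prefix bucket (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def audit_vault(vault: Dict[str, str], fetch: Callable[[str], str]) -> Dict[str, int]:
    """Return {entry_name: breach_count} for each vault entry whose password is
    in Pwned Passwords. One request per distinct prefix; results are cached so
    entries sharing a prefix do not trigger a second fetch."""
    cache: Dict[str, Dict[str, int]] = {}
    hits: Dict[str, int] = {}
    for name, pw in vault.items():
        prefix, suffix = sha1_split(pw)
        if prefix not in cache:
            cache[prefix] = parse_range(fetch(prefix))
        n = cache[prefix].get(suffix, 0)
        if n:
            hits[name] = n
    return hits

# --- constructed offline data ---------------------------------------------------
# Only "password" (SHA-1 5BAA61E4...) is really in this bucket; the other two
# suffixes and every count are made up, including one padding line (count 0).
CANNED_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:21000000",
        "1E6A6D8B7C2B0B5F15FB1F7B0C1C2E1B9B4:0",
    ]),
}

def canned_fetch(prefix: str) -> str:
    # Unknown prefixes get an empty bucket, i.e. no hits.
    return CANNED_RANGES.get(prefix, "")

SAMPLE_VAULT = {  # constructed
    "news-site": "password",
    "bank": "correct horse battery staple 7$",
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT, canned_fetch))  # {'news-site': 21000000}
```

Swap canned_fetch for fetch_range_live to run it against the real service. Because only the 5-character prefix leaves the machine, each request matches on the order of hundreds of candidate hashes and tells the server nothing about which one you hold. Dropping zero-count lines matters once padding is on; otherwise a padding entry could be mistaken for a hit.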
I keep wondering if it's smart to just roll over an email address when it gets compromised, and limit your exposure, as well as force you to change your password while you're on every website ditching your former email.
I know some people use email tags, but maybe just rolling a new email might be better, followed by deleting unused dead accounts you will never use again.
I love this site! Though I do wonder how much this site also helps amateur hackers find where to search for a specific person's password. One way to deal with it could be to email the person their pwns.
I regularly use plus codes on my email addresses when I sign up for services, is there a way to search for an email address and all associated plus codes? Last I checked I couldn’t find that functionality.
I just verified that this database does not include the Vultr breach, or, at least it does not include email addresses that are unique to the Vultr service.
There's something interesting in the domain search: some breaches contain addresses that... simply don't exist. Like B2BUSABusinesses has sales@mydomain.
I like the new design, but it feels that the "stats" like the cache hit ratio and edge locations won't matter to the vast majority of visitors, who are just trying to check for potential breaches.
On the other hand, they will be great for the API/business pages.
I really wish Troy would've put a little more thought into this before deciding to host using a for-profit corporation based in the US that wants to be a monopoly.
Will Cloudflare sell data to US TLA agencies? Probably.
Really impressive evolution of a crucial service. The architectural and UX improvements are well thought out, especially the focus on resilience and scalability. Love the transparency around the decision-making process, too-Troy’s commitment to keeping HIBP fast, free, and useful is a great example of public-interest software done right. The migration to .NET 8 and use of Cloudflare for caching shows how mature and modern the stack is becoming.
Have I Been Pwned 2.0
(troyhunt.com) 866 points by LorenDB 19 May 2025 | 300 comments
Comments
https://haveibeenpwned.com/OptOut
Maybe I'm reading it wrong but it looks like it might be a little off. I get:
- October 2013
- June 2008
- ...a bunch more...
- November 2021
- December 2020
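To make the ordering issue concrete, here is a small added check (not HIBP's code) that uses the BreachDate and AddedDate fields HIBP's breach model exposes: given cards in the order the page shows them, it reports which date field that order is consistent with, and renders the timeline the way the earlier comment proposes, ordered by the published date with both dates on every card. The four records are constructed and their dates are illustrative, chosen to reproduce the out-of-order sequence described in the comments above, not copied from HIBP.

```python
"""Which date is the breach timeline sorted by? (added example, not HIBP code)"""
from datetime import date
from typing import Dict, List, Sequence, Tuple

# constructed records, listed in the order the cards appeared on the page;
# dates are illustrative, not HIBP's actual values
PAGE_ORDER: List[Dict[str, str]] = [
    {"Title": "Adobe",    "BreachDate": "2013-10-04", "AddedDate": "2013-12-04"},
    {"Title": "LinkedIn", "BreachDate": "2012-05-05", "AddedDate": "2016-05-21"},
    {"Title": "Dropbox",  "BreachDate": "2012-07-01", "AddedDate": "2016-08-31"},
    {"Title": "Last.fm",  "BreachDate": "2012-03-22", "AddedDate": "2016-09-20"},
]

def is_sorted_by(records: Sequence[Dict[str, str]], field: str) -> bool:
    """True if the records, in the order given, are non-decreasing by `field`.
    Only the date part is compared, so full ISO timestamps also work."""
    vals = [date.fromisoformat(r[field][:10]) for r in records]
    return all(a <= b for a, b in zip(vals, vals[1:]))

def detect_sort_field(records: Sequence[Dict[str, str]],
                      candidates: Sequence[str] = ("BreachDate", "AddedDate")) -> List[str]:
    """Date fields by which the given page order is consistent. An empty list
    means the order matches neither, i.e. a real ordering bug rather than a
    display/ordering mismatch."""
    return [f for f in candidates if is_sorted_by(records, f)]

def timeline(records: Sequence[Dict[str, str]],
             order_by: str = "AddedDate") -> List[Tuple[str, str, str]]:
    """Timeline sorted by one field but showing both dates on each card, so the
    displayed date and the ordering key can no longer silently disagree."""
    rows = sorted(records, key=lambda r: r[order_by][:10])
    return [(r["Title"], r["BreachDate"], r["AddedDate"]) for r in rows]

if __name__ == "__main__":
    print("page order is consistent with:", detect_sort_field(PAGE_ORDER))  # ['AddedDate']
    for title, breached, added in timeline(PAGE_ORDER):
        print(f"{title:10} breached {breached}  published {added}")
```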
2) When clicking "details" on one of the search results, and then the back button, the search results disappear.
3) Other than that, thanks man great service!
Can we make it so that companies I've never heard of before don't have my data in the first place?
The ultimate tracking tool
Checking the passwords, "password" has been pwned >21 million times. I don't know what I expected.
I think we’re backed to hacked