[HN Gopher] Two billion email addresses were exposed
___________________________________________________________________
Two billion email addresses were exposed
Author : esnard
Score : 243 points
Date : 2025-11-06 20:20 UTC (2 hours ago)
(HTM) web link (www.troyhunt.com)
| gausswho wrote:
| Amidst all of these pwnings, we still don't have a standard way
| to update our passwords from our password managers automatically.
| throawayonthe wrote:
| if we could have standardization like that, we wouldn't need
| passwords
| phoronixrly wrote:
| We also wouldn't be having an issue with password leaks as I
| expect it would be simpler to move on to passkeys (or
| something else) than implementing a standard way of password
| rotation...
| XorNot wrote:
| Except passkeys are an opaque, awful solution.
|
| They're hard to explain to users, the implementations want
| to lock people to specific devices and phones, you can't
| tell someone a passkey nor type it in easily over a serial
| link or between two devices which don't have electronic
| connectivity.
| bl4ck1e wrote:
| If there was a standard, do you know how long it would take to
| get adopted across the interwebs.
| DANmode wrote:
| 10 years.
| goalieca wrote:
| I feel like we missed the chance to have a standard http
| resource for this stuff.
| berkes wrote:
| yes!
|
| It's a shame, IMO, that the Basic Auth never got updated or
| superseded by something with a better UX and with modern
| security.
| mbesto wrote:
| Passkeys essentially solve this, however they are not backwards
| compatible. If they were backwards compatible (e.g. an
| automated way to change passwords) then you might as well just
| enable Passkey as a replacement. That's the conundrum.
| worldfoodgood wrote:
| The downside to having many vanity urls and giving out a unique
| email address to each website you visit is that you cannot use
| haveibeenpwned without paying (despite being a single human). I
| have no idea how many email addresses I've given out over the
| years, probably hundreds across at least 6 or 7 domains, and they
| want to charge me a monthly fee to see which of those have been
| pwned.
|
| I understand they gotta make a buck, but I find it interesting
| this is the first real negative to running a unique email address
| per company/site I work with.
| SoftTalker wrote:
| Just assume they have all been exposed.
|
| Email addresses are not secrets under any stretch of the
| meaning of that word.
| worldfoodgood wrote:
| It's not the email address itself that I care about, and
| that's not the service that the site provides. It tells you
| for which email addresses a related password has been pwned.
| EvanAnderson wrote:
| I'm in the same boat. I track all of the unique addresses I use
| (via my password manager) so I guess I could just check them
| all against HiBP's database. Kind of a pain in the ass, though.
| warkdarrior wrote:
| My password manager (Bitwarden) does that automatically.
| EvanAnderson wrote:
| I use Bitwarden with a Vaultwarden server so I have some
| familiarity. Bitwarden checks new passwords against HiBP.
| I'm not aware of functionality where it can retroactively
| check old email addresses or passwords to see if they're
| included in a breach.
| lern_too_spel wrote:
| It's under Reports: https://bitwarden.com/help/reports/
| EvanAnderson wrote:
| Ahh, okay. I assume that's a part of the Bitwarden
| offering, presumably happening server-side. I'm just
| using their official client w/ a Vaultwarden server.
| jorams wrote:
| It is also available in the Vaultwarden web interface
| (which is just a rebranded Bitwarden web interface).
| Beijinger wrote:
| enpass.io does this automatically if you selected the option.
| huijzer wrote:
| Isn't the idea that you don't need haveibeenpowned since you'll
| see mails coming in and then know your details have leaked?
|
| For ID fraud, more than an email address has to be leaked.
| worldfoodgood wrote:
| Have I been pwned will tell me if the associated password for
| that site leaked. I create unique passwords per site, but
| lets say my mastercard login gets pwned -- that'd be one I
| want to change the password for right away.
|
| I might not get an email if someone gets that account info.
| dpoloncsak wrote:
| In theory, I agree.
|
| In practice, anything that high-profile will be plastered
| all over every tech news site, twitter, reddit, probably
| even the news. It would be difficult for MasterCard/Visa to
| have dataleaks, even just email/pass, fly under the radar
| (I imagine...)
|
| Oracle _tried_ to cover up a data leak, and it didn't go
| great. Oracle touches nowhere near as many every-day people
| as MasterCard does.
| kccqzy wrote:
| The domain search feature on haveibeenpwned is/was free. I
| registered my domain on haveibeenpwned back in 2017 and I got
| two emails about breaches, one in 2020 and another in 2022. I
| did not pay.
| EvanAnderson wrote:
| It tells you that an address in your domain has been included
| in a breach. It doesn't tell you which address was included.
| That's what the OP and I are opining about.
| osculum wrote:
| It does. I just checked mine today. I can see exactly which
| individual email addresses in my domain were exposed and
| in which data leak. I have never paid for it.
| EvanAnderson wrote:
| Interesting. I'd love to see where you're seeing that.
| I'll go poke at the site a little more.
|
| Edit: When I try to do a domain search I get told:
|
| > Domain search restricted: You don't have an active
| subscription so you're limited to searching domains with
| up to 10 breached addresses (excluding addresses in spam
| lists).
|
| My domain has 11 breached addresses.
| osculum wrote:
| I log in. Click on Business -> Domains. Then click on the
| looking glass under "Actions" on my domain. I can there
| see all my addresses and Pwned Sites.
|
| But I think you are right, because I only have 3 breached
| addresses under my domain (I do see the 10 addresses
| wording under subscriptions)
| username44 wrote:
| I wasn't aware of this feature, but can confirm. Just tried
| and it is free.
|
| Log into dashboard, under business there is a domains tab.
| Enter your domain there and verify ownership. Didn't ask for
| payment.
| chinathrow wrote:
| But I can't find the old list of what address was affected
| where. I only see my own address.
| ekjhgkejhgk wrote:
| I don't understand... The password is the secret, right? If
| your mastercard login ends up in some breach, your password is
| protecting you. With or without vanity URLs, if you have
| strong passwords you'll be fine.
| XorNot wrote:
| Cybercrime has a logistics pipeline.
|
| Harvesting potential targets is one part of it i.e.
| establishing someone was using an email address is the entry
| point. There's a lot of emails, so associating them to any
| particular website is right near the start. Establishing that
| they're _active_ increases their value further.
|
| The people responding to Troy here for example are
| technically doing that: they clearly monitor the email or
| still use it, so addresses which respond go up in value.
| guelo wrote:
| I have the more typical one email used with hundreds of
| passwords on many websites. haveibeenpwned is also useless for
| me, it will tell me that my email was compromised but not which
| sites or passwords. I guess I could check each password
| individually, hope each password is globally unique to me, and
| then try to match it back to the website where I used it so I
| can change the password.
| TZubiri wrote:
| You need a domain, and possibly a paid mail provider with catch
| all support.
|
| So cost was always part of this strategy
| joe5150 wrote:
| It's honestly very hard to even care at that scale.
| imgabe wrote:
| My data was exposed in one of the Facebook leaks and it turned
| out I had an old email on my Facebook account with a domain I had
| since let lapse and abandoned. Someone else registered the domain
| and tried to take over my Facebook account by sending a password
| reset request using it. Luckily I had 2FA and I guess Facebook's
| fraud alerts picked it up so it wasn't successful.
|
| I guess what I want to say is beware that even something as
| innocuous as an email being leaked can cause problems, and make
| sure you delete any unused addresses from your accounts!
| esafak wrote:
| What a lot of work to capture one account.
| twodave wrote:
| I can think of a lot of ways that would be worth it.
|
| * blackmail the account owner
|
| * make up an illness, create a donation page and get all
| their friends to donate
|
| * find all connections over a certain age and disguise a
| phishing vector as literally anything!
|
| * so many more
| morshu9001 wrote:
| A real FB account with real friends who trust it (and are
| rich) is worth a lot
| guywithahat wrote:
| Which is incredible because it means they paid to get the
| domain and try to access that account. I can't imagine why
| anyone would care that much about your Facebook (assuming
| you're not someone who's especially influential) and yet here
| we are
| giobox wrote:
| One of the drawbacks of using a custom domain for personal
| email is you essentially have to pay for it for life, otherwise
| anyone can just buy your old email address if the domain
| expires and start receiving mail, resetting accounts... I think
| some folks don't fully consider this consequence when setting
| up a fun vanity email address or similar etc, especially now
| both iCloud and gmail have made it so trivial to link a custom
| domain.
| hn_acc1 wrote:
| Conversely, if yahoo/google ever stop offering free email,
| I'll probably end up paying them much higher prices to keep
| going for a bit until I can transition.
|
| If either ever stop period, especially one day to the next,
| FML...
| digisign wrote:
| Accounts can most often be closed or deleted permanently when
| one wants to stop or move. Some can change your address.
| giobox wrote:
| Speaking for myself, the "blast radius" of my email address
| is some 600+ accounts... (just looking in my password
| manager). The chances of me sitting down and closing every
| single one are non-existent. Many won't even have the
| luxury of having diligently tracked their login accounts in
| a password manager either.
| zwnow wrote:
| Can anyone enlighten me why an exposed email address is an issue?
| I get it if its some kinda admin@foo.com but my private mail, why
| would I care? It's not like they have my password?
| dylan604 wrote:
| Until they figure out the password to that email and then take
| over everything else in your life. They are not collecting
| email address because they are useless.
| worldfoodgood wrote:
| > Oh - and 1.3 billion unique passwords, 625 million of which
| we'd never seen before either.
|
| It's not just email addresses. It's address + password combos.
|
| But also, how did 2 billion email addresses get exposed?
| Assuming I give an email address to a company (and only that
| company) if someone gets access to that email address they
| either got it from me or that company. Knowing the company has
| sold, lost, or poorly protected my email address tells me they
| are maybe not worth working with in the future.
| zwnow wrote:
| Yea a combo is more problematic, I could see why that's an
| issue. Most important stuff in my life has 2FA with my phone
| thankfully. My banking password got breached like 3 years ago
| and I still didn't change it... nothing ever happened. I am
| guessing tech companies that could have huge negative
| influence on your life should have additional security
| measures in place, like not allowing a login from a different
| country unless some kinda mobile code is provided or stuff
| like that. I'm pretty naive with all that tbh.
| buzer wrote:
| > But also, how did 2 billion email addresses get exposed?
|
| The list contains emails which have been part of some other
| breaches. In my domain I have 2 emails that were exposed that
| weren't my normal email address. One of them was a typo that
| I used sign up for one service which was later breached. The
| other one was something someone used to register to service
| that I have never used & that service was later breached.
| Those emails have never been used for anything else as far as
| I'm aware.
|
| Of course judging from what was posted there are likely some
| other services as well which were breached but this wasn't
| noticed/published until now.
| santiagobasulto wrote:
| Could lead to massive impersonation attempts. All the folks
| here on HN are probably very tech savvy, so we'll likely have a
| strong password + 2FA. But mom and pops that just got their
| email addresses leaked? Probably not. So they might start just
| trying out a rainbow table of common passwords and getting
| access to peoples emails. Once you're there getting to home
| banking and other privileged resources is not hard.
| 295fge wrote:
| Troy Hunt's brand is to exaggerate secret risk.
| elorant wrote:
| One reason is spam. The other is that in many cases passwords
| are leaked too.
| ddxv wrote:
| Yeah, I agree. I consider them like public keys or IPs.
| clickety_clack wrote:
| It's not the email address itself that's important, it's that
| the email address is a key identifying users in data breaches.
| The email addresses are presumably linked to breaches of pii or
| passwords etc.
| zkmon wrote:
| I think we should stop seeing email address as a secret or
| something that can be "stolen". Password? who is still storing
| passwords on their servers, instead of a hash?
| gretch wrote:
| Given enough time, hashes are reversible via brute force.
|
| If the attacker steals the entire password table undetected,
| they have a large amount of time to generate soft collisions.
| After all they don't need to hack any particular account, just
| some 50% of the accounts.
|
| The time can be increased by some coefficient via salting, but
| the principles remain the same.
| MattSteelblade wrote:
| For password hashing, only short-output or broken hash
| functions have practical collision concerns. The odds of any
| random collision with a 256-bit hash, and not with a specific
| hash, is 50% at 2^128 inputs. Salting is a defense against
| precomputation attacks like rainbow tables and masking
| password reuse. Attackers crack password dumps by trying
| known password combinations, previously compromised
| passwords, brute force up to a certain length, etc. and using
| the hashing algorithm to compare the output.
| berkes wrote:
| A _lot_ of companies and services are storing _unsalted hashes_
| of passwords. Which is not much better than storing plain-text
| passwords.
|
| It's becoming less and even languages with a "strong legacy
| body" like PHP have sane defaults nowadays, but I do see them
| around when I do consultancy or security reports.
|
| "Never fix something that ain't broken" also means that after
| several years or a decade or more, your "back then best
| security practices" are now ridiculously outdated and insecure.
| That Drupal setup from 2011 at apiv1docs.example.com could very
| well have unsalted hashes now. The PoC KPI dashboard that long
| gone freelancer built in flask 8 years ago? probably unsalted
| hashes. And so on.
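The thread above (gretch, MattSteelblade, berkes) argues about why unsalted hashes are "not much better than plain text": the attacker hashes each wordlist candidate once and that single computation unmasks every user sharing that password, whereas a per-user salt plus a slow KDF forces one KDF run per (user, candidate) pair. The following Python is an added example, not code from any commenter or from HIBP; the user table and wordlist are constructed here, and the op counters are the only thing it measures.

```python
import hashlib
import secrets

# Constructed sample data: a tiny "user table" and the attacker's wordlist.
# Three users share the weak password "hunter2"; dave's is not in any list.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "hunter2",
    "dave": "zK9!vQ2#pL8w",
}
WORDLIST = ["123456", "password", "admin", "hunter2", "letmein"]


def unsalted_store(users):
    """The legacy layout: one bare SHA-256 of the password per user."""
    return {u: hashlib.sha256(pw.encode()).hexdigest() for u, pw in users.items()}


def salted_store(users, iterations=50_000):
    """Per-user random 16-byte salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Real deployments use a higher iteration count or a memory-hard KDF;
    the count here is kept low so the example runs in about a second."""
    store = {}
    for u, pw in users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[u] = (salt, iterations, digest)
    return store


def crack_unsalted(store, wordlist):
    """Hash each candidate once and look it up: identical passwords
    produce identical hashes, so one computation cracks all of them."""
    users_by_hash = {}
    for u, h in store.items():
        users_by_hash.setdefault(h, []).append(u)
    cracked, hash_ops = {}, 0
    for word in wordlist:
        h = hashlib.sha256(word.encode()).hexdigest()
        hash_ops += 1
        for u in users_by_hash.get(h, []):
            cracked[u] = word
    return cracked, hash_ops


def crack_salted(store, wordlist):
    """With a unique salt the attacker must re-run the KDF for every
    (user, candidate) pair; nothing learned about alice helps with bob."""
    cracked, kdf_ops = {}, 0
    for u, (salt, iterations, digest) in store.items():
        for word in wordlist:
            kdf_ops += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == digest:
                cracked[u] = word
                break
    return cracked, kdf_ops


if __name__ == "__main__":
    c1, n1 = crack_unsalted(unsalted_store(USERS), WORDLIST)
    c2, n2 = crack_salted(salted_store(USERS), WORDLIST)
    print("unsalted:", c1, "ops:", n1)   # 3 users cracked with 5 hashes
    print("salted:  ", c2, "ops:", n2)   # same 3 users, but 17 KDF runs
```

The cracked set is the same in both cases because "hunter2" is in the wordlist either way; what the salt changes is the cost curve. With N users and a wordlist of W entries the unsalted attack costs W hashes for the whole table, the salted one up to N times W KDF runs, each of which is deliberately slow. Salting does nothing for dave's strong password because it was never going to be cracked by a wordlist, and nothing against an online guessing attack against the login form, which is rate limiting's job.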
| hirvi74 wrote:
| I have really started to use the 'Hide my email' feature from
| iCloud. It's been so nice. If an email gets pwned, which often
| happens from a service I stopped using many moons ago, then I
| just deactivate or delete the email address. I imagine many other
| services provide this feature as well, but it's what's most
| convenient for me at this time.
| rkagerer wrote:
| Can anyone recommend a good third party service that provides
| similar functionality and a great user experience?
|
| For those of us who don't want to entrust this to Apple and
| who'd like to use our own domain?
| hylaride wrote:
| There are several options to choose from, but most data
| brokers will know that small custom domains go back to a
| certain or small group of people.
|
| That being said, this is a good list:
|
| https://www.reddit.com/r/privacy/comments/108wzvg/what_is_th.
| ..
|
| Not sure I trust the longevity of some of them, though. I do
| use https://temp-mail.org/en/ or other similar services for
| some logins for some services I'm not afraid to lose access
| to, though (especially for places likely to spam me).
| jlund-molfese wrote:
| Post should've been titled "1.3 billion passwords were exposed",
| because, even though the number is slightly smaller, it actually
| represents something much more important.
| layer8 wrote:
| The number of passwords is probably smaller. ;)
| naet wrote:
| There have been enough data breaches at this point that I'm sure
| all my info has been exposed multiple times (addresses, SSN,
| telephone number, email, etc). My email is in over a dozen
| breaches listed on the been pwned site. I've gotten legal letters
| about breaches from colleges I applied to, job boards I used, and
| other places that definitely have a good amount of my past
| personal information. And that's not even counting the "legal"
| big data /analytics collected from past social media, Internet
| browsing, and whatever else.
|
| I now use strong passwords stored in bitwarden to try to at least
| keep on top of that one piece. I'm sure there are unfortunately
| random old accounts on services I don't use anymore with
| compromised passwords out there.
|
| Not really sure what if anything can be done at this point. I
| wish my info wasn't out there but it is.
| kccqzy wrote:
| Addresses? Most of the time addresses are a matter of public
| record. I have used https://www.fastpeoplesearch.com/ a couple
| of times to search for people's addresses and it really works.
| One day a close friend excitedly told me she bought a new house
| and I told her the address before she told me about it.
|
| Telephone number? There used to be phone books. And I still
| instinctively think they should be public.
| animex wrote:
| I think the headline is a bit vague, it includes passwords as
| well. Does anyone know if Troy's HIBP'd site reveals the
| passwords to verified users? I'd like to know if my current
| or what generation of passwords has been breached to evaluate
| if I have a current or past problem with my devices.
| birdman3131 wrote:
| They do not want to have such a list as it makes them a
| target.
|
| What they do have is a searchable password list not
| connected to any usernames.
| NoahZuniga wrote:
| *searchable list of password hashes
| lotsofpulp wrote:
| Addresses can lead you to public land and mortgage records,
| and phone numbers can lead you to names and addressed. I
| assume everyone can easily find that out about me once they
| know my name/phone number.
| kulahan wrote:
| I was in the military. China stole my freaking _DNA profile_.
| I've given up on worrying about this stuff.
| rdl wrote:
| Even better "please give us all the things which could be
| used by a foreign power to blackmail you, or apply pressure
| to relatives or other close contacts" and then poorly secure
| that database.
| harvey9 wrote:
| Gonna be a very weird day for you when China's clone army
| invades us.
| WaitWaitWha wrote:
| The number of years I got "free credit monitoring" I can pass
| it down to my children . . .
| eyeundersand wrote:
| +1 for Bitwarden. It is literally the best solution out there.
| Been getting to increase uptake in personal circles with (very)
| limited success. The wife keeps trying to convince me that the
| ship has sailed in trying to protect info online. She's
| probably right.
| stronglikedan wrote:
| > Bitwarden
|
| Best when paid for so you can do 2FA with TOTP codes!
| troyvit wrote:
| I self-host through Vaultwarden but I think I miss this.
| Besides, I feel like paying these guys anyway just for the
| great product. We use 1Password at $dayjob and it's so
| primitive by comparison.
| shinypants wrote:
| What is lacking in 1Password by comparison? I pay for a
| family plan but maybe I should switch next year.
| jnrk wrote:
| Really? I find it to be the complete opposite.
| chinathrow wrote:
| Is this sarcasm?
| Xerox9213 wrote:
| I convinced my wife to start using a password manager, too
| (Bitwarden). Now she stores all of her very guessable, short,
| similar passwords in a manager. Sigh.
| NewsaHackO wrote:
| I use a similar service, I always wonder what sort of risk
| having one point of failure has though. I know 2FA helps, but
| a particularly motivated person with access to your physical
| still may be able to get both, especially if it's for an
| investigation of some sort.
| teekert wrote:
| I switched from Bitwarden to Proton pass (because we got
| Proton family) and I find it to be equally good. I even find
| sharing credentials a bit easier as it does not require
| organizations, you can just share with individuals.
|
| Proton also has a separate 2fa totp app.
| smsm42 wrote:
| Bitwarden supports TOTP too, even though it's not entirely
| obvious from the UI.
| neogodless wrote:
| I use unique email addresses per domain name, and I believe
| IHaveBeenPwned shows me at 39 unique email addresses breached!
| (So many that seeing which ones have been breached would now
| cost me $22 / month... IHaveBeenPwned is starting to feel like
| an extortion racket of its own..)
| mrbluecoat wrote:
| I feel you. The aggregate email breach list just feels like a
| rainbow table at this point.
| esnard wrote:
| If you're using the same domain for each of your email
| address, HIBP has a domain-wide search feature which is free
| (but you need to register to validate your domain)
| Razengan wrote:
| So by this point, if anyone does anything naughty online they
| could just pin it on an hacker using their identity, no?
| TZubiri wrote:
| Right. Having some data leaked isn't really a boolean,
| leaked/unleaked. It's a list of leaks, and the implicit map
| between your datapoints, whether by intra or interprovider
| mapping.
|
| For example a forum might leak a map between your mail and a
| password; Implicitly your affinity for that forum's topic is
| also now on the public record, additionally if your posts were
| public but under a pseudonym, that might be now known by a
| sufficiently motivated attacker.
|
| Finally this may be linked with other public datasources like
| your public tweets or public state records, or even other
| leaks.
|
| This is why the meme about all ssn's being leaked or about a
| list of all valid phone numbers is so asinine.
| sixothree wrote:
| Even if you weren't breached, the sophistication is getting
| higher too. New hires get emails starting literally day one
| because email formats follow a pattern and they posted their
| new job on linkedin (or something).
| NegativeLatency wrote:
| > what if anything can be done at this point
|
| I'm in a similar situation, just make sure your credit is
| frozen with the 3 major US companies. I had someone steal like
| $50 of cable TV with my info in another state and it was a
| major pain to get off of my credit report.
| submeta wrote:
| I have a throwaway email address for every website that requires
| signup. And a new password for every signup. Using Fastmail and
| a password manager. When email addresses/passwords leak, I know
| which one I have to replace.
| hypeatei wrote:
| Cynicism is everywhere these days but these events really don't
| register for me anymore. Companies aren't punished by the
| government for these leaks and they aren't punished by consumers
| either. What incentive is there to reduce this data collection in
| the first place or to lock down your databases?
|
| Even if someone's security is awful as the consumer and their
| account gets hacked because of these leaks, what are the actual
| consequences of that? Oh bummer, they need to reset their
| password and make a few phone calls to their bank to reverse the
| fraudulent charges then life goes on. Techies view that as
| unacceptable but most don't really care.
| morshu9001 wrote:
| I don't care for most things, but banking is one place I've
| been bitten pretty hard without even getting hacked. Not going
| to extremes to protect it, just gonna make sure it's decent.
| eckesicle wrote:
| Is there any real drawback to just never giving your real name or
| address to service providers to minimise the chance of identity
| theft? Most likely it's against terms of service, but other than
| account suspension are you likely to suffer any legal
| consequences?
| bigbuppo wrote:
| The ad tech companies can associate any fake identity with your
| real identity. So no, there is no problem. Good thing that all
| ad tech companies are fully on the up-and-up and have never
| been compromised to spread malware.
| Aurornis wrote:
| Service providers generally use your name and address to
| validate your billing method.
|
| If you can pay by some method that doesn't require name or
| address then go ahead and use a fake name.
| legitster wrote:
| Depending on the service, the billing data may be in its own
| database outside of the user tables.
| rkagerer wrote:
| Anonymity on the Internet is going out of vogue.
|
| The only way to fix the ToS issue you raised is through
| regulation protecting it.
|
| Unfortunately we're going the other direction, with efforts
| like verified ID gaining traction in some parts of the world.
|
| It's ironic because in most cases anonymity (or allowing an
| alternate identity that has its own built-up reputation) would
| offer real protection, while the verification systems are
| arguably security theatre.
|
| I don't care what technical genius is built into your
| architecture, as soon as you force a user to plug their ID
| information into it, they've forked over control along with any
| agency to protect their own safety.
| hn_acc1 wrote:
| I mean, for some services, likes banks / credit cards, it's
| required..
|
| For others, I try to stay anonymous / aliased where possible.
| rkagerer wrote:
| The bit at the end about email deliverability was also
| interesting:
|
| _Notifying our subscribers is another problem... in terms of not
| ending up on a reputation naughty list or having mail throttled
| by the receiving server .... Not such a biggy for sending breach
| notices, but a major problem for people trying to sign into their
| dashboard who can no longer receive the email with the "magic"
| link._
|
| And this observation he got from someone:
|
| _the strategy I've found to best work with large email delivery
| is to look at the average number of emails you've sent over the
| last 30 days each time you want to ramp up, and then increase
| that volume by around 50% per day until you've worked your way
| through the queue_
| legitster wrote:
| This is also known as "warming a domain" in the email world. A
| large rush of emails from an email server is an indicator of a
| hack or takeover, so anti-spam software may flag an IP address
| that surges in activity.
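The ramp rule quoted above (start from the 30-day average, grow the daily volume by about 50% a day, stop when the queue is drained) is simple enough to write down as a schedule, which is what the following added example does. It is not code from Troy Hunt's post or from the commenter; the 30-day average, the queue size and the 50% factor are inputs you choose, and it ignores bounce and complaint feedback that a real warm-up would also watch.

```python
def warmup_schedule(avg_daily_30d, queue_size, growth=0.5):
    """Return the daily send volumes for draining `queue_size` notices.

    Day 1 sends the 30-day average grown once by `growth`; every later day
    grows the previous day's volume by the same factor; the last day sends
    only what is left. A domain with no recent sending history has no
    baseline to grow from, so a zero or negative average is rejected.
    """
    if avg_daily_30d <= 0:
        raise ValueError("no sending baseline: warm the domain before a bulk send")
    if queue_size <= 0:
        return []
    schedule = []
    remaining = queue_size
    volume = avg_daily_30d
    while remaining > 0:
        volume = int(volume * (1 + growth))   # ~50% per day with the default
        send = min(volume, remaining)         # never overshoot the queue
        schedule.append(send)
        remaining -= send
    return schedule


def days_to_drain(avg_daily_30d, queue_size, growth=0.5):
    """Convenience: how many days the schedule takes."""
    return len(warmup_schedule(avg_daily_30d, queue_size, growth))


if __name__ == "__main__":
    # Constructed figures: a sender averaging 1,000 mails/day with
    # 10,000 breach notices queued.
    for day, n in enumerate(warmup_schedule(1_000, 10_000), start=1):
        print(f"day {day}: send {n}")
```

The geometric growth is the point: a sender averaging 1,000 mails a day clears 10,000 notices in four days rather than in one burst, so each day's volume is only half again what the receiving servers saw the day before. Because the volume compounds, the same rule clears a million-message queue in well under a month, which is why the commenter can afford to be patient.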
| jimmar wrote:
| I respect Troy Hunt's work. I searched for my email address on
| https://haveibeenpwned.com/, and my email was in the latest
| breach data set. But the site does not give me any way to take
| action. haveibeenpwned knows what passwords were breached, the
| people who breached the data know what passwords were breached,
| but there does not seem to be any way for _me_, the person
| affected, to know what passwords were breached. The takeaway
| message is basically, "Yeah, you're at risk. Use good password
| practices."
|
| There is no perfect solution. Obviously, we don't want to give
| everybody an easy form where you can enter an email address and
| see all of the passwords it found. But I'm not going to reset 500+
| passwords because one of them might have been compromised. It
| seems like we must rely on our password managers (BitWarden,
| 1Password, Chrome's built-in manager, etc.) to tell us if
| individual passwords have been compromised.
| junon wrote:
| https://haveibeenpwned.com/Passwords
| ekjhgkejhgk wrote:
| Right, I'm going to put my password into some website. You
| people will believe anything.
| jolmg wrote:
| > Passwords are protected with an anonymity model, so we
| never see them (it's processed in the browser itself), but
| if you're wary, just check old ones you may suspect.
|
| That could mean one might be able to disconnect from the
| internet while checking.
| ekjhgkejhgk wrote:
| No, it doesn't mean that, that's ridiculous. How would
| that work? Magic?
| bobmcnamara wrote:
| Download all the hashes first - not practical.
| zahlman wrote:
| The above post
| https://news.ycombinator.com/item?id=45840724 links to
| 71.3 KiB of data; since it's a 5-nybble prefix (20 bits)
| we may easily estimate a size of 71.3 GiB assuming that's
| a representative sample. Not unfeasible nowadays, but it
| seems you do have to make separate requests and would
| presumably be rate-limited on them.
|
| If you only download the hash pages corresponding to
| passwords you hold, even supposing that everything else
| is fully compromised, an attacker would have to reverse a
| couple thousand SHA-1 hashes, dodge hash collisions, and
| brute-force with the results (yes, yes: arson, murder and
| jaywalking) to pwn you.
| sunaookami wrote:
| HaveIBeenPwned has been around for ages and it does not
| send your password to the server - you can check it with
| the browser console. It hashes it, sends a range of the
| hash to the server, server replies with a list of hashes
| that match that range and it's checked locally for a match.
| smokel wrote:
| Still, I would not trust that. The password could be
| leaked through other means, for example by setting a
| timer, and exfiltrating fragments of it across future
| requests.
|
| The website loads some external fonts and spits out many
| warnings in the console by default. Does not instill
| confidence in the truly paranoid hacker.
| turnsout wrote:
| You can check it yourself by looking up the hash prefix
| and searching for your hashed password.
| TZubiri wrote:
| That level of care is warranted, but you'll find that you
| are given the tools to audit and it will pass.
| drexlspivey wrote:
| You can hash yourself and check against the api with 5
| lines of python
| bobmcnamara wrote:
| Man, there's a ton of non-obvious ways they could
| exfiltrate that. I'm not going to read their code.
| MattSteelblade wrote:
| You can check against the API with just the first
| characters of your hashed password (SHA-1 or NTLM), for
| example: https://api.pwnedpasswords.com/range/21BD1 or you
| can download the entire dataset.
| zahlman wrote:
| Second line I already notice:
|
| > 000F6468C6E4D09C0C239A4C2769501B3DD:5894
|
| ... Does the 5894 mean what I think it does?
| esnard wrote:
| 5894 means that the password appeared 5894 times in the
| dataset.
|
| 5894 is not the password associated with the hash.
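sunaookami and MattSteelblade describe how the Pwned Passwords lookup works (hash locally, send only the first five hex characters of the SHA-1 to https://api.pwnedpasswords.com/range/&lt;prefix&gt;, match the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines), and esnard explains the count. The Python below is an added example of that k-anonymity exchange, not code from HIBP or from any commenter. To run offline it feeds the check a constructed range response for prefix `5BAA6` (the real SHA-1 prefix of the password `password`, with the count AlienRobot reports above); the other two lines in that sample are made up. `http_fetch` shows the real request but is only used if you call it yourself.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body of GET /range/5BAA6. Only the last
# suffix is a real SHA-1 suffix (of "password"); the first two are invented.
SAMPLE_RANGE_5BAA6 = """\
0000B1C3B5E31E3B7A8A7B9F1A2D6C5E4F3:2
00A1CDE0F2B3C4D5E6F708192A3B4C5D6E7:11
1E4C9B93F3F0682250B6CF8331B7EE68FD8:46628605
"""


def sha1_prefix_suffix(password):
    """Hash locally; only the 5-char prefix ever goes on the wire."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF,
    blank lines and lower-case hex."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times `password` appears in the corpus (0 if never).

    `fetch_range(prefix)` returns the response body for that prefix. The
    password and the other 35 hex characters never leave this function,
    which is the property the commenters are relying on."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Stand-in for the network call; unknown prefixes yield no lines."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def http_fetch(prefix, timeout=10):
    """The real exchange, against the endpoint quoted in the thread.
    Not invoked anywhere in this example; call it yourself if you want."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hn-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "seen", pwned_count(pw, offline_fetch), "times")
```

Two things are worth checking with a packet capture or the browser console, as sunaookami suggests: the request path carries exactly five hex characters, and the response is the same for every password sharing that prefix, so the server learns a bucket of roughly a few hundred to a thousand candidates, never which one you hold. The count is the figure zahlman asked about: how often that exact password occurred across the breaches in the corpus, not a secret of any kind.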
| zahlman wrote:
| Yes, it did mean what I thought, then.
|
| But I guess some passwords appear far more often than
| that in the dataset.
| AlienRobot wrote:
| my password: 2,408
|
| password: 46,628,605
|
| your password: 609
|
| good password: 22
|
| long password: 2
|
| secure password: 317
|
| safe password: 29
|
| bad password: 86
|
| this password sucks: 1
|
| i hate this website: 16
|
| username: 83,569
|
| my username: 4
|
| your username: 1
|
| let me login: 0
|
| admin: 41,072,830
|
| abcdef: 873,564
|
| abcdef1: 147,103
|
| abcdef!: 4,109
|
| abcdef1!: 1,401
|
| 123456: 179,863,340
|
| hunter2: 50,474
|
| correct horse battery staple: 384
|
| Correct Horse Battery Staple: 19
|
| to be or not to be: 709
|
| all your base are belong to us: 1
| zahlman wrote:
| > all your base are belong to us: 1
|
| Only 1, really?
| e12e wrote:
| Password2020: 109,729
|
| Edit:
|
| louvre: 7,219
| bdcravens wrote:
| I was trying random phrases just out of curiosity, and
| couldn't help but chuckle when it said "epsteinfiles" wasn't
| found :-)
| elzbardico wrote:
| > It seems like we must rely on our password managers
| (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell
| us if individual passwords have been compromised.
|
| Yes.
| karencarits wrote:
| One possible solution could be to give you an option to send
| the affected password as a list to the mail address you
| specify, then only people with access to that mail address will
| see them
| elwebmaster wrote:
| That would be a great idea!
| bobmcnamara wrote:
| Hash of the affected password? People share these things and
| don't always run their own mail servers.
| technion wrote:
| At one point I responded to a haveibeenpwned notice by
| immediately having the user reset a password.
|
| I've got over 200 users in a domain search (edit: for this
| particular incident), and nearly all of them were in previous
| credential breaches that were probably stuffed into this one.
| I'm not going to put them through a forced annoyance given how
| likely it is the breached password is not their current one,
| and I'm urging people to start moving in this direction unless
| you obtain a more concrete piece of advice.
| kbrkbr wrote:
| Same here: reset on first breach (ROFB), but on subsequent
| ones only if it is no collection, e.g. a new infostealer
| breach.
| fckgw wrote:
| The problem with breaches like the latest data set is that
| there's no source on where the breach came from, it's an
| aggregate from multiple breaches. They can't tell you that info
| because it's not in the initial data set.
| chinathrow wrote:
| Yeah and I am confused by his new setup private vs business. I
| got that mail too but can simply not see what addresses were
| affected by that breach.
| craftkiller wrote:
| > there does not seem to be any way for _me_, the person
| affected, to know what passwords were breached
|
| You should be using a unique randomly-generated password for
| each website. That way, one breach doesn't lead to multiple
| accounts getting hijacked AND you'll know which passwords were
| breached solely based on the website list. The only passwords I
| still keep in my head are:
|
| 1. The password to my password manager
| 2. The password to my gmail account
| 3. The passwords for my full disk encryption
|
| All of those passwords are unique and not used anywhere else.
| Everything else is in my password manager with a unique
| randomly generated password for each account. And for extra
| protection, I enable 2fa on any site that supports
| u2f/webauthn.
|
| I used to reuse the same password for everything, and that led
| to a pretty miserable month where suddenly ALL of my accounts
| were compromised. I'd log in to one account and see pizzas I
| never ordered. Then I'd open uber and see a ride actively in-
| progress on the other side of the country. It was not fun.
| TZubiri wrote:
| What? You expect the guy to tell you your password? Lol, lmao
| even.
|
| I know roughly what passwords were exposed because either I
| remember it, or the date of the leak or the associated email.
|
| I know simple passwords are almost public and that leaks of say
| linkedin will be properly hashed, while a vb forum from 2006
| might not be.
| jerf wrote:
| On the plus side, Troy can save a lot of DB space now. Instead of
| storing which emails have been compromised at this point he can
| replace that with just:
|
|     def email_compromised(email): return True
| Havoc wrote:
| Not necessarily. Both my main addresses still come back clean
| after years in use.
|
| The one I use for random crap has 9 hits though.
| brikym wrote:
| It boggles my mind that most email providers don't have a way to
| generate aliases for sign ups. Looks like proton and fastmail
| support it.
| cryptoegorophy wrote:
| - Setup a website with article that 3 billion emails were exposed
| - Offer a form to check if your email was leaked
| - Start getting confirmed emails list
| sfilmeyer wrote:
| Troy Hunt has been running Have I Been Pwned for years. He even
| uses the k-anonymity model to allow you to search if a password
| has been pwned without giving him the password if you don't
| trust him.
|
| I get your general point, but he's been a leader in this space
| and walking the walk for a decade. I'm not even into security
| stuff or anything particularly related to this, and I still
| recognized his name in the OP domain.
| kmeisthax wrote:
| More importantly, since HIBP sells monitoring services to
| 1Password, if they were maliciously collecting this data they
| would be immediately sued to oblivion.
| gorgoiler wrote:
| I've always had a bit of a chip on my shoulder about HIBP's
| switch to charging for domain searches. It felt a bit like those
| travel visa scalpers who charge 50 CURRENCY_UNIT to file an
| otherwise gratis form on your behalf.
|
| Law enforcement should provide this kind of service as a public
| good. They don't, but if you do instead, I don't think it's cool
| to unilaterally privatize the service and turn it into a
| commercial one.
|
| I voted with my feet but this post feels like a good enough place
| to soapbox a bit!
| debugnik wrote:
| > However, none of the other passwords associated with my address
| were familiar.
|
| Could at least some of those cracked passwords be hash collisions
| for really weak choices of hash? I once looked up an email of
| mine on a database leak, and found an actual outdated password
| except for random typos that I suspect hashed the same.
| ptrl600 wrote:
| Are there any email services which allow basically unlimited
| aliases with long, random names?
|
| I'm using my own domain right now, but that can only uncover who
| has leaked my data; does not provide additional privacy.
| bootlooped wrote:
| I know you can set up "catch-all" email with a custom domain
| through Proton Mail.
|
| I don't think there's any limit on gmail + codes.
| mac-attack wrote:
| duckduckgo's free email aliases. Can use it as a front-end and
| keep your existing domain
| gostsamo wrote:
| Check Simple Login. They were bought by Proton, but you can use
| them without the parent.
| mapper32 wrote:
| https://simplelogin.io/
| mkl wrote:
| Use a catch-all inbox. Fastmail supports them well in its web
| interface. I use unique addresses for every organisation.
| gostsamo wrote:
| I checked a few of my passwords and a few random ideas. It turns
| out that I'm not the only one who finds the Star wars drone names
| a good inspiration for a password, but the rest were okay. Proud
| that I found a password which leaked in only one breach. Whoever
| has used "feromancer" as a pass, congrats, you might be unique
| among a big part of humanity.
| sloped wrote:
| I switched to using masked emails with Fastmail primarily so I
| could see who sold my data. The potential security benefit was
| not really a driver. Having 1Password be able to generate a
| unique email makes it a no-brainer these days. For those services
| that require a username that is not your email, they can usually
| be used without the domain part. Works really well.
|
| I even wrote a tiny little local only web app that I can use to
| generate a masked email on my phone, so when I need an email for
| an in person thing I can just show them my brand new weird email
| directly on my phone.
| digiconfucius wrote:
| Any interesting finds on companies that tried to sell your
| data?
| sloped wrote:
| Not really any places where things get sold, but opt-in in
| the background for newsletters is bad in certain sectors.
| Ticket platforms are terrible. I like to use a new email for
| every event and boy does that lead to new round of clicking
| opt-out until I can deactivate the email after the event has
| concluded.
| frankdvn wrote:
| I just learned that FastMail provides an iOS shortcut to
| "Create Masked Email".
|
| Just be careful, you must press Save after or else you'll lose
| it.
| layer8 wrote:
| Interestingly, the HIBP data seems to have an expiration date. My
| email address from the Dropbox data breach [0] is now shown as
| having no recorded breaches, although it did back in 2016 after
| HIBP acquired that dataset.
|
| [0] https://haveibeenpwned.com/breach/Dropbox
| zahlman wrote:
| From what HIBP tells me (from an email address; I am not about to
| put any site's password in there, I don't care that they don't
| know who I am or what it's for):
|
| > During 2025, the threat-intelligence firm Synthient aggregated
| 2 billion unique email addresses disclosed in credential-stuffing
| lists found across multiple malicious internet sources. Comprised
| of email addresses and passwords from previous data breaches,
| these lists are used by attackers to compromise other, unrelated
| accounts of victims who have reused their passwords. The data
| also included 1.3 billion unique passwords, which are now
| searchable in Pwned Passwords.
|
| (Edit: this is also directly linked in TFA. Well, I guess the
| site was still somewhat successfully advertised here...)
|
| So, this doesn't seem to comprise new information, and doesn't
| imply that your email _has been associated with_ your password by
| the hackers.
|
| Although they probably do have passwords for a couple of services
| I don't use any more, which I have not reused.
| elwebmaster wrote:
| Why are we still using passwords? Why can't all login be done
| with asymmetric keys: your public keys are stored on the server,
| your private keys on the device. Carry a backup pair on your USB
| and treat it as a key to your house. Any of them got lost? Just
| delete the respective public key from the service.
| magackame wrote:
| That's passkeys. Google and Microsoft are pushing in that
| direction.
| layer8 wrote:
| Amusingly, hunter2 is listed with over 50.000 breaches.
| waynesonfire wrote:
| Another ad for have i been owned? ... How much does it cost to
| advertise on hackernews?
| galaxyLogic wrote:
| What about "pass-codes"? Weren't they supposed to replace passwords?
| anonu wrote:
| > we run on Azure SQL Hyperscale, which we maxed out at 80 cores
| for almost two weeks
|
| The data challenge is interesting here. There's clearly a lot of
| data, but really it's just emails and passwords you need to keep
| track of. SQL feels like overkill that will be too slow and cost
| you too much. Are there better solutions?
|
| 15 billion records of email+password, assume ~40 bytes, that's
| roughly 600GB.
|
| Should be searchable with an off-the-shelf server.
|
| Of course, I'm oversimplifying the problem. But I'm not clear why
| any solution to insert new records would take 2 weeks...
| jiggawatts wrote:
| > we run on Azure SQL Hyperscale
|
| Definitely the wrong technology, and was almost certainly
| picked only because Troy Hunt is a "Microsoft Regional Director
| and MVP".
|
| Many other technologies scale better for this kind of workload.
| Heck, you could ask ChatGPT to write a short C# CLI tool to
| process the data on one machine, you don't even need a huge
| box.
|
| This kind of thing comes up here regularly on HN for problems
| such as duplicate password detection, leaked password
| filtering, etc...
|
| After previous brainstorming sessions the general consensus was
| that it's _really_ hard to beat a binary file that contains the
| sorted SHA hashes. I.e.: if you have 1 billion records to
| search and you're using a 20-byte SHA1 hash, then create a
| file that is exactly 20 billion bytes in size. Lookup is
| (naively) just binary search, but you can do even better by
| guessing where in the file a hash is likely to be by utilising
| the essentially perfectly random distribution of hashes. I.e.:
| a hash with a first byte value of "25" is almost certainly
| going to be 10% of the way into the file, etc...
|
| It's possible to create a small (~1 MB) lookup table that can
| _guarantee_ lookups into the main file with only one I/O
| operation of a fixed size, such as 64 KB.
|
| Sorting the data is a tiny bit fiddly, because it won't fit
| into memory for any reasonably interesting data size. There's
| tricks to this, such as splitting the data in 65,536 buckets
| based on the first two bytes, then sorting the chunks using a
| very ordinary array sort function from the standard library.
|
| On blob storage this is super cheap to implement and host,
| about 50x cheaper than Azure SQL Hyperscale, even if it is
| scaled down to the minimum CPU count.
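The sorted-flat-file layout described above, as an added example (not the commenter's code and not how HIBP is built): 20-byte SHA-1 digests stored back to back in sorted order, plus a 65,537-entry table over the first two bytes so every lookup reads one bucket and binary-searches inside it. The four-password corpus is constructed.

```python
import hashlib, os, tempfile

REC = 20  # SHA-1 digest size: fixed-width records, no separators

def build_sorted_file(passwords, path):
    # Sort the digests in memory and write them back to back. For corpora that
    # do not fit in RAM, split into 65,536 chunk files by the first two bytes
    # first, then sort each chunk with the standard sort and concatenate.
    digests = sorted(hashlib.sha1(p.encode()).digest() for p in set(passwords))
    with open(path, "wb") as f:
        f.write(b"".join(digests))
    return len(digests)

def build_bucket_index(path):
    # index[b] = record number where two-byte prefix b starts; index[b+1] = end.
    # 65,537 offsets: the small table that bounds every lookup to one bucket.
    counts = [0] * 65536
    with open(path, "rb") as f:
        for rec in iter(lambda: f.read(REC), b""):
            counts[int.from_bytes(rec[:2], "big")] += 1
    index = [0] * 65537
    for b in range(65536):
        index[b + 1] = index[b] + counts[b]
    return index

def contains(path, index, digest):
    # One contiguous read of the digest's bucket, then binary search inside it.
    # Bytes compare lexicographically, which matches the sort order on disk.
    b = int.from_bytes(digest[:2], "big")
    lo, hi = index[b], index[b + 1]
    with open(path, "rb") as f:
        f.seek(lo * REC)
        span = f.read((hi - lo) * REC)
    lo, hi = 0, len(span) // REC
    while lo < hi:
        mid = (lo + hi) // 2
        rec = span[mid * REC:(mid + 1) * REC]
        if rec == digest:
            return True
        lo, hi = (mid + 1, hi) if rec < digest else (lo, mid)
    return False

def password_seen(path, index, password):
    return contains(path, index, hashlib.sha1(password.encode()).digest())

def demo():
    # Constructed four-entry corpus; a real one would hold billions of digests.
    path = os.path.join(tempfile.mkdtemp(), "hashes.bin")
    n = build_sorted_file(["123456", "password", "hunter2", "admin"], path)
    index = build_bucket_index(path)
    return n, [password_seen(path, index, p) for p in ("hunter2", "feromancer")]
```

Reading a whole bucket is what keeps the lookup to a single I/O; the bucket size, about 15,000 records per two-byte prefix at a billion hashes, is what sets the size of that read.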
| jorams wrote:
| This seems to include details from a Spotify data breach in or
| before early 2020 that, to my knowledge, was never reported on.
| They did have other, similar issues that year.
|
| Reporting from the time seems to all be about one or multiple
| leaks/attacks involving:
|
| - Credential stuffing with data _from other breaches_
|
| - A leak of data (including email addresses) to "certain business
| partners" between April 9, 2020 and November 12, 2020.
|
| On April 2, 2020 somebody logged in to my Spotify account (which
| had a very weak password) from a US IP address. This account used
| an email address only ever used to sign up to Spotify years
| earlier, and the account had been unused for years by that point.
| I changed the password minutes later. A few hours after that
| Spotify also sent an automatic password reset because of
| "suspicious activity". At no point have I ever been notified by
| Spotify that my data had been leaked, though it obviously had,
| and now said email finally shows up on HIBP.
| ChrisMarshallNY wrote:
| I think, at this point, we should just assume that our emails are
| out there. Can't put the candy back in the pinata.
|
| My main email addy is an OG mac.com address. I registered it
| about five minutes after Steve announced it. My wife got her
| first name, but I suspect that Chris Espinosa already had
| chris@mac.com.
|
| In any case, it was compromised back when Network Solutions sold
| their database to spammers (or some other scumbags sold their
| database), and it's been feral, ever since. Basically, most of
| this century.
|
| I've survived it. I maintain Inbox Zero, frequently.
|
| One of the saving graces, is that mac.com has "aged out," so most
| of the spammers switched over to icloud.com, and that means I can
| just set up a rule to bin anything that comes into icloud.com.
| 1970-01-01 wrote:
| Giving out fake information is the only solution. Real name is
| only for the government and your employer.
___________________________________________________________________
(page generated 2025-11-06 23:00 UTC)