In some topics the haveIbeenpwned (HIBP) website has been referred to. So I decided to give it its own topic on this site.
HIBP is a site where you can check whether your details have been involved in data breaches (possibly false positives). You can search each email address you “own” and see if any sites show results. It isn’t a complete list of breaches for various reasons but it is a great start to addressing your security. When you find a site that appears to have lost control of your data you can at least take steps to change passwords, delete accounts if warranted and other actions as required.
You can also list your email address/es with the HIBP site so any future possible breaches involving your data can be notified to you as soon as possible.
The breach may not really have occurred for reasons as explained on the site (https://haveibeenpwned.com/FAQs#SpamList) but when your email address appears as pwned it is because it has been found in the lists, spam lists, & pastes provided on various sites by the “culprits”. The HIBP site then generates an email to you explaining which site potentially lost control of its data. You can’t always find or see your raw data if included in a paste as pastes can be very transient, nor does HIBP store pastes.
I suppose the next question is what should I do if one of my emails shows up in haveIbeenpwned.
If you haven’t changed your password to access your email recently, then you should seriously consider changing it now. The other thing to do in addition to changing your password is to consider using one of the secondary security options offered by your email host (such as receiving a text code) as well. This reduces the risk of your email being able to be accessed and exploited in the future.
The ABC Checkout Series 6 Episode 5 had some good information on selecting and managing passwords. If you are interested, this episode can be found here:
Also, don’t forget if you change your password, any device which is used to access your email (using email software or app) will also need to be updated with the new password.
Fantastic… 2 breaches… one from when Linkedin lost all their user data and one when Adobe lost theirs… can’t recall receiving any compensation from either… so pleased I trusted the big corporate companies.
Indeed but also be aware this may not have been a breach of your email account but may have been a breach of another site where you use your email address as an account identifier or as your contact address. In those cases it is important you change your passwords for the affected sites and take any other needed action for that/those site/s, and may not require that you change your email password (though regularly changing that as well is good security practice).
Having disposable email addresses for using on sites can also help when breaches occur. You can quickly dispose of the old address and if wanted can create a new one. This way you do not compromise your real email address, which can help limit spam and other unneeded effects.
In a test when I first registered my email addresses at this site I provided a new disposable address that had been generated for the site. I have never received any spam nor any other emails since for this address, which to me indicates no leaking of my details.
Also with this site no other identifying data is provided other than your email address. Name, mail address, phone contact, date of birth, Country, etc are all unwanted and unrequired detail. If you want to find out if your email address has been “pwned” you have to enter it. Many other sites that ask for your email address require much more detail even when it obviously isn’t required and they make me doubt that it is just for their sites’ purposes.
As has been stated above the UK and Australian Govts are now using HIBP to monitor their addresses and Mr Hunt has also provided testimony to the US House of Reps and you can read his submission here:
or at the US Govt document repository
Hopefully this helps assuage your suspicions regarding the site’s intentions.
I endorse it. You don’t have to sign up, but it is a useful service. You can also read what Mr Hunt says he will do with your email address(es), and read what IT security experts say about him and his service (generally along the lines of ‘this is great’).
Some of the biggest online brands - like WordPress - have enabled the haveibeenpwned API to assist in their customers’ security (e.g. by checking whether a password has been previously used). That is a huge user-base, and a ringing endorsement of the service.
It is an amazing service, provided by a prominent White Hat for free - up to you whether you see a need for it.
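The password check mentioned in the previous post uses the Pwned Passwords range API. As an added illustration (not code from this thread or from HIBP itself), the following shows the client-side half of that k-anonymity lookup: only the first five hex characters of the password’s SHA-1 are sent to the API, and the returned range is matched locally. The range body below is a constructed sample, not live API data, and the count in it is made up.

```python
import hashlib
from typing import Tuple

# Pwned Passwords range endpoint; only the 5-character prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    k-anonymity model: the 5-char prefix goes to the API, the remaining
    35 chars never leave the client.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Count how many times the password appears in the breach corpus.

    range_body is the text returned for GET RANGE_URL + prefix: one
    "SUFFIX:COUNT" pair per line for every hash sharing that prefix.
    Returns 0 when the local suffix is not listed.
    """
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6 (not real API data).
# The middle line carries the real suffix of "password"; its count is invented.
SAMPLE_RANGE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E2AAA439972480CEC7F16C795BBB429372:2
"""

if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("would query:", RANGE_URL + prefix)
    print("breach count:", breach_count("password", SAMPLE_RANGE))
```

In a real integration the range body comes from an HTTPS GET to the printed URL; the password and its full hash are never transmitted.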
So what does it mean if HIBP is acquired by another company? In all honesty, I don’t know precisely what that will look like so let me just candidly share my thoughts on it as they stand today and there are a few really important points I want to emphasise:
Freely available consumer searches should remain freely available. The service became this successful because I made sure there were no barriers in the way for people searching their data and I absolutely, positively want that to remain the status quo. That’s number 1 on the list here for a reason.
I’ll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP’s brand is intrinsically tied to mine and at present, it needs me to go along with it.
I want to build out much, much more capabilities-wise. There’s a heap of things I want to do with HIBP which I simply couldn’t do on my own. This is a project with enormous potential beyond what it’s already achieved and I want to be the guy driving that forward.
I want to reach a much larger audience than I do at present. The numbers are massive as they are, but it’s still only a tiny slice of the online community that’s learning of their exposure in data breaches.
There’s much more that can be done to change consumer behaviour. Credential stuffing, for example, is a massive problem right now and it only exists due to password reuse. I want HIBP to play a much bigger role in changing the behaviour of how people manage their online accounts.
Organisations can benefit much more from HIBP. Following on from the previous point, the services people are using can do a much better job of protecting their customers from this form of attack and data from HIBP can (and for some organisations, already does) play a significant role in that.
There should be more disclosure - and more data. I mentioned earlier how responsible disclosure was massively burdensome and Svalbard gives me the chance to fix that. There’s a whole heap of organisations out there that don’t know they’ve been breached simply because I haven’t had the bandwidth to deal with it all.
In considering which organisations are best positioned to help me achieve this, there’s a solid selection that are at the front of my mind. There’s also a bunch that I have enormous respect for but are less well-equipped to help me achieve this. As the process plays out, I’ll be working with KPMG to more clearly identify which organisations fit into the first category. As I’m sure you can imagine, there are some very serious discussions to be had: where HIBP would fit into the organisation, how they’d help me achieve those bullet-pointed objectives above and frankly, whether it’s the right place for such a valuable service to go. There are also some major personal considerations for me including who I’d feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing. I’ll be honest - it’s equal parts daunting and exciting.
Eek! I understand the rationales and the need, but can only think of takeovers where the original design was subsumed. Microsoft weakened Skype security, Facebook did the same with Messenger… unfortunately, a company you trust today is not necessarily one you would trust in five years.
The reality of HIBP is that Troy Hunt is a human being, and while it will be a sad day he will die at some time. Then HIBP, under its current form as owned by him, will either disappear or will be taken over by somebody without any support from Troy Hunt.
If/When he sells the system we can hope he remains the decision maker for the time being; this might and hopefully does lead to continued ethical outcomes. I would also hope he retains the right to publicly criticise, once HIBP is acquired, any adverse changes he feels are, or that are being considered to be, made. A well planned transition with good protections is what we can hope for.
If some business buys the product they obviously want some outcome that benefits them, whether this is financial or for rating/prominence/renown or a mix. I hope it remains a free service for non commercial users and see no issue if commercial or Govt users are required to pay a fee for the service. My main concern is what protection is given to those who supply their addresses but don’t want them sold as a commodity to third parties.