Two billion email addresses were exposed
troyhunt.com626 points by esnard 4 days ago
626 points by esnard 4 days ago
There have been enough data breaches at this point that I'm sure all my info has been exposed multiple times (addresses, SSN, telephone number, email, etc). My email is in over a dozen breaches listed on the been pwned site. I've gotten legal letters about breaches from colleges I applied to, job boards I used, and other places that definitely have a good amount of my past personal information. And that's not even counting the "legal" big data /analytics collected from past social media, Internet browsing, and whatever else.
I now use strong passwords stored in bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.
Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.
I used per-account email with alias services and password managers.
Also started migrating old accounts in free time.
Now its pretty easy to tell the source of leak by email addresses as well as sources of spam.
---
Per-account alias might sound much, but using sieve filtering [1] is amazing, and you can get a comprehensive filtering solution going with 'envelope to' (the actual address receiving the email) + 'header to' (the recipient address you see, sometimes filtering rules don't filter for BCC or sometimes recipients are alias instead of your actual email) that are more comprehensive than normal filtering rules to sort your emails into folders.
[1]: https://datatracker.ietf.org/doc/html/rfc5228
---
Amusingly, I've managed to recover old accounts from emails that contains my old passwords with demands for crypto payment, it just provided me enough help to recall old variations of my passwords.
> I used per-account email with alias services and password managers.
For people who want to do this, be sure to get it right. I run a SaaS with a free tier, and I see people register with "fancy+nospam+servicename@gmail.com" addresses. Many of those become undeliverable or are left unread forever because of filtering rules. So when my system sends a warning E-mail that the account will be deleted due to inactivity, it doesn't get read, which leads to suboptimal outcomes for everyone involved.
It was infuriating to me when normal_email+site_name@gmail.com stopped working for registration on some sites.
Fucked up my Costco registration, a variety of other things.
This sort of quasi-pseudonymity is required for basic security/privacy in 2025; It's the only way to get a handle on who's allowed to send you email, since we've never bothered to fix spoofing or impose a cost on spam. I've been trying to use it since Sneakemail was a free service back in the pre-Gmail days.
Many spammers will strip the +xxxx out of the emails anyway to not reveal the source of their data so it doesn't matter too much really.
I just use <myname>+<service>@gmail.com At the end of day day it’s all delivered to myname@gmail.com mailbox, but I can use filters based on part after “+”.
I'd be really surprised if Gmail's + behaviour isn't so well known by spammers that they just strip them off?
Conversely, I'd assume this pattern is used rarely enough for spammers to even bother fighting it.
But I've seen service providers who insisted on creating some account with a valid email who wouldn't accept a `+` it in their forms...
My favorite was that I could sign-up with the + address but couldn't sign-in. And the support desk rejected that + address too.
The phone support person was confused about that symbol too, what an odd email.
This is one of the reasons I switched to a different provider using a custom domain. I can make new addresses in any format I want. There's zero risk of a spammer stripping them down to a base address for the primary account. They also don't get rejected by broken validators.
What’s your plan for when you no longer own your custom domain (think bus factor)? Someone else register your domain and now has access to all your accounts.
Everyone has their own risk profiles, mine assumes I retain control over my domains and emails. I prepay for them several months in advance to make sure I don't lose ownership. any service provider worth their salt will have a human factor for customer support who can help you if any such issues show up.
Thank you for expanding. Sure you can prepay up to a certain extent. Eventually your domain will be available to others for purchase and therefore your accounts will become vulnerable. Maybe this isn’t an issue if in the worst situation you’re not around but if this could cause chaos for your friends and family I would suggest taking it into account.
yep, i use fastmail with a custom domain. i have a catch all email set up, so i just register any account on sitename.com as "sitename@mydomain" and it all gets sorted into a catch all folder. I can then run rules if i want it to go into a certain category like "bills" or just straight to the garbage.
Not sure about normalizing recipients' emails but some are definitely aware of it because I've seen spam that asked to "reply back to defi.n.it.ely.not.shady+email@gmail.com" or something.
even better: those will be spam guaranteed and can just be filtered by rule then
With Gmail, also note that firstname.lastname@gmail.com is equivalent to firstnamelastname@gmail.com or fi.rs.tn.am.el.as.tn.am.e@gmail.com
As some other comment suggested, these rules are easy to tackle by motivated spammers.
I do this as well, but there are a number of service providers that just do not handle subaddressing at all. Like creating an account will result in never receiving a confirmation or verification code because the system failed to parse the address.
I've started using grouped aliases instead for a bunch of things.
The downside is that https://haveibeenpwned.com/ can only find "exact email" addressed, as in, you must search for myname@gmail.com, myname+service1@gmail.com, etc.
As someone who deals in breach data this is a simple regex to strip out.
>As someone who deals in breach data this is a simple regex to strip out.
Sure it is, but at least you do get later, post leak, a slight chance find out where leak originated.
Data stealers seldom strip out that +extension part before the selling or otherwise dump it somewhere. And while it's passed on, you get to see address as you gave to that party that had leak. Reason seller don't strip of it is perhaps because they sell by number of unique addresses and while +extension usage is quite rare they make more money when they don't strip it off too.
Information where it leaked can be very useful information to pass leaker at least up till point they have announced they know about the compromise happened. I've done that since turn of century too many times I've lost count already and been quite many times the first to get them know that they had a problem there.
And sure I've received thank you emails that I gave them early head-up info about the issue.
Careful with this method. I was unable to purchase plane tickets from Southwest or even change my email address because they changed their parsing rules on me and silently dropped the plus. I found out most airlines don't have a ticket counter to buy a ticket the old fashioned way! But the premier help can issue tickets. Took me two months to have CS get someone to run a DML to remove my "bad" email address.
It's probably easier to tell them "I lost access to that email, I need to set up a new account". People do this all the time.
On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.
> On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.
I've lost track of the number of places that use the e-mail as an unchangeable identifier. Bonus points for my company liking to change domain names for sport, which just confuses support.
And even big tech companies, who should know better, do this. Like the big blue CDN that's in the middle of half the web's traffic. Who also, for some reason, can't be arsed to send e-mails reliably if you need to change your account.
I did, but the CS agent kept trying to change the email to a new one when I told them I had lost access, and the validation failed because it wanted to send an email to the old address about the email being updated and couldn't. They didn't have the right tools to fix it.
Had to get an engineer involved.
I tried to start doing this. The first site I tried to sign up to said it was an invalid email address.
I would say they could fuck all the way off, but there are legitimate reasons to not let people sign up with an alias (like one person signing up for multiple free trials)
Right. Because it's oh so difficult to set up a separate e-mail account with one of the free providers.
I have such a hard time understanding why people think e-mail addresses are some kind of special thing hard to come by.
When I'm signing up for one service, I don't want to have to sign up for another service, no matter how easy it is. It's not a question of difficulty, it's a question of convenience.
That's why services like Firefox Relay exists. Just generates a new email address for you whose inbox gets relayed to your regular email, no fuss needed. I don't personally pay for it but I do use the heck out of the free email addresses they provided.
Anyone who’s looked at breach data knows to try yourname+service for any service.
This does help in filtering spam though
It doesn't have to be literally the service name. Can be any unique alphanumeric suffix you make up randomly. As long as you use a password manager you don't have to remember it.
Indeed, it needs to be more than just the company name if you want it to be useful later. If the email address used is company@example.com, any idiot could guess company. But receiving email to company_wkhx46@example.com is clearly gotta be from them, or they got hacked.
That's why you have to salt the + portion (look up an old email from the service if you forgot the alias).
> Anyone who’s looked at breach data knows to try yourname+service for any service
Since we're all using a unique password for every service - <cough> we are doing that, aren't we (!!) - then how does that help?
(the keyboard smash username is apropos)
> Per-account alias might sound much
Not only does this not sound too much, this is a feature Apple offers called Hide My Email: https://support.apple.com/en-us/102548
And one day you've had it with Apple's latest user-hostile shenanigans and switch to Linux. What now? Do you just keep paying for iCloud+ forever?
In my experience the overwhelming majority of services permit me to change my email address.
Of course. But I have hundreds of user accounts, as probably many people do. I would not enjoy changing all those email addresses.
wouldnt this be the case for any vendor you choose?
Indeed. But some are easier to change than others. I switched my e-mail provider, and it took all of five minutes to launch the copy of my data. Since I kept the same domain, everyone sending me e-mails didn't notice anything.
With Apple's approach, I'd have to go through each account and move it from something@icloud to something@new-domain.
However, for people who don't want to mess around with custom domain names and e-mail providers, apple's approach is very practical. You just need to tell it to "hide your email" when you register somewhere and you're good to go.
As someone who uses both, I much rather prefer aliases to hide-my-email for the more important stuff. For one, I can choose the email address "username", which I cannot with Apple's solution. Plus, what happens when I move on from Apple to something else?
But aliases can be easily mapped back to your normal email address, unlike Apple's which are opaque. I, too, am afraid of vendor lock-in though. Sadly, couldn't find a good alternative yet
There's no solution to lock-in because there must be some massively shared domain that the email address exists on for the anonymity of the service to properly work. However if you are simply looking for an alternative to Apple, Fastmail offers a masked email service too.
Not sure where you're coming from - my original email address is not being shown in headers, so those seem fairly opaque. Probably depends on your email provider?
I do this also. I started doing it with physical mail before email existed to sort out the junk mail, so first and last name always contained a reference to the company you were dealing with. Paul Allen back in the 80s said in a Seattle Times interview that it was how he handled it.
I also use per-account emails, but not sieve filtering. Catch-all is helpful for throw-aways, aliases for the more important stuff.
It's super-easy to figure out who leaks my emails to whom, so I can easily disable both the leaker and the people who leaked.
Much more user-friendly than Apple's hide-my-email.
> I used per-account email with alias services and password managers.
20-something-ish years ago I setup qmail in my VPS and a .qmail-default file captures all my me-sitename@vps emails. If they send me junk I echo '#' > .qmail-sitename and that's the end of it.
Other things that get a mixture like someone annoying who harvested my ebay/paypal addresses or something, I'll sift out the good (stuff I need) via maildrop and everything else gets junked.
Honestly one of the best, but annoying, things I've done, well worth the time invested as I have a nice clean mailbox.
did exactly same. the only difference is that i use compromised emails to train spam filter
> I used per-account email [addresses] with alias services
I do too (anything@mysubdomain.example.com), but but online services collude with data brokers to share so much information [0] that I don't doubt that many of these "separate" profiles have been aggregated.
Unfortunately the services that supposedly offer to have your personal data removed from data brokers don't seem to support aliasing, so no straightforward way to either find out or have the data removed.
[0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1], for example:
Match and combine data from other data sources 419 partners can use this feature Always Active
Identify devices based on information transmitted automatically 546 partners can use this feature Always Active
Link different devices 358 partners can use this feature Always Active
Deliver and present advertising and content 582 partners can use this special purpose Always Active
+1 for Bitwarden. It is literally the best solution out there. Been getting to increase uptake in personal circles with (very) limited success. The wife keeps trying to convince me that the ship has sailed in trying to protect info online. She's probably right.
Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.
For a week I've been using KeePassXC + Syncthing between four devices. Syncthing is also syncing my Obsidian vaults which has replaced Apple-only Notes.app.
Bitwarden is definitely more polished, and Syncthing is definitely (much) more fiddly than using Bitwarden's and Obsidian's ($5/mo) native syncing tools.
But I like the idea of having the same syncing solution across all apps on all devices. Curious if anybody can recommend this setup or if collisions will make it unbearable.
If you have a nas, I highly recommend you set up a VPN back to your network. It's been a bit of a game changer for me. I don't fiddle around with Dropbox or gdrive anymore, it's just on my nas and it just works. I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline- like on an airplane. Vpn has other advantages as well like no longer really having to worry about sketchy wifi networks. It felt annoying and like overkill at first, but I'm never going back to relying on any sync apps again.
> I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline- like on an airplane.
I solved this by having /home for desktops/workstations on my NAS, but laptops had their own /home (with the NAS /home mounted somewhere locally). It’s not perfect but was way easier than dealing with the offline case.
Yes, I'm using Tailscale, and you're basically always on your home network. Very convenient.
I have used this setup for 6 years or so with KeePassXC and it's fine. Just being mindful of not editing stuff on other devices before the first one has had the chance to sync has been enough to avoid pretty much all sync conflicts. I have only had to resolve those a few times so far, iirc my android client was misconfigured at the time or something.
I still recommend Bitwarden for password management for any "laypeople" since it will just work. Also worth noting that the basic functionality is free.
I do something similar with Syncthing, except I use pass and go-pass on my and my spouse's devices. Those utilities store their data in a git repo already by default, but rather than syncing those repos directly, I have set their upstream remotes to local bare repos which is what Syncthing actually syncs. This avoids contention internal to the git repos which I could see causing some problems through normal git operation and the actual sync between devices should be mostly atomic.
(go-)pass automatically does a push/pull due to several operations which keeps the password store in sync and Syncthing does its thing with the bare repos.
This has reduced my maintenance burden on my spouse's devices down to practically zero. The worst case to fix things is I need to `git pull --rebase` in the bare repo. The pass repo format uses individual encrypted files for each password entry (for better or worse) so I have yet to run into a conflict in the same entry.
Why not just push/pull git branches normally? I had previously been doing that but if you want devices to sync that may not always be online, then you must involve an always online git server (which isn't a great idea due to one of pass's weaknesses).
Even when you do get a sync conflict, Syncthing will rename one of the copies and then you can have KeePassXC merge the two files back into one. So that's still pretty much hassle-free.
Probably due to Obsidian's aggressive autosaving, I did cause a syncthing collision my first day by clicking into a note that I was editing on my other device. Kinda wish desktop Obsidian had a save system more like code editors and less like smartphone apps.
I suppose I can avoid the issue with some discipline.
This is the same setup I used for years with no issues, both KeePassXC and multiple Obsidian vaults, along with some other random files and folders. Syncthing is pretty much rock solid. Now I have the KeePassXC database stored on my NAS which is even simpler.
The cool thing with KeePass is that each client is also a local backup. It's pretty neat.
I use a similar setup, but with Onedrive instead of Syncthing (and, before that, Dropbox).
In the almost 10 years I've been running this setup, I think I hit a conflict one single time. I don't quite remember the details, but I think I accidentally edited something in the mobile app, and before saving, edited something else in the desktop app or vice-versa. So it was pretty much my fault.
Other than that, literally never had an issue. Password managers are by their nature mostly reads, and very occasional writes, so it's very hard to put yourself in a situation where conflicts happen, even if you don't pay attention to it. I've made an identical setup for my (fairly savvy but non-technical) fiancee, and she's never hit an issue either. I had to insist a bit for her to get on board, but years later she actually loves using KeePass. She's thanked me multiple times for how convenient it is not having to remember passwords anymore!
Not sure about Obsidian sync, but for Bitwarden you can self-host Vaultwarden.
> Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.
1password works in all the places, it's just not open source.
One consideration is that Bitwarden seems to not work fully in an offline state the same way your setup would. I constantly try to edit or add a password while offline and can't. I think this somewhat negates the collision situation though.
That came up during my research and it's one of the reasons I couldn't choose it.
Forcing a read/write right before and after each edit probably simplifies the sync scenario for them but I don't like relying on permanent internet access in my life since it's just not the case.
I have almost the exact same setup! Hit me up if you have any Qs as I've been a happy user of this for a few years now.
I originally started using Bitwarden to achieve sync across Mac, Windows, and Linux machines, along with all major browser platforms. It's been great!
You can throw a keepass vault on OneDrive or Dropbox and it works just fine everywhere. Not fiddly at all except Linux and OneDrive support.
strongbox is a reasonable app for iOS and you can set it up for sftp to your main self hosted server.
Unfortunately strongbox was sold a few months ago to a somewhat notorious app firm that has the nasty habit of buying popular apps and adding a whole bunch of telemetry. Not something I'd want in a password app.
I've switched to KeePassium. Not quite as polished UX, but works for me
I'm using KeePassium and SyncTrain for the syncthing integration on iOS.
SyncTrain has been working well, but all the knobs in the advanced folder settings definitely reminds me that I would never recommend it over Dropbox/iCloud/etc to almost anyone, heh.
But as long as I don't run into frequent problems, I like the idea of p2p device syncing over LAN. The phone in my pocket ends up passing around the latest copy since my other devices are almost never on at the same time. It's kinda cute.
> Not quite as polished UX
Huh, this is interesting… If you have any specific UX pain points, feel free to reach out.
Why not just run a vaultwarden instance at that point?
No matter how you sync, a Keepass file is a file. I can't be logged out. It will still be on my phone if my house burns down. Every device it's synced to is an additional backup copy.
The Bitwarden client will sometimes log you out if something happens on the server side, which has the potential to make worst case recovery from annoying to impossible. The circular dependency of having my cloud backup password in the vault made me nervous.
Yes, you can back your vault up, but it's a manual step and likely to be forgotten.
Can anyone with experience with 1Password and Bitwarden share their opinions on each.
I've been on 1Password for years and am wondering if I'm missing anything.
1password has better UI/UX and is faster but Bitwarden is cheaper, supports prompting of the master password for specific passwords, and better security options (such as app idle settings instead of just device idle)
I just trialled it but got a refund
I started paying for 1Password years ago when an annual family plan was $48, and to their credit, they've kept me grandfathered in to that price this whole time.
1P is closed source and have had a number of breaches in the past. Bitwarden have had none that I'm aware of, and they're FOSS. I however have been preferring ProtonPass lately (also FOSS) and really like the layout over BW.
> and have had a number of breaches in the past
Do you have a source for this claim of multiple past breaches? The only one I know of is the Okta breach.
For me they're still firmly in the 'one of the best options out there' category because cross-platform usability is incredibly good imho. I will admit it's been quite a while since I migrated from KeyPass so maybe these other options have improved too.
This is either ignorance or throwing shade at 1Password. Outside of their Okta thing (which didn't impact vaults as far as I'm aware, and was more Okta's fault) they never had a compromise. They are definitely an excellent provider.
I might be that guy soon. I really don't like Bitwarden's extensions, they have clunky UX, are slow and often don't even respect my settings. Autofill is a crapshoot, especially on Android. And they have performance issues with the Firefox and Chrome(-based) extensions so it's not even platform specific.
I use a similar service, I always wonder what sort of risk having one point of failure has though. I know 2FA helps, but a particularly motivated person with access to you physical still may be able to get both, espically if it for an investigation of some sort.
I switched from Bitwarden to Proton pass (because we got Proton family) and I find to be equally good. Ineven find sharing credentials a bit easier as it does not require organizations, you can just share with individuals.
Proton also has a separate 2fa totp app.
Bitwarden Families plan is $40 a year and supports up to 6 users. It has TOTP built-in, is open source[1] and has been audited multiple times[2].
The individual plan is $10 a year. I've been a happy user for many years. I converted the last business I was at to exclusively using Bitwarden for Business as well.
Bitwarden supports TOTP too, even though it's not entirely obvious from the UI.
TOTP inside a password manager doesn't make much sense to me. What's the point of two factor auth if both factors are stored together?
Mostly for the sites that insist on MFA and I need to use daily. Using two separate stores would be too annoying, and the increase in security is minimal - I consider Bitwarden to be secure enough (password + yubikey), and the main scenario somebody could get to my account would be on the server side, or phishing. For that, MFA helps somewhat, but storing MFA code in a separate app doesn't do much.
I don’t know the “correct” answer, but here’s my answer as someone whose TOTP are split across a YubiKey and Bitwarden: I store TOTP in Bitwarden when the 2FA is required and I just want it to shut up. My Vault is already secured with a passphrase and a YubiKey, both of which are required in sequence, and to actually use a cred once the Vault is authenticated, requires a PIN code (assuming the Vault has been unlocked during this run of the browser, otherwise it requires a master password again).
At that point, frankly, I am gaining nearly nothing from external TOTP for most services. If you have access to my Vault, and were able to fill my password from it, I am already so far beyond pwned that it’s not even worth thinking about. My primary goal is now to get the website to stop moaning at me about how badly I need to configure TOTP (and maybe won’t let me use the service until I do). If it’s truly so critical I MUST have another level of auth after my Vault, it needs to be a physical security key anyway.
I was begging every site ever to let me use TOTP a decade ago, and it was still rare. Oh the irony that I now mostly want sites to stop bugging me for multiple factors again.
2FA most commonly thwarts server-side compromised passwords. An API can leak credentials and an attacker still can’t access the account without the 2FA app, regardless of which app that is. The threat vector it does open you up to are a) a compromised device or b) someone with access to your master password, secret key and email account. Those are both much harder to do and you’re probably screwed in either case unless you use a ubikey or similar device.
How is it possible to have compromised password but not compromised the second factor? I don't understand the theory of leaking not enough factors. What is stopping webmasters from using 100FA?
> How is it possible to have compromised password but not compromised the second factor?
Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).
> What is stopping webmasters from using 100FA?
The users would hunt them down and beat them mercilessly?
My Bitwarden account is protected with YubiKey as the 2FA. I then store every other TOTP in Bitwarden right next to the password.
I get amazing convince with this setup, and it’s still technically two factor. To get into my Bitwarden account you need to know both my Bitwarden password and have my yubikey. If you can get into my Bitwarden, then I am owned. But for most of us who are not say, being specifically targeted by state agents, this setup provides good protection with very good user experience.
Why do we need a separate 2FA TOTP app for anything? :| I have a feeling too many people have no idea what TOTP is, and how easy it is to implement.
> Bitwarden
Best when paid for so you can do 2FA with TOTP codes!
I self-host through Vaultwarden but I think I miss this. Besides, I feel like paying these guys anyway just for the great product. We use 1Password at $dayjob and it's so primitive by comparison.
What is lacking in 1Password by comparison? I pay for a family plan but maybe I should switch next year.
Here are the things that get me, and maybe it's because I haven't configured it well yet.
1. On firefox first start-up is slow after unlocking to actually find a password for a site. The interface says, "No logins for xyz.com" for maybe 5 seconds before the login loads.
2. Along those lines when I open it first thing in FF the box for its password isn't focused and I have to click it.
3. The keyboard combo to open it also only works in Chrome.
4. To add a new login I have to go to the site. I haven't figured out how to do it from within the plugin.
5. We get alerts at least once a week about service disruptions but they don't seem to actually affect me.
6. I like Bitwarden's command line tool but I bet 1Password has something at least as good that I haven't found yet.
How is 1password primitive? It does totp. It integrates with TPM in Windows hello. It does sh keys and has its own agent which is a huge help. It's sync is nearly instantaneous. It handles multiple accounts with ease.
The moment you put TOTP in Bitwarden it is no longer a 'second factor'. Pretty bad security advice to be honest. Better to use hardware tokens or a secure phone (with enclave) instead (never SMS though).
In most cases a true second factor isn't really what any involved party cares about.
My bank (I mean, they use SMS, but pretend they use TOTP) just care about not having to spend money on support because I used "password1!" as my password for every account and lose all my money.
I just want to log in to my bank.
If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor, I'm just enabling TOTP so that I don't have to copy/paste codes from my email or phone.
> If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor
I'm not comfortable with my entire online identity being protected by a single line of defence which is a company that I'm paying a few dollars a month to. Not having to type 6 digits off a phone is a pretty minor convenience for me.
Do you then avoid syncing any passwords to your phone to avoid having your two factors in the same place? (And similarly, avoid syncing SMS to any devices where you do have passwords.)
I think it’s mostly nice for places that require TOTP but don’t actually rate carrying around/plugging in a yubikey for.
It costs $10/year, so there's really no reason to not pay for it.
I have two reasons not to pay for it: 1) Aegis is free. 2) I rather not have my second factor be stored in the same database as my first factor.
You can just not store the TOTP tokens in Bitwarden? I don’t see how this is an argument against.
If I only store passwords in Bitwarden, not TOTP tokens, then I don't have to pay for it. So, it's an argument for spending less money while being more secure.
I convinced my wife to start using a password manager, too (Bitwarden). Now she stores all of her very guessable, short, similar passwords in a manager. Sigh.
So happy to not have to remember whether the [firstname][lastname][number] password ended with a 4 or 5
Addresses? Most of the time addresses are a matter of public record. I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works. One day a close friend excitedly told me she bought a new house and I told her the address before she told me about it.
Telephone number? There used to be phone books. And I still instinctively think they should be public.
I was thinking the same thing. Can you imagine the headline?
"Forget Hackers! Phone Company Delivers Your Private Info—Including Your Home Address—Directly to Strangers!"
An address can be dangerous if it's e.g. a social network site or blog, anywhere where you post under an alias. People make enemies, have stalkers, or say things online that certain regimes don't like. Granted, this is only really a thing for a minority, but if a minority isn't safe, nobody is.
> Telephone number? There used to be phone books. And I still instinctively think they should be public.
I used to think the same. Around here I feel until a few years ago most people I knew with secret phones were people I would prefer to have fewer interactions with: people who frequently got into trouble, tried to scam others etc.
These days I’m more in the camp of layered security. Whatever I can do to make it harder for an attacker, the better.
> I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works.
Tangential:
Sorry, you have been blocked You are unable to access fastpeoplesearch.com
(Safari on a stock iPhone, mobile broadband from the biggest and most well known telecom company in my country, ipv6 address.)
Addresses can lead you to public land and mortgage records, and phone numbers can lead you to names and addressed. I assume everyone can easily find that out about me once they know my name/phone number.
I think the headline is a bit vague, it includes passwords as well. Does anyone know if Troy's HIBP'd site reveals the passwords to verified users? I'd like to know if my current or what generation of passwords has been breached to evaluate if I have a current or past problem with my devices.
They do not want to have such a list as it makes them a target.
What they do have is a searchable password list not connected to any usernames.
> what if anything can be done at this point
I'm in a similar situation, just make sure your credit is frozen with the 3 major US companies. I had someone steal like $50 of cable TV with my info in another state and it was a major pain to get off of my credit report.
I was in the military. China stole my freaking DNA profile. I've given up on worrying about this stuff.
Gonna be a very weird day for you when China's clone army invades us.
If nothing else, I guess one should at least be kinda proud that of all stolen DNAs, yours is the one they end up making a clone army out of.
5,000,000 Kulahans invading America would not be very effective thus I have defeated China myself, no thanks are necessary.
Even better "please give us all the things which could be used by a foreign power to blackmail you, or apply pressure to relatives or other close contacts" and then poorly secure that database.
Those are the same guys who told us we must give them backdoor keys to every encryption algorithm, because nothing can go wrong with it and otherwise terrorists win.
DNA, blood type, fingerprints, and anything else on your background checks...
They even got my kids social security numbers.
That is awful, but it doesn't lessen the impact of someone who right now has access to your email and or other accounts. China having your DNA profile is not near as impactful as someone actively stealing your identity and potentially ruining your finances. Use 2fa everywhere, and if your email is in this list, you should change your password.
The number of years I got "free credit monitoring" I can pass it down to my children . . .
I feel like only in the US is credit monitoring something sold as an optional service.
I got a confirmation mail from System76, because apparently they feel the need to validate my credit card can’t be used without my approval, but my back does this by default…
Yes. US residents' ability to obtain credit (cards, cars, houses) is based on three shadowy for-profit organizations who each keep a secret score on each resident.
One's employment history is not a factor in the score at all (contrast this with Europe).
Furthermore, privacy in the USA is so bad, the leaking of one's personal details which criminals can use to fraudulently obtain credit and ruin said score and possibly also one's finances is a major concern. Hence, "credit monitoring" exists in order to catch this kind of criminal activity in the act, and I don't know, become completely exasperated with the amount of ass pain that dealing with this then causes.
Credit monitoring has nothing to do with Credit Cards.
Most banks in America indeed do offer (for free) the option to be notified for each transactions if you want.
DNA is actually almost impossible to keep secret if someone really wants it - you basically shed your entire DNA every time you touch anything
Wow! Didn't hear about this. What test did you get done? I'm hoping it wasn't whole genome or exome?
It wasn't an actual DNA test, but the military takes blood samples of every recruit. I'm referring to this hack:
https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
edit: the relevant text is below
> The data breach compromised highly sensitive 127-page Standard Form 86 (SF 86) (Questionnaire for National Security Positions).[8][18] SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. Initially, OPM stated that family members' names were not compromised,[18] but the OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated."
I use unique email addresses per domain name, and I believe IHaveBeenPwned shows me at 39 unique email addresses breached! (So many that seeing which ones have been breached would now cost me $22 / month... IHaveBeenPwned is starting to feel like an extortion racket of its own..)
If you're using the same domain for each of your email address, HIBP has a domain-wide search feature which is free (but you need to register to validate your domain)
I've registered (years and years ago) and I get emails saying how many, but to see which emails they want lots of money.
(If I'm wrong their interface is very confusing and I cannot find the free access.)
Specifically it says this:
> Insufficient subscription. Only subscription-free breaches will be returned for this domain.
So I'm able to see 37 email addresses on my domain have been breaches, but I can't see which without paying $22 / month - https://haveibeenpwned.com/Subscription
> Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists). Only results for subscription-free breaches are shown below, upgrade your subscription to run a complete domain search. If you believe you're seeing this message in error, make sure you're signing in to the dashboard with the correct email address (check your latest receipt if you're unsure).
Quoting Troy from a thread beneath the article:
> The easiest approach in that case is to take out the subscription, then immediately cancel it. It'll still last the full month, more here: https://support.haveibeenpwned.com/hc/en-au/articles/7707041...
I feel you. The aggregate email breach list just feels like a rainbow table at this point.
Same, and I find it really difficult to care about it anymore.
It was leaked through no fault of my own. There are 0 actual consequences to companies doing it. So what am I going to do - stew about it??
Even if you weren't breached, the sophistication is getting higher too. New hires get emails starting literally day one because email formats follow a pattern and they posted their new job on linkedin (or something).
Exactly this.
Does anyone still care?
I like how the Apple Password app informs you about Compromised Passwords so you can you know... go in and fix it, get a new password etc.
Nice little cute idea.
I got 717 warnings. Seven hundred seven teen.
No I will never be able to fix this
To confirm, data/info leaks happened on the server/application side. How does a solution like Bitwarden on the client side helps with this situation?
As per my understanding the only possible threat it saves against is someone trying to brute force for your password against the application. And may be ease the cognitive burden of remembering different passwords.
I generally don't give my real address or real phone number to anyone who doesn't legally need it. I use a virtual address as the billing address on my credit cards and for registering for things that don't need to know where I sleep.
The government can have at my real info, but private companies have bad data security.
Right to be removed/purged and maximum retention policy. One place I'm aware of purges accounts that have been inactive 18month. Historical billing info is offline and "gapped"
I bet now some corporations actually want to be exposed, have data breach. If you have not been in the news, it means you have not made it yet (not popular enough to be a target worth writing about).
Those CISOs / CTOs / CIOs attached to those companies do not want to be in the news.
So by this point, if anyone does anything naughty online they could just pin it on an hacker using their identity, no?
It's probably more important to keep passwords safe, but lots of people treat their email address like some kind of "sensitive secret". "Oh but I don't want to get spam" - my dude you are going to get spam.
There's a guy who lives near me who, when he parks his car, very carefully puts tape over the number plate "because otherwise people might see my registration number". Because apparently if people can see your car's registration number they can somehow just steal your car and the police won't do anything because the number plate was visible. Mad, absolutely barking mad.
Right. Having some data leaked isn't really a boolean, leaked/unleaked. It's a list of leaks, and the implicit map betweenyl your datapoints, whether by intra or interprovider mapping
For example a forum might leak a map between your mail and a password; Implicitly your affinity for that forum's topic is also now on the public record, additionally if your posts were public but under a pseudonym, that might be now known by a sufficiently motivated attacker.
Finally this may be linked with other public datasources like your public tweets or public state records, or even other leaks.
This is why the meme about all ssn's being leaked or about a list of all valid phone numbers is so asinine.
On the plus side, Troy can save a lot of DB space now. Instead of storing which emails have been compromised at this point he can replace that with just
def email_compromised(email):
return TrueNot necessarily. Both my main addresses still come back clean after years in use.
The one I use for random crap has 9 hits though.
If we're going to take my obviously unserious suggestion seriously, I'd suggest a bigger problem is that his stack isn't in Python and the code for whether an email is pwned probably isn't remotely structured as a function call like that...
but other than that I'm sure it's a good idea.
The downside to having many vanity urls and giving out a unique email address to each website you visit is that you cannot use haveibeenpwned without paying (despite being a single human). I have no idea how many email addresses I've given out over the years, probably hundreds across at least 6 or 7 domains, and they want to charge me a monthly fee to see which of those have been pwned.
I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.
The domain search feature on haveibeenpwned is/was free. I registered my domain on haveibeenpwned back in 2017 and I got two emails about breaches, one in 2020 and another in 2022. I did not pay.
I wasn’t aware of this feature, but can confirm. Just tried and it is free.
Log into dashboard, under business there is a domains tab. Enter your domain there and verify ownership. Didn’t ask for payment.
But I can't find the old list of what address was affected where. I only see my own address.
It tells you that an address in your domain has been included in a breach. It doesn't tell you which address was included. That's what the OP and I are opining about.
It does. I just checked mine today. I can see exactly which individual email addresses in my domain where exposed and in which data leak. I have never paid for it.
Interesting. I'd love to see where you're seeing that. I'll go poke at the site a little more.
Edit: When I try to do a domain search I get told:
> Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists).
My domain has 11 breached addresses.
I log in. Click on Business -> Domains. Then click on the looking glass under "Actions" on my domain. I can there see all my addresses an Pwned Sites.
But I think you are right, because I only have 3 breached addresses under my domain (I do see the 10 addresses wording under subscriptions)
Yep, if you have the good fortune of having many breaches while using companname@example.org, the service requires that either you pay up or you have to guess and check.
I understand, but it's frustrating.
Isn’t the idea that you don’t need haveibeenpowned since you’ll see mails coming in and then know your details have leaked?
For ID fraud, more than an email address has to be leaked.
Have I been pwned will tell me if the associated password for that site leaked. I create unique passwords per site, but lets say my mastercard login gets pwned -- that'd be one I want to change the password for right away.
I might not get an email if someone gets that account info.
In theory, I agree.
In practice, anything that high-profile will be plastered all over every tech news site, twitter, reddit, probably even the news. It would be difficult for MasterCard/Visa to have dataleaks, even just email/pass, fly under the radar (I imagine...)
Oracle tried to cover up a data leak, and it didn't go great. Oracle touches nowhere near as many every-day people as MasterCard does
Troy's response [1] on this use case from a couple of years ago was that you should buy a monthly fee and then cancel it.
[1]: https://www.troyhunt.com/welcome-to-the-new-have-i-been-pwne...
I'm in the same boat. I track all of the unique addresses I use (via my password manager) so I guess I could just check them all against HiBP's database. Kind of a pain in the ass, though.
Me too. It used to work for whole domains. Then I guess the limit was added as part of some kind of monetization push. I don't derive enough value to pay for a monthly subscription any time it occurs to me to check, nor figure out how to check addresses one-by-one programatically. So the site is basically dead to me now. It's a shame because there were a few breached lists where people were speculating on where exactly they came from, and I was able to add to the discussion based on which of my tagged addresses were in the list.
I've had that experience re: my personalized addresses being used to more closely identify the source and time of a breach. When I start getting spam to one of my personalized addresses I'll usually reach out to the party for whom the address was created to let them know. Usually I get treated like a crank but occasionally I get somebody who understands and appreciates the help.
My password manager (Bitwarden) does that automatically.
I use Bitwarden with a Vaultwarden server so I have some familiarity. Bitwarden checks new passwords against HiBP. I'm not aware of functionality where it can retroactively check old email addresses or passwords to see if they're included in a breach.
It's under Reports: https://bitwarden.com/help/reports/
Ahh, okay. I assume that's a part of the Bitwarden offering, presumably happening server-side. I'm just using their official client w/ a Vaultwarden server.
It is also available in the Vaultwarden web interface (which is just a rebranded Bitwarden web interface).
Just assume they have all been exposed.
Email addresses are not secrets under any stretch of the meaning of that word.
It's not the email address itself that I care about, and that's not the service that the site provides. It tells you for which email addresses a related password has been pwned.
I don't understand... The password is the secret, right? If your mastercard login ends up in some breach, your password is protecting. You without or without vanish urls, if you have strong passwords you'll be fine.
Cybercrime has a logistics pipeline.
Harvesting potential targets is one part of it i.e. establishing someone was using an email address is the entry point. There's a lot of emails, so associating them to any particular website is right near the start. Establishing that they're active increases their value further.
The people responding to Troy here for example are technically doing that: they clearly monitor the email or still use it, so addresses which respond to up in value.
You need a domain, and possibly a paid mail provider with catch all support.
So cost was always part of this strategy
The problem with catch-all inbox is when you have to reply to an email. Then you have to create the email address to be able to send emails from it. Or are there other solutions?
True, I simplify it a bit based on the capacity of my mail provider. I have like 4 or 5 generic addresses that I give out and use for sending. Sometimes I mix up when sending, but my mail provider (zoho) is pretty decent at keeping track of the addresses anyways.
In a way if I reply, the other party gets upgraded to one of my 5 addresses, so if they send an email to ContosoCoffeeShop@myname.com I might reply from whatever flavour I'm using nowadays or is more appropriate like hello@myname.com
It's like a 3 layer security system, the least privileged get access to one very specific address, if they send me an email which makes sense and I reply, they get upgraded to a bucket. I might sign up directly with a bucket email and skip the most paranoid layer, that's fine.
In general I try to take more care of the newest alias and become more liberal with my older more ruined addresses, alias1@ has like 8 years of signups, while alias5@ has just 1 if any. And I'm sure the list will grow.
Downside is that if there's a leak it's harder to attribute exactly, but at least I can check the recipient to get some kind of hint.
It's more like art than it is a water-tight security protocol. You paint the world with your wacky addresses and occasionally surprise the observant employee with the inverted expectations (usually the name comes before the at)
Thank you for coming to my ted talk.
I have those things? Did you miss the part where I have multiple vanity URLs and hundreds of email addresses? Of course I have a paid mail provider and catch all. The problem is the cost of haveibeenpwned is too much for me as an individual.
Yeah I get it.
I meant that you are already paying for those, so being charged by providers to support our hacky email addresses is not a novelty introduced by Troy's service
I have the more typical one email used with hundreds of passwords on many websites. haveibeenpwned is also useless for me, it will tell me that my email was compromised but not which sites or passwords. I guess I could check each password individually, hope each password is globally unique to me, and then try to match it back to the website where I used it so I can change the password.
If you don’t know which web site uses a particular password, how do you ever login to that website?
Reread the parent post more closely. It does not tell them: A) which site nor B) which password.
The parent can log in because they have a map of site<->password. But without either the site or the password, the notification that an email address is compromised is useless.
This seems to include details from a Spotify data breach in or before early 2020 that, to my knowledge, was never reported on. They did have other, similar issues that year.
Reporting from the time seems to all be about one or multiple leaks/attacks involving:
- Credential stuffing with data from other breaches
- A leak of data (including email addresses) to "certain business partners" between April 9, 2020 and November 12, 2020.
On April 2, 2020 somebody logged in to my Spotify account (which had a very weak password) from a US IP address. This account used an email address only ever used to sign up to Spotify years earlier, and the account had been unused for years by that point. I changed the password minutes later. A few hours after that Spotify also sent an automatic password reset because of "suspicious activity". At no point have I ever been notified by Spotify that my data had been leaked, though it obviously had, and now said email finally shows up on HIBP.
You'd think spotify as a mature company would have had obligations to report this stuff!
I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data knows what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what password were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."
There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the password it found. But I'm not going to reset 500+ password because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.
> there does not seem to be any way for _me_, the person affected, to know what password were breached
You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:
1. The password to my password manager
2. The password to my gmail account
3. The passwords for my full disk encryption
I used to reuse the same password for everything, and that lead to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open uber and see a ride actively in-progress on the other side of the country. It was not fun.
Yes! Me too. Not adding anything here except a confirmation on the above approach. You kind of need your email password as a "break glass" scenario. But mostly, you just need your password manager.
and root disk encryption, unless you have some alternative method set up.
That's the default in this day and age, no?
I mean, probably should be. But for me, no. Well, not my personal computer anyway. That's a mistake, I know. But corporate computer yes.
So no, I don't think "in this day and age" necessarily. And I believe that the vast majority of "normal" users don't do full drive encryption either. But yes, we should.
Last I looked, windows and Mac installs both push the user to set up bitlocker or FileVault, respectively. You have to actively say no if you don’t want it.
I deliberately dodged there, as you noted. I do not have full disk encryption setup. I know that I'm probably have a very bad day if I come to lose my laptop, etc. I should do this, no doubt.
But I'm not sure. While maybe good password management is starting to soak into common computer usage, I don't think disk encryption is all that common just yet across the average user. It should be. But the average user is just moving to their phone anyway, with face id and encryption by default, instead of maintain their own personal device.
Corporate devices seem to be a bit better in this regard, though.
Nice. Now I'd like to know WHICH password got leaked.
That way the breach impact can quickly be limited.
Troy probably would share that information for a price. Not sure whom to pay though - the "good" guy who won't say a word, or a criminal who will happily share it with me?
It's possible the latter would be cheaper too.
They don’t store email addresses with password in the database. That would be way too risky. These are separate databases, so you can lookup your email address, and separately check a password.
Also if possible, use a unique email address for each site. I know that's not feasible for most people, and some sites (e.g. LinkedIn) are structured so that email addresses become linked, but it does provide useful isolation.
> It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.
Yes.
If you read the instructions, you will discover https://haveibeenpwned.com/Passwords which will let you enter a password and securely check if it has been published in a breach.
If it has, it is either a simple password that multiple people are using, or a complex secure password that can make you pretty confident it is your password that has been published.
1Password just does the same thing for all of your passwords - it doesn’t check against your account name either. That information isn’t stored so they can’t become a new source of breached accounts (as explained at the site).
Letting me check my passwords one at a time is like letting me check my grains of rice individually for poison before eating.
The problem with breaches like the latest data set is that there's no source on where the breach came from, it's an aggregate from multiple breaches. They can't tell you that info because it's not in the initial data set.
> But the site does not give me any way to take action.
It gives you as much information as you should be given. Any more information would just be spreading around the hacked dataset.
It does give you an awful lot of information about the specific hacks that exposed your information, and what was the content of that exposure. You may have been owned, but the way you were owned doesn't really matter e.g. I don't care that my firstname.lastname@gmail.com was exposed as being me. I may not care that my username@yahoo.com account was exposed as being username at archive.org. If that's it, I can keep using them. But a lot of hacks are a lot worse, and you might have to rearrange things or close them down. haveibeenpwned gives you enough information to make all those decisions.
Also, your second paragraph seems to imply that the site doesn't tell you if passwords were compromised for an email address. It definitely does by identifying the hack and describing its extent. You don't need the actual password to know that you need to change it. Likely, the hacked site forced you to change it anyway.
Change the password for what account though? The dashboard doesn’t seem to list the actual website(s ) linked to the email/password breached, so how am I to know which password to rotate?
If I follow the recommended best practice, I have a different password for every website or service. That could be hundreds of them. Am I supposed to rotate all of them every time there’s a breach?
You buy you email in and then the result it a website that got breached. Together this should give you enough information.
> It does give you an awful lot of information about the specific hacks
No it doesn't. Enter <old email address> → 5 data breaches → first one says:
> During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources
It doesn't tell me which site or which of the many passwords used together with that address. Just that it has been in a generic data dump.
So it gives me the information that my email has been exposed.
Where? In what service? Did my password got leaked too? I can't change password / delete the account if I don't know where.
Did any other data got leaked? Anything sensitive? Do I have to cancel my credit card? Were any files leaked as well? My home location?
At this point HIBP is next to useless.
And how showing me WHAT is in the database about the email I proved I own would be spreading it? At this point if I want to learn it I need to either try to find the torrent with it (spreading it further!) or pay the criminals.
Btw they are not storing more info along the email address, because that would be way too risky. Just imagine the HIBP database being leaked.
Also, they don’t always know where your info has leaked. Some datasets are aggregates.
This information is given for each of the leaked incidents. Troy also explains this in his blog post.
At one point I responded to a haveibeenpwned notice by immediately having the user reset a password.
I've got over 200 users in a domain search (edit: for this particular incident), and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.
Same here: reset on first beach (ROFB), but on subsequent ones only if it is no collection, eg a new infostealer breach.
This doesn't help. If the email address check says the address has been exposed it doesn't tell you which password that was used together with that has been exposed. Was it one from 10 years ago you don't even remember? Or that's still actively in use? Which one of my hundreds of passwords?
You can use the API to check all of your passwords. Then you'll know the security state of all of your passwords.
Doesn't help. Some accounts are old and may not be in my current PW DB. Or they were memorized, or forgotten.
If the thing suggests the EMAIL (+ associated password) has been compromised for some unknown account then to do a risk assessment I would have find which account it belongs to, not which currently-in-use passwords match the same datasets.
Those are different queries, providing different bits of information.
Here's what I'm suggesting: query all your current passwords against the password API. Then you'll know which of your current password are compromised. Change them.
You don't need to query old passwords, only current passwords. If you're talking about accounts that you've forgotten the password to: then do you care about those accounts? If yes, probably best to do a password reset and set a new password. If you don't care about the account, then why bother?
As for why HIBP doesn't provide an API linking passwords to emails: HIBP has no database that links passwords and emails. So they can't provide any way to query that. They don't want to be in the business of linking passwords to emails.
Of course it helps.
How's this for making it actionable:
Regardless of whether or not someone can associate it with your email, if your password has been seen in the wild, change it.
There you go.
my password: 2,408
password: 46,628,605
your password: 609
good password: 22
long password: 2
secure password: 317
safe password: 29
bad password: 86
this password sucks: 1
i hate this website: 16
username: 83,569
my username: 4
your username: 1
let me login: 0
admin: 41,072,830
abcdef: 873,564
abcdef1: 147,103
abcdef!: 4,109
abcdef1!: 1,401
123456: 179,863,340
hunter2: 50,474
correct horse battery staple: 384
Correct Horse Battery Staple: 19
to be or not to be: 709
all your base are belong to us: 1
Spaces are skewing the numbers lower. Remove them from any of those and see the number increase at least an order of magnitude. That “let me login” goes from 0 to 4,714 just by removing spaces (“letmelogin”).
I was trying random phrases just out of curiosity, and couldn't help but chuckle when it said "epsteinfiles" wasn't found :-)
[flagged]
You can check against the API with just the first characters of your hashed password (SHA-1 or NTLM), for example: https://api.pwnedpasswords.com/range/21BD1 or you can download the entire dataset.
How can you download the entire dataset?
You can download the entire dataset using curl (will be 40+ GB)
curl -s --retry 10 --retry-all-errors --remote-name-all --parallel --parallel-max 150 "https://api.pwnedpasswords.com/range/{0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F}{0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F}{0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F}{0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F}{0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F}"It's not that I couldn't have written that oneliner, it's that I assumed you'd get blocked very quickly.
It is officially recommended by the Troy Hunt: https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader/i...
That speaks to a certain confidence in one's servers ability to hold up under load, doesn't it?
"Oh you want your own copy? Sure, just thrash seven shades of shit out of the database. Here's how."