Why not just use different passwords for different things. I'd recommend something like privacy.com so you can generate a bunch of one-use cc cards when doing shopping on sites you don't trust and the like.
Also, don't willingly give up valuable personal information unless it's absolutely necessary. It's also not illegal to give online services outright false information (incorrect birthdates, for example), which means that, in the event of a future data breach of that service, at least those who would plan to benefit from your personal information might have some difficulty resetting important accounts and the like.
You just gotta be smart; it's not about being powerless. HIBP and the service is just one tool to make you aware of what's out there before it gets used against you. (I would highly recommend setting up notifications for important e-mail addresses.)
My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.
Of course, for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by Ed25519 public keys for identity?)
EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.
My latest (debit) card has a feature I've not seen elsewhere, but I think it kind of solves that too. It has a new CVC number every 10 minutes, which I kind of both hate and love. Love it for the obvious reasons of "not even having the physical card lets you use it digitally" but also because I cannot have it 100% in my password manager; I have to use the banking app to get the latest CVC code when I need it.
Plus then my gibberish name on my card number will match the gibberish secret question answers.
That's going to be one hell of an issue in practice. Hotels, car rentals and AFAIK even some airlines want the name of the card holder to match the name on the ID card.
If your physical address gets leaked having a unique random password doesn't help with that. It's still a good idea though.
Uncaught (in promise) Error: Invalid response from fetch: 401 -
at emailSearch.ts:295:19
at async HTMLButtonElement.<anonymous> (emailSearch.ts:43:23)
Maybe I'm reading it wrong but it looks like it might be a little off. I get:
- October 2013
- June 2008
- ...a bunch more...
- November 2021
- December 2020
I've been added to door/visitor notifications. I have received medical information for them. Retirement package info. A telecom internal tracker. A Doubleclick account for a while. Lessons for their children. Countless rewards accounts.
Most probably some ancient legacy mainframe or whatnot other integration that nobody really has the time and budget to clean up and migrate to something more modern.
The larger the company, the larger the risk for ossification of anything deemed "business critical" because even a minuscule outage of one hour now is six if not seven figures worth of "lost" time.
It’s really just been a similar problem as with AI code, that without strong and competent management that can set intelligent expectations and requirements and test for them, you will surely get what appears to all the business and leadership types like an equivalent product, without any sense that it’s slop underneath the surface.
They just went into retirement?
You may have some kind of logging / tracking / analytics somewhere that logs request bodies. You don't even have to engage in marketing shenanigans for that to be a problem, an abuse prevention system (which is definitely a necessity at their scale) is enough.
Storing unsalted passwords in the "passwords database" is uncommon. Storing request logs from e.g. the Android app's API gateway, and forgetting to mark the `password` field in the forgot password flow as sensitive? Not so uncommon.
Yes, it's easy to fuck up. But a responsible company implements mitigations. And LinkedIn can absolutely afford to do much more.
If the method works, and it shows that the logging feature Fred got so much credit for is storing passwords, what are the political implications of that? Can our intrepid middle manager steal some of Fred's glory? Or is Fred an ally and it should be carefully handled? Or do they sit on it and wait until an opportune moment to destroy Fred?
This is the kind of reasoning process I think goes on, because I've seen very few large organisations make actually-good technical decisions.
Are there psychopaths and Machiavellian schemers in management? Certainly. Are they the majority? Almost certainly not, unless you're working for absolutely the wrong company.
As the Brits would say, "cock-up before conspiracy."
And unfortunately, a lot of people aren't emotionally intelligent enough to recognize that many managers use emotional reactions to redirect the room away from them. Because if you're the angry one, people won't ask questions like "didn't someone mention the possibility of this to you 6 months ago?"
I don't really agree with that, but let's say I do. Middle management is a unique position where their sensitivity is a bigger liability to everyone else. They have some power, but not a lot. They ironically have higher visibility in the company than upper management. And the job requires 0 technical understanding of what they manage.
So that puts them in an awkward position that is often abused. If they feel someone is going to get in trouble, they will make sure that's not them, which is a terribly common instinct. When a developer tells the company there is a problem to address that could threaten the product, that's a good thing that should be welcomed. Instead, many middle managers see that developer as the problem.
> Someone who can't factor that into their actions and communications is frankly lacking basic social skills.
No argument there.
If your logging is on an obscure enough endpoint (password reset flow in the Android app's API gateway), you may forget to add that endpoint to the bot, just like you may forget to mark it as sensitive in your logging system.
At this scale, the developers working on these esoteric endpoints might not even be aware that such a bot exists.
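The failure mode described in the two comments above (a sensitive field in an obscure endpoint such as the password-reset flow never being marked sensitive, so its value lands in request-body logs) is easiest to close with a redaction layer that combines per-endpoint registration with a name-based fallback that applies everywhere, plus an audit that scans already-written log lines. The following is an added example in Python, not code from this thread or from any company's gateway; the endpoint paths, field names and log lines are constructed for the demonstration.

```python
import json
import re

# Constructed sample log lines, in the shape an API gateway might emit when it
# logs request bodies. These are made up for the example; the third line shows
# that the word "password" inside a *value* is not what we key on.
SAMPLE_LOG_LINES = [
    '{"path": "/api/v1/login", "body": {"username": "alice", "password": "hunter2"}}',
    '{"path": "/api/v1/password/reset/confirm", "body": {"token": "abc123", '
    '"newPassword": "S3cret!", "confirmPassword": "S3cret!"}}',
    '{"path": "/api/v1/profile", "body": {"headline": "Engineer", '
    '"bio": "password is my favourite word"}}',
]

# Per-endpoint registry: fields the team explicitly marked as sensitive.
# Note the reset flow is deliberately missing, mirroring the "forgot to mark
# the endpoint" mistake from the discussion (hypothetical paths).
ENDPOINT_SENSITIVE_FIELDS = {
    "/api/v1/login": {"password"},
}

# Defence in depth: any field whose *name* matches these substrings is redacted
# on every endpoint, registered or not. Over-redacting a harmless field is the
# safe failure; under-redacting a credential is not.
GLOBAL_SENSITIVE_PATTERN = re.compile(
    r"(password|passwd|secret|token|otp|ssn|creditcard|cvv)", re.IGNORECASE
)

REDACTED = "[REDACTED]"


def is_sensitive(path, field):
    """Decide purely on the field name and endpoint, never on the value."""
    if field in ENDPOINT_SENSITIVE_FIELDS.get(path, set()):
        return True
    return GLOBAL_SENSITIVE_PATTERN.search(field) is not None


def redact(path, value):
    """Recursively replace sensitive field values in a parsed JSON body."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if is_sensitive(path, k) else redact(path, v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(path, v) for v in value]
    return value


def redact_log_line(line):
    """Redact one JSON log line before it is written to storage."""
    record = json.loads(line)
    record["body"] = redact(record.get("path", ""), record.get("body", {}))
    return json.dumps(record, sort_keys=True)


def audit_log_line(line):
    """Return dotted paths of sensitive fields that were stored in the clear.

    Run this over existing logs to find where redaction was missed.
    """
    record = json.loads(line)
    path = record.get("path", "")
    findings = []

    def walk(node, prefix):
        if isinstance(node, dict):
            for k, v in node.items():
                field_path = f"{prefix}.{k}" if prefix else k
                if is_sensitive(path, k):
                    if v != REDACTED:
                        findings.append(field_path)
                else:
                    walk(v, field_path)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{prefix}[{i}]")

    walk(record.get("body", {}), "")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        print("unredacted fields:", audit_log_line(raw))
        print("stored as:        ", redact_log_line(raw))
```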
It does have some challenges in introducing a read-before-write to fetch the session key at the start of the session, but given the relatively low call volume of such flows that might be a small price to pay to simplify security audits and de-risk changes to any service in the call chain.
Unfortunately my understanding is that it’s trivial to implement unsoundly but it’s also not something for which there are an abundance of good implementations across languages.
It’s been a while since I’ve looked, though, so maybe there is a newer, less radioactive approach. But yes, never actually sending the authenticator itself (and doing so in a way that the proof is valid only once) would stop this sort of thing cold.
So yeah, LinkedIn have never been exactly a bastion of IT Security.
And if you decline, it asks you again. Two times using different wording.
I was not only talking about that though, but also that they can build shadow profiles and recommend people to you that way.
On a related note, I no longer have an active linkedin account.
It did allow me to cheekily run a SQL GROUP BY once to see what the most common passwords were, though. Top password was actually "trustno1" IIRC, followed by all the usual suspects, e.g. abcdefg, 12345678 etc. (there were no meaningful password rules)
Instead, they could stagger them. Some blank space would still make it easier to understand visually, just not as much. If they did this, it would be a bit harder to see which date-circle on the timeline corresponds to which tile, but that could be fixed somehow, like a dotted line that joins a tile to its circle or by moving the circle to one side of the center line.
They could also shrink the contents of the tiles themselves.
(1) There's no reason to have MORE space after "Compromised data:" than before it. It wastes space, and (IMHO) aesthetically it looks very awkward and clumsy.
(2) Personally, I'd also not double-space the bullet items. I can see how it adds emphasis, but it wastes a lot of space and to me it looks bad.
(3) Too much vertical space above the "View Details" button. Sure, some padding is nice, but why so much more here than between the icon (at the top of the tile) and the first paragraph?
I do find the timeline to be a little confusing- it seems to be ordered from earliest breach to most recent, but the dates on the timeline don't match that, as they seem to be when the data was leaked?
Display: breach date Ordering: breach published date?
I think it might be clearer to order + display the published date, and in the cards themselves show the breach date in a standard way.
Small bug report: I've been pwned a few dozen times, and my timeline is not in calendar order. I see Adobe (October 2013), then LinkedIn (May 2012), then Dropbox (June 2012), then Lastfm (March 2012), then some 2016 ones, then Kickstarter in 2014, and then after that they start being more in order of the listed dates.
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be.
I wish I could easily donate my tiny settlements to a good cause. It might make it worth the time to register for the class.
Isn't this just regulation?
1. How else would you penalize businesses?
2. What else would you do with fines?
If fines exist, it would seem foolish not to budget around that.
So that means that any kind of system that would improve traffic other than repressive measures would cost them twice: once to fix the situation and again when they can issue fewer fines.
The fines, and loss of license hurt them personally, professionally, and financially, but didn't change their behavior outside of the very short term.
In NZ we have people that are in and out of prison due to burglaries, robberies, etc... but the penalties don't change their longer term behavior.
There's a deeper problem, and penalties are important, but not the entire fix.
I just want to say that in modern times safety is put as the #1 priority, while it's actually always a balance. E.g. if we wanted the safest airline industry, we'd close the airports. But we balance safety vs usefulness.
I don't think that's a logically self-consistent idea. The "actual occurrence of the offense" is not an inevitable pre-existing fact, it exists downstream of the size of the fine and efficiency of enforcement. If you fine people 5% of their annual income for going 1 mph over the speed limit, and put more traffic enforcement on the road, fewer people are going to speed.
So to answer the question "what's the ideal collection amount", you have to consider what the costs (economic and social) of rule breaking behavior are, and trade those off with how much behavior can be modified by fines, as well as the costs of enforcement.
Furthermore, just taking the statement at face value, the only way to actually collect the size of the fine multiplied by the actual occurrence of the offense is to successfully fine 100% of offenders or fine some non-offenders, but even if this is possible it's almost certainly not the "ideal" amount of enforcement.
That says a whole lot all by itself. You acknowledge that reform doesn’t work? There is always money to be made because people don’t like the set of rules set? So when people follow all those rules, make new rules that people will break to keep it going? Where does it stop?
I agree with the overall position. Though I believe optimizing to collect zero fines is a bad measure.
A fine can be a relatively just mechanism to show that actions have consequences. And even the best people will occasionally make honest mistakes, so they will just get a fine instead of being persecuted for minor offences.
If fines degrade to a revenue stream, it's an indication something else is off with the financial structure inside the government. At least around here fines don't go into some official's private accounts, but I can see how they might "help" an underfunded department. Thinking about it this way, maybe we should consider funneling fines into a separate pool of money. Though I am not sure what to do when the fines are used to fix damage caused by the action (e.g. ecological damage). Governing is hard :(
Maybe this time we can come up with a better way to disincentivize corruption and bribery.
https://en.wikipedia.org/wiki/Sortition
[1] But the real solution is getting rid of money.
Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.
I would rather know that a company messed up and change my password, than not knowing
How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.
The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.
and how long until that data is breached?
I bet companies even buyback after these dips.
He is a Microsoft employee.
https://www.troyhunt.com/about/ says "I don't work for Microsoft"
We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.
Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? I have a masters degree by coursework from a university, so if I ever state I have an MSc, I'm an employee of the university? I have an electrical licence issued by EnergySafe Victoria, so if I say I'm an A-Grade Electrician, I'm an employee of EnergySafe Victoria?
I don't think many people would be confused into thinking a Microsoft Certified Application Developer or an AWS Certified Cloud Practitioner are actually employees of those particular companies
You might want to reread, nobody was arguing that.
> We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.
"Debating semantics" is arguing about which definition to use. There is no valid definition under which you can say that Troy is a Microsoft employee.
You can't say "I'm not wrong, you're just debating semantics"; all you can say is "I was wrong because I was confused by a misleading title I wasn't familiar with."
cupofnotjoe pointed this out and got a bunch of responses from people with poor reading comprehension who entirely missed his point.
Edit: I use 'you' in the general sense here, not specifically the person I'm responding to.
> It's not semantics at all, you just are excusing your own misunderstanding. He didn't describe himself with a job title, and he even explicitly states directly after listing those awards, that he is not an employee of Microsoft.
Yes, I agree. (I believe you think I am arguing against this; for clarity, I am not).
> Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? I have a masters degree by coursework from a university, so if I ever state I have an MSc, I'm an employee of the university? I have an electrical licence issued by EnergySafe Victoria, so if I say I'm an A-Grade Electrician, I'm an employee of EnergySafe Victoria?
I think these are poor examples and reinforce that the confusion was reasonable. That is the only point I've been arguing in this thread.
Just because the name for something is confusing, that doesn't change the nature of the thing named.
You might think the award has a confusing name, and you would be correct. What you cannot be correct in asserting is that an award makes someone an employee because that award has a confusing name. That isn't a question of "semantics", if you assert that award makes him an employee, you are simply wrong.
1. "Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? [other examples follow]"
2. "All your examples are not things that commonly are job titles, so you are not 'extending logic'."
3. "They are the same class"
4. "No they aren't, those are not job titles, thus they don't imply employment"
...
#. "those weren't attempts to argue the title isn't confusing."
I don't know what you're reading but #1 is doing just that; roughly translated: "Why would 'Microsoft Regional Director' imply he works for Microsoft? If I have a CCIE does that mean I'm an employee of Cisco?"
#1 Troy works for Microsoft.
#2 No Troy does not, as he clearly states.
#3 Being a Microsoft Regional Director makes him an employee and any claims otherwise are based on some arbitrary semantic distinction, not a real difference
#4 No, there is a real difference. That award is like these other awards and none of them take you anywhere near being an employee.
#5 the argument in #3 is flawed because MRD is confusing and the other example titles aren't. (Which misses the point, that using non-confusing examples is much better than using other confusing examples if you want to explain something.)
#6 that doesn't affect the argument being made in #4
#6 repeat ad nauseam
Troy is not a Microsoft employee, no amount of semantic wiggling will make him a Microsoft employee, no matter how confused people are by the title of the MRD award. That confusion may be justifiable, but doubling down when your error has been explained is not.
You are correct, "Microsoft Regional Director" is an award, not a certification like the others mentioned, so they aren't quite the same class, but the analogy still holds. Neither being given an award nor a certification makes you an employee.
That reads to me like he's a Microsoft Employee. It's obviously important/significant enough to include it prominently on his website.
He made it clear that he is not MS but this is the only time I saw such a misleading "title"
The RD site linked from Troy's site isn't loading for me at the moment, but if you search "what is the microsoft regional director program" you get back information making it clear that it's not for MS Employees.
https://rd.microsoft.com/en-us/
> The Microsoft Regional Directors program recognizes industry professionals for their cross-platform technical expertise, community leadership, public speaking[...]
As I see it, it's a way for MS to profit from free labour for its support service and a marketing stunt to benefit by association from the good reputation of this researcher and his initiative.
Even if it is not the case, people like the one previously will think: it is Microsoft employees that are managing this website, they know security.
That's not much of a motivation, given that Troy already is a folk hero.
Meanwhile in the EU, we have laws like NIS2 where, if you are negligent in non-compliance, fines are 10 mil. EUR or 2% of global annual revenue. E.g. if Apple gets an $8 bil. fine, yep, that changes quite a lot I think. :)
I'm not trying to make an argument against strong regulatory bodies. We need those for sure. It would just be nice if the users were compensated for the exploitation and abuse they're subjected to.
The EU solution meaningfully changes the offending company's behavior. I would rather have significantly fewer breaches of my information than a check for $6 in the mail every couple of months.
Citation needed. I'd imagine they just add a tiny markup to their prices to pay the eventual fine instead of investing huge amounts of money into fixing their broken processes. Comparing the list of EU-issued fines against the respective companies' profits shows that they can simply afford to make those mistakes instead of preventing them.
Ironically, this counter-argument applies perfectly to the "US solution".
On the contrary, EU's huge fines have a better chance of being effective.
That just seems dysfunctional.
How are those cookie consent popups working out?
Meaningful does not mean a solution.
Basically, we have a high-corruption society, especially in 2025, but there's still vestiges of a system that can be leveraged in the public's interest, if you contort just so.
Actually no, the end result of this will be a return to deny, deny, deny, because the worst case scenario then becomes the truth getting out.
IMHO we should be crucifying the liars and the truly negligent, but forgiving the honest and good faith efforts. At least for now, automating that judgment is pretty difficult and will result in more of the "customer service" like experiences that we already get from most big tech, except now it has the power to make or break companies.
Man we have sure moved on from the era of Blackstone's Ratio being a thing people united around. I'm not saying it should be applied literally, but punishing an innocent person should be considered a lot more wrong than not punishing a guilty person IMHO.
https://oag.ca.gov/system/files/Partnership%20HealthPlan%20o...
“Based on the investigation into this incident, it was determined that the information involved may include your name, Social Security number, date of birth, Driver’s License number (if provided), Tribal ID number (if provided), medical record number, treatment, diagnosis, prescription and other medical information, health insurance information, member portal username and password, email address, and address.”
It’s not about innocence or guilt. If you leak so much information these people will have to monitor every single account, credit card, etc for life, on top of all their personal sensitive info being leaked and possibly accessed by unscrupulous employers. The damage is incredible. It’s not about innocence. It’s about responsibility.
What I don't think should happen is some automated lawyer combing the internet looking for any disclosures and then automatically filing lawsuits based on it.
Can we make it so that companies I've never heard of before don't have my data in the first place?
john@hotmail.com has 340!
For anyone considering, here are the 3 opt-out options that appear after you email verify:
1. Just remove my email address from public search
No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.
2. Remove my email address from public search and delete the list of breaches it appears in
Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.
3. Delete my email address completely
The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.
I'd make the language around that promo banner stronger (ie. "We strongly recommend") and make it stand out more on the page.
So many social media accounts get hacked[0] because of shared passwords and those affected users often end up on the site - funnelling them to a password manager and a reason why it's good hygiene is great.
ps. congrats on the relaunch!
[0] I've probably assisted 20+ such cases in the past ~12 months
I've been a 1Password user for over a decade. It's user friendly, and I'd rather not have the responsibility to self-host my company and extended family's credentials.
Critically though, Bitwarden is open source, meaning that if the encryption is weakened, it would be noticed in the source.
With 1Password the clients are closed source: you have to trust the company to encrypt the secrets properly and an (malicious or accidental) change of the encryption cannot be detected by the user.
After Lastpass's fiasco around encryption, I don't feel like blindly trusting another company.
Obtaining and storing TBs of leaked databases is another part of the puzzle that is always growing and a bit more complex.
Will Cloudflare sell data to US TLA agencies? Probably.
I'm not sure I really need it for personal use, more just a cool thing to see, so I'm a bit undecided on paying for the domain feature. I can see it being useful for a business though where each email is a different employee dealing with accounts everywhere.
I wish HIBP had a solution for those of us who are individuals but use domain catchall forwarding as our method for separating accounts.
It feels good to see adobe@mydomain.com, newrelic@mydomain.com, internetarchive@mydomain.com, etc. there but not any of the addresses I use for normal communication.
I wish there was a "I'm just one person, or a small family" tier for this.
https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
Using different random email aliases for each service is as much best practice as is different random passwords.
If they have other PII of yours, it's a heads up that scammers might target you and/or your family with that information.
For work use: To monitor which sites/services employees use with work email addresses, and use it as a reminder/re-enforcement that they should rotate credentials used on that service, and if they're reusing them at work - to change there, too.
- Apple: me.apple@example.com
- Google: me.google@example.com
- Uber: me.uber@example.com
- Tinder: me.tinder@example.com
- random business: me.randombusinessname@example.com
This helps me with the following:
- unique usernames and passwords for each service
- easily able to tell when a service sells my information or gets hacked/breached
- "haveibeenpwned" also allows mail server owners to get access to reports for all addresses on a domain and receive notifications on breaches
- much easier to remember and communicate with others as compared to iCloud hide my e-mail addresses
- on the outgoing/sending, re-writing the "from" address field in e-mails is very easy to do
I wish HIBP had a solution for those of us who are individuals but use a domain catchall to manage online accounts.
The ultimate tracking tool
Edit: it's also stated in the announcement:
> Just one little thing first - we've dropped username and phone number search support from the website
But it's really a bad time to remove this feature since there's an ongoing lawsuit against Facebook in Germany (https://www.vzbv.de/pressemitteilungen/facebook-datenleck-be..., German link) that utilized the search there to know if one can participate or not.
The reasons for dropping the feature as outlined in the announcement seem very reasonable to me considering the larger implications.
I think we’re backed to hacked
I just added my domain to the site again and I see "2,243 Total Breached Addresses", and "18 Addresses excluding Spam Lists", but I have no idea what they are. Attempting to click the links shows me I need to "upgrade" to see them, and the download of excel and JSON result in 404 errors.
Too bad, I guess if you have only a single email address it might be good to get informed, but if you use a domain with multiple addresses it's way less useful.
And yes, the subscribe restrictions for domain searches are annoying.
But Troy and family also need to eat, so I understand the need for a payment part, especially for companies.
We just ended up in the grey zone in between. I wish there were some more nuances, but then again, HIBP can't cater for every edge case unless they want to hire lots of devs and customer services.
I ended up signing up for a subscription, checked my domains, and then cancelled the subscription. It felt a little cumbersome, but ok. A non-recurring 2-day access would have worked for me...
If so, this is called “email tumbling” and services exist to strip the “per-company” part to expose your main email.
But in the end I settled on facebook@example.com, instagram@example.com, and similar obvious names.
As opposed of having facebook@smthg.com only
Checking the passwords, "password" has been pwned >21 million times. I don't know what I expected.
on the other hand, they will be great for the api/business pages
2) When clicking "details" on one of the search results, and then the back button, the search results disappear.
3) Other than that, thanks man great service!
Sorry that's happened to you. The only remedy I can think of is get a non-commercial proxy in some "recommended" country like through a friend.
I understand the rationale to hide the details, but bad actors like criminals probably have the source file with the details anyway.
What annoys me is that it is good to know that your email appears in a random pastebin agglomerating hundreds of leaks but if they don't give the exact name and date of the site, and without seeing the password it is hard to know who leaked your data and which password to change.
The worst part is that I used to use a very shitty simple password for all the sites that ask for one without needing one (let's say media with a free subscription needed to read a single article, a free conference or online webinar, ...), and these ones are the best targets for leaks despite them being totally harmless if you take care to not give your personal info inside.
> I wanted to make a quick note of this here, as AI seems to be either constantly overblown or denigrated.
This just gestures at middle-of-the-road thinking.
So what’s this begrudging note about? To set us on the correct course in the middle of the road?
> I'd say it was right 90% of the time, too, and if you're not using AI aggressively in your software development work now (and I'm sure there are much better ways, too) I'm pretty confident in saying "you're doing it wrong".
Well done. AI plug done.
I don’t see how that statement fulfills the implied middle-of-the-road opinion though.
The fallback suggestions mentioned in the article are "try clicking the box again" and "try reloading the page"
I'm slowly starting to wonder if I should start sending snail mail to companies that block me, instead of resigning to go somewhere else. HIBP is a free web service and shops have no obligation to serve a given individual, but if everyone puts Cloudflare Turnstile, Google reCAPTCHA, etc. in front of their services, a "single-digit percentage" of people simply cannot participate in modern society. Similar markers (IP address misclassified as a bot range, unusual/old/infected browser, ...) will constantly be triggering for the same group.
I'm blocked logging into Slack due to an invisible captcha: https://snipboard.io/h1E86S.jpg
I was surprised I was failing to type this code over from my email, but no, that wasn't the issue. In the developer tools, the server fesses up that I'm detected as a "bot" again. As it's an invisible process, there's nothing I can do about it. This is a clean browser because it's for pentesting websites at work. No add-ons installed, no uBlock, no NoScript, no corporate configuration, nothing.
If even people within the same company fell victim to these filters, what chance would the wider public have? On the other side of my tenuous work/life balance, multiple friends that were long-time users of our product were also getting locked out of the site, and of course they had no means of understanding that they were false positives of a fraud detection heuristic, much less of getting individualized support. I know those people and that they were genuine good-faith users, but naturally, while I could pass on word of their struggle, I couldn't offer any actual help since that would disclose details about those heuristics that we were apparently paying good money for and wouldn't want the public to know anything about. I also saw social media discussions where other affected users were helplessly telling each other to try different browsers or reinstall Windows.
Of course, I understand the need to combat abuse of services (and I applaud this employer for many other measures taken in that effort), but it definitely did a number on my loyalty to the company and excitement to be part of the industry to realize that my friends and I would be readily sacrificed if push came to shove.
I feel the red circle with "Password compromised" is way too simplistic if this wants to be a TRUE trusty site regarding cybersecurity. If they just want to show fear and sell 1Password ads, I understand it, I won't consult it anymore. But if they want to really step up their game from a technical perspective, they should include more details.
I've leveraged this site a few times to show family members the pervasiveness of breaches and to recommend pw managers.
If a tool like this can help a few people increase their posture then I consider it a success.
Shouldn't it at least send you a link to verify that you control the address before showing your results?
EDIT: Seems like https://haveibeenpwned.com/OptOut does the trick.
I think it is a reasonable trade-off. For non-technical people (i.e. ~everyone) it provides a really useful service where you can see if your data has been leaked and what passwords to reset. For bad guys it makes their lives a little easier by creating a quick lookup and potentially knowledge about some leaks they weren't aware of, but ultimately there'd be a dark web version if HIBP didn't exist.
I think there's also a lot of PR value in a site like HIBP. If a non-technical person sees a headline like "400 million customer records leaked by Big Corp" it feels pretty abstract, but if you go and type your email address into HIBP and see a list of companies who have leaked your email address (and most likely some other data) it feels more personal.
I know some people use email tags, but maybe just rolling a new email might be better, followed by deleting unused dead accounts you will never use again.
https://medium.com/design-bootcamp/the-rise-of-linear-style-...
A similar design wave is also happening with internal dashboards and admin interfaces, thanks to https://ui.shadcn.com. Personally, I'm fine with the standardization of such functional interface designs.
btw, for Have I Been Pwned, this is Bootstrap[2] and I'm not surprised it is also inheriting those design styles.
1. https://tailwindcss.com/plus
2. https://getbootstrap.com