Two billion email addresses were exposed

esnard | 133 points

There have been enough data breaches at this point that I'm sure all my info has been exposed multiple times (addresses, SSN, telephone number, email, etc). My email is in over a dozen breaches listed on the haveibeenpwned site. I've gotten legal letters about breaches from colleges I applied to, job boards I used, and other places that definitely have a good amount of my past personal information. And that's not even counting the "legal" big data/analytics collected from past social media, Internet browsing, and whatever else.

I now use strong passwords stored in Bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.

Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.

naet | an hour ago

On the plus side, Troy can save a lot of DB space now. Instead of storing which emails have been compromised at this point he can replace that with just

    def email_compromised(email):
        return True
jerf | 28 minutes ago

Are there any email services which allow basically unlimited aliases with long, random names?

I'm using my own domain right now, but that can only uncover who has leaked my data; it does not provide additional privacy.

ptrl600 | 2 minutes ago

The downside to having many vanity URLs and giving out a unique email address to each website you visit is that you cannot use haveibeenpwned without paying (despite being a single human). I have no idea how many email addresses I've given out over the years, probably hundreds across at least 6 or 7 domains, and they want to charge me a monthly fee to see which of those have been pwned.

I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.

worldfoodgood | an hour ago

[delayed]

debugnik | 3 minutes ago

I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data know what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what passwords were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."

There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the passwords it found. But I'm not going to reset 500+ passwords because one of them might have been compromised. It seems like we must rely on our password managers (Bitwarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

jimmar | 31 minutes ago
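The mechanism password managers use for that per-password check is the Pwned Passwords range query (k-anonymity): the client hashes the password with SHA-1, sends only the first five hex characters of the digest to https://api.pwnedpasswords.com/range/, and matches the remaining 35 characters locally against the returned list. Below is an added example of that client-side logic, not code from the thread or from HIBP. The range body, the hit count and the `FakeRangeServer` stand-in are constructed so it runs offline; `fetch_range_live` shows the real request shape but is not exercised here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Real Pwned Passwords range endpoint; only a 5-hex-char SHA-1 prefix is ever sent to it.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that goes over the
    wire and the 35-char suffix that never leaves the client."""
    if len(digest) != 40:
        raise ValueError("expected a 40-char SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF). With the Add-Padding header the
    server mixes in dummy suffixes with COUNT 0; those must not count as hits."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    fetch_range is injected so the lookup can be replayed offline."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network version of the range lookup. Not exercised in the offline demo."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-lookup-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a server response: a made-up hit count for "password"
# (SHA-1 5BAA61E4...), one unrelated suffix, and one zero-count padding entry.
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)


class FakeRangeServer:
    """Records which prefixes were requested and answers each with the sample body."""

    def __init__(self, body: str) -> None:
        self.body = body
        self.requested: List[str] = []

    def __call__(self, prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("client sent more than the 5-char prefix")
        self.requested.append(prefix)
        return self.body


def lookup_trace(password: str, body: str = SAMPLE_RANGE_BODY) -> Tuple[int, List[str]]:
    """Run one offline lookup and return (hit count, prefixes that went over the wire)."""
    server = FakeRangeServer(body)
    return breach_count(password, server), server.requested


if __name__ == "__main__":
    for pw in ("password", "x7!QvLm2#pZr9wTe-constructed-strong"):
        count, sent = lookup_trace(pw)
        print(pw, "->", count, "| sent:", sent)
```

The point the thread circles around is visible in `lookup_trace`: the server only ever learns `5BAA6`, which covers hundreds of candidate hashes, so a manager can check every stored password without disclosing any of them. The same prefix trick does not exist for email-address searches, which is why HIBP's email lookup is an all-or-nothing answer rather than a per-secret one.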

My data was exposed in one of the Facebook leaks and it turned out I had an old email on my Facebook account with a domain I had since let lapse and abandoned. Someone else registered the domain and tried to take over my Facebook account by sending a password reset request using it. Luckily I had 2FA and I guess Facebook's fraud alerts picked it up, so it wasn't successful.

I guess what I want to say is beware that even something as innocuous as an email being leaked can cause problems, and make sure you delete any unused addresses from your accounts!

imgabe | an hour ago

I’ve always had a bit of a chip on my shoulder about HIBP’s switch to charging for domain searches. It felt a bit like those travel visa scalpers who charge 50 CURRENCY_UNIT to file an otherwise gratis form on your behalf.

Law enforcement should provide this kind of service as a public good. They don’t, but if you do instead, I don’t think it’s cool to unilaterally privatize the service and turn it into a commercial one.

I voted with my feet but this post feels like a good enough place to soapbox a bit!

gorgoiler | 7 minutes ago

Post should've been titled "1.3 billion passwords were exposed", because, even though the number is slightly smaller, it actually represents something much more important.

jlund-molfese | an hour ago

Cynicism is everywhere these days but these events really don't register for me anymore. Companies aren't punished by the government for these leaks and they aren't punished by consumers either. What incentive is there to reduce this data collection in the first place or to lock down your databases?

Even if someone's security is awful as the consumer and their account gets hacked because of these leaks, what are the actual consequences of that? Oh bummer, they need to reset their password and make a few phone calls to their bank to reverse the fraudulent charges then life goes on. Techies view that as unacceptable but most don't really care.

hypeatei | 41 minutes ago

- Set up a website with an article that 3 billion emails were exposed
- Offer a form to check if your email was leaked
- Start getting a confirmed emails list

cryptoegorophy | 10 minutes ago

The bit at the end about email deliverability was also interesting:

Notifying our subscribers is another problem... in terms of not ending up on a reputation naughty list or having mail throttled by the receiving server .... Not such a biggy for sending breach notices, but a major problem for people trying to sign into their dashboard who can no longer receive the email with the "magic" link.

And this observation he got from someone:

the strategy I've found to best work with large email delivery is to look at the average number of emails you've sent over the last 30 days each time you want to ramp up, and then increase that volume by around 50% per day until you've worked your way through the queue

rkagerer | 33 minutes ago

It boggles my mind that most email providers don't have a way to generate aliases for sign ups. Looks like Proton and Fastmail support it.

brikym | 21 minutes ago

I think we should stop seeing email addresses as a secret or something that can be "stolen". Password? Who is still storing passwords on their servers, instead of a hash?

zkmon | an hour ago

Is there any real drawback to just never giving your real name or address to service providers to minimise the chance of identity theft? Most likely it’s against terms of service, but other than account suspension are you likely to suffer any legal consequences?

eckesicle | 38 minutes ago

Amidst all of these pwnings, we still don't have a standard way to update our passwords from our password managers automatically.

gausswho | an hour ago

I have really started to use the 'Hide my email' feature from iCloud. It's been so nice. If an email gets pwned, which often happens from a service I stopped using many moons ago, then I just deactivate or delete the email address. I imagine many other services provide this feature as well, but it's what's most convenient for me at this time.

hirvi74 | an hour ago

Can anyone enlighten me why an exposed email address is an issue? I get it if it's some kinda admin@foo.com but my private mail, why would I care? It's not like they have my password?

zwnow | an hour ago

It's honestly very hard to even care at that scale.

joe5150 | an hour ago

I have a throwaway email address for every website that requires signup. And a new password for every signup. Using Fastmail and a password manager. When email addresses/passwords leak, I know which one I have to replace.

submeta | 44 minutes ago
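Two comments above describe the own-domain approach: one asks for unlimited aliases with long random names on a domain you control, the other uses a distinct throwaway address per signup so a leak tells you which service lost it. An added example of one way to get both properties without keeping an alias database follows; it is not code from the thread or from any provider mentioned. Each alias is `<site-label>.<hmac-tag>@<your-domain>`, where the tag is an HMAC of the label under a secret only you hold, so the alias is deterministic (you can regenerate it), the owning site is readable from any leaked copy, and a harvester cannot mint valid addresses on your domain by guessing labels. `ALIAS_DOMAIN`, `ALIAS_SECRET` and the sample dump lines are constructed placeholders.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, Optional

# Assumptions (not from the thread): a catch-all domain you control and a secret
# kept only in your password manager. Both values here are constructed placeholders.
ALIAS_DOMAIN = "aliases.example"
ALIAS_SECRET = b"constructed-secret-replace-with-32-random-bytes"
TAG_HEX_CHARS = 12  # 48 bits of tag: unguessable for a harvester, still typeable
_TAG_RE = re.compile(r"[0-9a-f]{%d}" % TAG_HEX_CHARS)


def site_label(site: str) -> str:
    """Normalise a site name into a lowercase, dot-free label for the local part."""
    label = re.sub(r"[^a-z0-9]+", "-", site.lower()).strip("-")
    if not label:
        raise ValueError("site name has no usable characters")
    return label


def _tag(label: str, secret: bytes) -> str:
    return hmac.new(secret, label.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


def make_alias(site: str, secret: bytes = ALIAS_SECRET, domain: str = ALIAS_DOMAIN) -> str:
    """Deterministic per-site address <label>.<tag>@<domain>; the same site always
    yields the same alias, so nothing needs to be stored."""
    label = site_label(site)
    return f"{label}.{_tag(label, secret)}@{domain}"


def identify_alias(address: str, secret: bytes = ALIAS_SECRET, domain: str = ALIAS_DOMAIN) -> Optional[str]:
    """Return the site label an address was issued to, or None when it is not ours:
    wrong domain, malformed local part, or a tag that was guessed or forged."""
    local, at, dom = address.strip().lower().rpartition("@")
    if not at or dom != domain.lower():
        return None
    label, dot, tag = local.rpartition(".")
    if not dot or not label or not _TAG_RE.fullmatch(tag):
        return None
    # constant-time compare so a catch-all filter built on this does not leak timing
    return label if hmac.compare_digest(_tag(label, secret), tag) else None


def triage_leak(leaked: Iterable[str], secret: bytes = ALIAS_SECRET,
                domain: str = ALIAS_DOMAIN) -> Dict[str, Optional[str]]:
    """Map each leaked address to the site it was issued to (None = not ours or forged)."""
    return {addr: identify_alias(addr, secret, domain) for addr in leaked}


if __name__ == "__main__":
    shop = make_alias("Some Shop")
    # Constructed "breach dump" lines: our real alias (case mangled by the dump),
    # a forged tag on our domain, and a stranger's address.
    dump = [shop.upper(), f"some-shop.000000000000@{ALIAS_DOMAIN}", "someone@example.com"]
    for addr, site in triage_leak(dump).items():
        print(addr, "->", site or "not ours / forged")
```

Two caveats. The scheme answers "who leaked it" and blocks guessed aliases, but it does not address the privacy concern raised above: every alias still ends in your domain, so any two sites can trivially link their records to the same person. And once a site's alias has leaked, regenerating it gives you the same address; rotate by changing the label (for example `some-shop-2`), which invalidates nothing else.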