He should partner with a law firm, for class action lawsuits, for every breach due to negligence (which is probably all of them).
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be.
nyokodo · 3h ago
> do direct deposits to many millions of people, every time there's new settlements paid
I wish I could easily donate my tiny settlements to a good cause. It might make it worth the time to register for the class.
Avicebron · 3h ago
Probably impossible, but create a slush fund where companies that behave badly are forced to pay into so we can do things like fix roads and build housing.
_heimdall · 1h ago
We could also design some kind of electoral process for picking those in charge of defining the rules and creating yet more bodies to enforce it.
Maybe this time we can come up with a better way to disincentivize corruption and bribery.
GuinansEyebrows · 2h ago
HN Invents Taxes And Fines
mulmen · 2h ago
The idea of fines as a revenue stream has never sat well with me. Fines are meant to be a disincentive. The ideal collection amount is zero. Treating them as a revenue stream creates a perverse incentive to enforce the penalty without disincentivizing the behavior.
OptionOfT · 1h ago
This is literally what happened in Belgium when politicians did budget. A piece of the expected slice was traffic fines.
So that means that any kind of system that would improve traffic other than repressive measures would cost them twice, once to fix the situation and again when they can issue less fines.
mcmcmc · 1h ago
If your ideal is a perfect society where everyone follows the all rules all the time you are going to be sorely disappointed. The ideal collection amount is the size of the fine multiplied by the actual occurrence of the offense. And that revenue should be strictly used for rehabilitative or restorative justice. For example, speeding fines should go to road improvements that deter speeding making roads safer. If no one’s speeding, there’s no need for that. But people will always break the law.
deepsun · 45m ago
The safest road is the closed one.
I just want to say that in modern times safety is put as #1 priority, while it's actually always a balance. E.g. we wanted the safest airline industry, we'd close the airports. But we balance the safety vs usefulness.
mulmen · 58m ago
Yes I agree. I was replying to the suggestion to put the proceeds from fines into a general slush fund. Doing that creates an incentive to use speeding tickets to pay for police overtime and radar guns instead of traffic calming infrastructure.
tutorialmanager · 1h ago
Just like police departments use asset forfeiture to get money to buy their “toys” while innocent people lose their cash and cars because carrying cash is suspicious.
anamexis · 1h ago
I think the problem is:
1. How else would you penalize businesses?
2. What else would you do with fines?
If fines exist, it would seem foolish not to budget around that.
watercolorblind · 1h ago
Maybe a uniform tax credit/refund for each citizen that is covered by that level of government. We the citizens can then decide if we fix the issue or continue to generate fines, but at least the budget isn't expecting revenue that could disappear (like the lack of traffic tickets during the beginning of COVID).
j_w · 1h ago
Governments should not operate fiscally like corporations. A financial institution will budget around fees because it's in their benefit for their customers to incur fees. A government should not budget around fines because they want the behavior which was fined to not occur at all.
craigdalton · 1h ago
How about fines go into a sovereign wealth fund (but not be seen as major source for the fund- more a bonus) so there is no short term budget planning based on fine revenue.
idiotsecant · 3h ago
Wow I think you just launched a political party I would vote for
tylerflick · 2h ago
We shall call it the Turtle Party, inspired by the Turtle Religion. Turtles all the way down.
glial · 1h ago
> companies that behave badly are forced to pay
Isn't this just regulation?
brewdad · 31m ago
It’s a form of regulation. We could also put the sysadmin and the CIO to death every time there is a data breach but we, as a society, have decided that is too extreme. We could also choose to simply wag our fingers and hope the shame they feel will prevent a repeat. Fines seem to strike a balance.
hx8 · 2h ago
Fine companies to fund bridges.
gruez · 2h ago
That sounds like a great slogan, but you really don't want a justice system that's has an additional mandate to collect revenue. It's basically civil forfeiture all over again
idiotsecant · 1h ago
Isn't that...taxation? Seems alright to me!
kevindamm · 1h ago
fines ≠ taxes
Covzire · 3h ago
I'd donate a bit to make this a reality if someone had a chance at pulling such a service off.
dylan604 · 1h ago
>Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
and how long until that data is breached?
Tubelord · 32m ago
Stock market is too illogical. Seems like a dip buy opportunity every time.
I bet companies even buyback after these dips.
throwaway8eor · 2h ago
I think this would have a negative effect.
Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.
I would rather know that a company messed up and change my password, than not knowing
pfranz · 21m ago
> I think this would have a negative effect.
How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.
The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.
mock-possum · 2h ago
Only get a couple bucks from these class action lawsuits - give ‘em a 15% discount or something if they own up to it publicly, I don’t mind getting $18 instead of $20
No he isn't, MVP and MRD are recognition programs for contributions to the community.
bix6 · 2h ago
Take my money. Still waiting for Blue Shield to pay me for selling my health info to Google.
AdamH12113 · 3h ago
Amazing that even within the last decade a site as large as LinkedIn could be storing unsalted passwords. How does anyone fail at this in the modern era?
miki123211 · 2h ago
It's actually really easy to do unintentionally. For an intervening middleware, a password field in a JSON object is just like any other field in a JSON object.
You may have some kind of logging / tracking / analytics somewhere that logs request bodies. You don't even have to engage in marketing shenanigans for that to be a problem, an abuse prevention system (which is definitely a necessity at their scale) is enough.
Storing unsalted passwords in the "passwords database" is uncommon. Storing request logs from e.g. the Android app's API gateway, and forgetting to mark the `password` field in the forgot password flow as sensitive? Not so uncommon.
jeffparsons · 2h ago
A company as big as LinkedIn should have bots continually accessing their site with unique generated passwords etc., and then be searching for those secrets in logging pipelines, bytes on disk, etc. to see where they get leaked. I know much smaller companies that do this.
Yes, it's easy to fuck up. But a responsible company implements mitigations. And LinkedIn can absolutely afford to do much more.
some_random · 1h ago
There are so many things that companies as big as linkedin should be doing but aren't :(
knowitnone · 1h ago
that would require hiring a security personnel which they can't afford to do. /s
_heimdall · 1h ago
I think the new approach is to "hire" LLM agents to do the job, unless the hiring manager can prove they exhausted all ways an LLM could possibly have done the task.
korm · 3h ago
They must have not asked enough Leetcode Hard questions in interviews.
Svoka · 3h ago
I am stealing this. Made my day :)
paranoidrobot · 8m ago
LinkedIn at one point were continually pressuring people into handing over their email credentials in the name of making it easy to find your contacts.
So yeah, LinkedIn have never been exactly a bastion of IT Security.
hoseyor · 2h ago
For all the talk of AI Slop, I don’t hear much about the fact that we have been suffering from Outsourced Slop for decades now. I suspect that is how this kind of thing also fail at LinkedIn. I say that based on my experience dealing with outsourcing companies and the product they produce through outsourced programmers.
It’s really just been a similar problem as with AI code, that without strong and competent management that can set intelligent expectations and requirements and test for them, you will surely get what appears to all the business and leadership types like an equivalent product, without any sense that it’s slop underneath the surface.
sally_glance · 2h ago
I'm on board with the cheap offshore and bad incentives motiv, but feel this has to be augmented with a mention of the senior cowboy coder (who just went into retirement). Most likely in the future these stereotypes will be joined by vibe coders and AI-powered juniors, but as someone working this industry for a couple of decades give or take - we've learned how to deal with these by now.
mschuster91 · 3h ago
> How does anyone fail at this in the modern era?
Most probably some ancient legacy mainframe or whatnot other integration that nobody really has the time and budget to clean up and migrate to something more modern.
The larger the company, the larger the risk for ossification of anything deemed "business critical" because even a minuscule outage of one hour now is six if not seven figures worth of "lost" time.
fwip · 3h ago
LinkedIn isn't old enough to have anything ancient. It was launched in 2003, and even then you'd get laughed at for suggesting storing passwords in plaintext.
Sohcahtoa82 · 3h ago
Plaintext, sure, but it was certainly common still to use SHA-256 which is very quickly cracked if your password is short.
bongodongobob · 2h ago
Doesn't mean that the infra is still ancient. What I see a lot is tech debt from migrations. Lots of times both the old and new systems have to work together for a period of time, so you leave certain legacy protocols and flags in place for the transition period and then the new system is never fully "updated" to the new standards. Pre win2k AD, file path lengths, encryption protocols, etc etc. Sure, the new system is "up to date" but the old compatibility settings remain.
malfist · 2h ago
This is also how feature flag services become mission critical because everything gets launched behind feature flags that never get cleaned up
nikcub · 2h ago
Lots of regular people use Have I Been Pwned and sending them to 1Password is probably the single best thing you could do for them (I know it's a sponsorship - but it's a very complimentary one).
I'd make the language around that promo banner stronger (ie. "We strongly recommend") and make it stand out more on the page.
So many social media accounts get hacked[0] because of shared passwords and those affected users often end up on the site - funnelling them to a password manager and a reason why it's good hygiene is great.
ps. congrats on the relaunch!
[0] I've probably assisted 20+ such cases in the past ~12 months
BubbleRings · 36m ago
I’ve never been able to figure out how haveibeenpwned.com can be useful to me, since I have had the same email address for many years and I don’t want to give it up. Do people get a new primary email address every time their address shows up in a breach list like haveibeenpwned ?
paranoidrobot · 11m ago
For personal use: To know what services you use have been breached.
You can then follow it up with ensuring you rotate the password on that site/service.
If they have other PII of yours, it's a heads up that scammers might target you and/or your family with that information.
For work use: To monitor which sites/services employees use with work email addresses, and use it as a reminder/re-enforcement that they should rotate credentials used on that service, and if they're reusing them at work - to change there, too.
MarioMan · 21m ago
It's more than just the email. If you're in the breach, it might now publicly tie your email to things like your real name. You also have to worry if you reuse passwords (which you shouldn't do even if you haven't been in a breach), because now the password in the breach is known to be used with that email address, and attackers will pivot to other services to try those same credentials elsewhere.
gerdesj · 19m ago
Your identity isn't a problem! Its the password bit.
salomonk_mur · 15m ago
They change their passwords...
standardUser · 3h ago
It shows you a vertically scrolling timeline (with logos and blurbs) of all the data breaches that have exposed your email. How delightfully horrifying.
MattSayar · 3h ago
Makes me feel a little powerless. The only thing I can really do is freeze my credit
rainonmoon · 1m ago
Use multi-factor authentication and strong, unique passwords for everything and you'll never have to worry about this.
SLWW · 3h ago
what?
Why not just use different passwords for different things. I'd recommend something like privacy.com so you can generate a bunch of one-use cc cards when doing shopping on sites you don't trust and the like.
Also don't willingly give up valuable personal information unless it's absolutely necessary, it's also not illegal to give online services outright false information (incorrect birthdates for example) which, in the event of a future data breach of that service, now at least those who would plan to benefit from your personal information might have some difficulties resetting important accs and the like.
You just gotta be smart, it's not about being powerless, HIBP and the service is just one tool to make you aware of what's out there before it gets used against you. (I would highly recommend setting up notifications for important e-mail addresses)
XorNot · 3h ago
Application specific credit card numbers really needs to be a legally required thing.
My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.
Of course for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by ED25519 public keys for identity?)
EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.
diggan · 3h ago
> Application specific credit card numbers really needs to be a legally required thing.
My latest card (debit) one has a feature I've not seen elsewhere, but I think kind of solves that too. It has a new CVC number every 10 minutes, which I kind of both hate and love. Love it for the obvious reasons of "not even having the physical card lets you use it digitally" but also because I cannot have it 100% in my password manager, I have to use the banking app to get the latest CVC code when I need it.
koolba · 1h ago
I’ve want a physical one of these that changes both the CVC and the entire 16-digit number. Heck let the name submitted with the number be a longer checksum that can be verified at point of sale to figure out who’s actual account it is.
Plus then my gibberish name on my card number will match the gibberish secret question answers.
YPPH · 3h ago
For those who would prefer to stay a little more under the radar, you can hide results from a search of your email appearing on this service.
For anyone considering, here are the 3 opt-outions that appear after you email verify:
1. Just remove my email address from public search
No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.
2. Remove my email address from public search and delete the list of breaches it appears in
Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.
3. Delete my email address completely
The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.
85392_school · 3h ago
Does anyone else feel like the new design feels less trustworthy? I've probably just been conditioned on too many templates that all look the same, and there's nothing inherently wrong with it, yet it makes me wonder if I've accidentally opened a ripoff instead of the real thing.
pocketarc · 3h ago
No, I agree. This new version looks like someone using a cheap template with cheap gradients (I don’t know how else to describe the gradients), and it immediately makes it look less trustworthy.
No comments yet
diggan · 3h ago
Who has the record for being in the most breaches? My main email seems to currently be in 40 breaches, earliest one in from June 2011 (HackForums, don't even remember what that is), and last one in September 2024 (FrenchCitizens, although I'm not French nor have I ever lived in France).
edm0nd · 17m ago
HackForums is a popular skid forum ran by an FBI informant who lives in Vegas
montag · 2h ago
You’ve got me beat by 1. Congratulations
mtmail · 2h ago
john@yahoo.com is in 322 breaches.
aaronharnly · 26m ago
This is fun.
john@hotmail.com has 340!
mNovak · 3h ago
Is there a term for this trend in web design, with defaulting to dark mode and having slick gradients everywhere?
aetherspawn · 3h ago
I think GitHub kinda did it first on their desktop home page, but that has been out for years.
burgerrito · 3h ago
I actually think I saw it on Linear (the issue tracker app) first. Who knows
MarcelOlsz · 3h ago
I feel like that was a subtype within the style that Stripe popularized.
The new design looks great, and I always love following Troy's updates (although sometimes with semi-morbid curiosity).
I do find the timeline to be a little confusing- it seems to be ordered from earliest breach to most recent, but the dates on the timeline don't match that, as they seem to be when the data was leaked?
Display: breach date
Ordering: breach published date?
I think it might be clearer to order + display the published date, and in the cards themselves show the breach date in a standard way.
jmward01 · 2h ago
This is a great site. Thanks for making it! I wish governments would take this kind of thing seriously though. Identity theft/stealing accounts/etc etc all starts with breaches like this and in the modern world it is often less devastating to have someone break into your house than to break into your digital life. With a break in you will get actual support in the form of a phone number to call (911 in the US) and real people doing real work to track down who did it and stop them. With the digital world you have nobody to call and even if you did I doubt much followup would happen. Society needs to change gears on this stuff and actually take it seriously.
CobrastanJorji · 3h ago
Very cool.
Small bug report: I've been pwnd a few dozens times, and my timeline is not in calendar order. I see Adobe (October 2013), then LinkedIn (May 2012), then Dropbox (June 2012), then Lastfm (March 2012), then some 2016 ones, then Kickstarter in 2014, and then after that they start being more in order of the listed dates.
Casteil · 2h ago
Might be related to the 'breach disclosed/discovered' date? I noticed some of mine appeared out of chronological order, too.
nipperkinfeet · 3h ago
Too much scrolling. I prefer the old page.
gpi · 3h ago
Feels like doom scrolling
grg0 · 1m ago
It also scrolls like shit if you happen to be on a GPU not made in the last 10 years.
Saris · 1h ago
I really wish I could put in my domain name, I have so many aliases that it's basically impossible to search each one individually.
flas9sd · 1h ago
it's right there after the "The Domain Search Feature" heading. Verify ownership, then you get results
Saris · 32m ago
Ahh I see it on the footer of the website, a bit hidden!
I'm not sure I really need it for personal use, more just a cool thing to see, so I'm a bit undecided on paying for the domain feature. I can see it being useful for a business though where each email is a different employee dealing with accounts everywhere.
aaronharnly · 25m ago
You can pay for just one month at a time. I pay now and then and check in on my personal domain – like you, I use dozens of email addresses with a catchall.
luchris429 · 1h ago
I love this site! Though I do wonder how much this site also helps amateur hackers find where to search for a specific person's password. One way to deal with it could be to email the person their pwns.
edm0nd · 14m ago
As a security researcher who is into OSINT, HIBP is my first go to when obtaining an email address of interest. If it's found, it immediately helps me know which leaked DBs to go grep through and find more info about the target email addy.
Obtaining and storing TBs of leaked databases is another part of the puzzle that is always growing and a bit more complex.
glandium · 1h ago
There's something interesting in the domain search: some breaches contain addresses that... simply don't exist. Like B2BUSABusinesses has sales@mydomain.
hanatanaka1984 · 1h ago
Great service. I use regularly with extended family to convince use of MFA.
lynnharry · 38m ago
In our country, email has never been widely adopted among non-tech-savvy citizens. SMS verification remains the most popular—and likely safer—method.
geor9e · 47m ago
The input box doesn't work
tech234a · 3h ago
I regularly use plus codes on my email addresses when I sign up for services, is there a way to search for an email address and all associated plus codes? Last I checked I couldn’t find that functionality.
jsheard · 3h ago
If you use a custom domain, in the dashboard you can claim the whole domain and then see every breach for every address under it. Otherwise I don't think so.
bix6 · 2h ago
Awesome! My timeline is showing out of order though (starts with a 2013 then a 2019 then a 2011).
Buttons840 · 3h ago
A lot of companies I've never heard of before are leaking my data. :(
Can we make it so that companies I've never heard of before don't have my data in the first place?
lovich · 3h ago
My latest one was from these guys https://www.eye4fraud.com/ who I have never knowingly done business with. Almost too absurd to be true
dsissitka · 3h ago
> But now it's on a timeline you can scroll through in reverse chronological order, with each breach summarising what happened.
Maybe I'm reading it wrong but it looks like it might be a little off. I get:
- October 2013
- June 2008
- ...a bunch more...
- November 2021
- December 2020
dandellion · 3h ago
Not only is not in order, I tried a few emails and in all of them I get a bunch of sites that I've never used. I wonder if it's fetching the wrong data?
kbrosnan · 2h ago
I regularly have doppelgangers that sign up for services with my email address.
I've been added to door/visitor notifications. I have received medical information for them. Retirement package info. A telecom internal tracker. A Doubleclick account for a while. Lessons for their children. Countless rewards accounts.
rtrgrd · 2h ago
Am I the only one who is experiencing severe lag when scrolling on the new site (Firefox android)?
h1fra · 2h ago
nit: timeline should be most recent to least recent
charcircuit · 3h ago
This new design no longer links to the pastebins you were included in.
jpopesculian · 3h ago
It does at the very bottom of the list for me
charcircuit · 1h ago
For me it only shows a list of them and none of them are clickable.
rasz · 3h ago
Uncaught (in promise) Error: Invalid response from fetch: 401 -
at emailSearch.ts:295:19
at async HTMLButtonElement.<anonymous> (emailSearch.ts:43:23)
johnklos · 1h ago
I really wish Troy would've put a little more thought in to this before deciding to host using a for-profit corporation based in the US that wants to be a monopoly.
Will Cloudflare sell data to US TLA agencies? Probably.
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be.
I wish I could easily donate my tiny settlements to a good cause. It might make it worth the time to register for the class.
Maybe this time we can come up with a better way to disincentivize corruption and bribery.
So that means that any kind of system that would improve traffic other than repressive measures would cost them twice, once to fix the situation and again when they can issue less fines.
I just want to say that in modern times safety is put as #1 priority, while it's actually always a balance. E.g. we wanted the safest airline industry, we'd close the airports. But we balance the safety vs usefulness.
1. How else would you penalize businesses?
2. What else would you do with fines?
If fines exist, it would seem foolish not to budget around that.
Isn't this just regulation?
and how long until that data is breached?
I bet companies even buyback after these dips.
Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.
I would rather know that a company messed up and change my password, than not knowing
How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.
The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.
He is a Microsoft employee.
https://www.troyhunt.com/about/ says "I don't work for Microsoft"
You may have some kind of logging / tracking / analytics somewhere that logs request bodies. You don't even have to engage in marketing shenanigans for that to be a problem, an abuse prevention system (which is definitely a necessity at their scale) is enough.
Storing unsalted passwords in the "passwords database" is uncommon. Storing request logs from e.g. the Android app's API gateway, and forgetting to mark the `password` field in the forgot password flow as sensitive? Not so uncommon.
Yes, it's easy to fuck up. But a responsible company implements mitigations. And LinkedIn can absolutely afford to do much more.
So yeah, LinkedIn have never been exactly a bastion of IT Security.
It’s really just been a similar problem as with AI code, that without strong and competent management that can set intelligent expectations and requirements and test for them, you will surely get what appears to all the business and leadership types like an equivalent product, without any sense that it’s slop underneath the surface.
Most probably some ancient legacy mainframe or whatnot other integration that nobody really has the time and budget to clean up and migrate to something more modern.
The larger the company, the larger the risk for ossification of anything deemed "business critical" because even a minuscule outage of one hour now is six if not seven figures worth of "lost" time.
I'd make the language around that promo banner stronger (ie. "We strongly recommend") and make it stand out more on the page.
So many social media accounts get hacked[0] because of shared passwords and those affected users often end up on the site - funnelling them to a password manager and a reason why it's good hygiene is great.
ps. congrats on the relaunch!
[0] I've probably assisted 20+ such cases in the past ~12 months
If they have other PII of yours, it's a heads up that scammers might target you and/or your family with that information.
For work use: To monitor which sites/services employees use with work email addresses, and use it as a reminder/re-enforcement that they should rotate credentials used on that service, and if they're reusing them at work - to change there, too.
Why not just use different passwords for different things. I'd recommend something like privacy.com so you can generate a bunch of one-use cc cards when doing shopping on sites you don't trust and the like.
Also don't willingly give up valuable personal information unless it's absolutely necessary, it's also not illegal to give online services outright false information (incorrect birthdates for example) which, in the event of a future data breach of that service, now at least those who would plan to benefit from your personal information might have some difficulties resetting important accs and the like.
You just gotta be smart, it's not about being powerless, HIBP and the service is just one tool to make you aware of what's out there before it gets used against you. (I would highly recommend setting up notifications for important e-mail addresses)
My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.
Of course for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by ED25519 public keys for identity?)
EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.
My latest card (debit) one has a feature I've not seen elsewhere, but I think kind of solves that too. It has a new CVC number every 10 minutes, which I kind of both hate and love. Love it for the obvious reasons of "not even having the physical card lets you use it digitally" but also because I cannot have it 100% in my password manager, I have to use the banking app to get the latest CVC code when I need it.
Plus then my gibberish name on my card number will match the gibberish secret question answers.
https://haveibeenpwned.com/OptOut
For anyone considering, here are the 3 opt-outions that appear after you email verify:
1. Just remove my email address from public search
No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.
2. Remove my email address from public search and delete the list of breaches it appears in
Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.
3. Delete my email address completely
The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.
No comments yet
john@hotmail.com has 340!
https://medium.com/design-bootcamp/the-rise-of-linear-style-...
I do find the timeline to be a little confusing- it seems to be ordered from earliest breach to most recent, but the dates on the timeline don't match that, as they seem to be when the data was leaked?
Display: breach date Ordering: breach published date?
I think it might be clearer to order + display the published date, and in the cards themselves show the breach date in a standard way.
Small bug report: I've been pwnd a few dozens times, and my timeline is not in calendar order. I see Adobe (October 2013), then LinkedIn (May 2012), then Dropbox (June 2012), then Lastfm (March 2012), then some 2016 ones, then Kickstarter in 2014, and then after that they start being more in order of the listed dates.
I'm not sure I really need it for personal use, more just a cool thing to see, so I'm a bit undecided on paying for the domain feature. I can see it being useful for a business though where each email is a different employee dealing with accounts everywhere.
Obtaining and storing TBs of leaked databases is another part of the puzzle that is always growing and a bit more complex.
Can we make it so that companies I've never heard of before don't have my data in the first place?
Maybe I'm reading it wrong but it looks like it might be a little off. I get:
- October 2013
- June 2008
- ...a bunch more...
- November 2021
- December 2020
I've been added to door/visitor notifications. I have received medical information for them. Retirement package info. A telecom internal tracker. A Doubleclick account for a while. Lessons for their children. Countless rewards accounts.
Will Cloudflare sell data to US TLA agencies? Probably.