Have I Been Pwned 2.0
137 comments
·May 19, 2025neilv
nyokodo
> do direct deposits to many millions of people, every time there's new settlements paid
I wish I could easily donate my tiny settlements to a good cause. It might make it worth the time to register for the class.
Avicebron
Probably impossible, but create a slush fund where companies that behave badly are forced to pay into so we can do things like fix roads and build housing.
_heimdall
We could also design some kind of electoral process for picking those in charge of defining the rules and creating yet more bodies to enforce it.
Maybe this time we can come up with a better way to disincentivize corruption and bribery.
GuinansEyebrows
HN Invents Taxes And Fines
mulmen
The idea of fines as a revenue stream has never sat well with me. Fines are meant to be a disincentive. The ideal collection amount is zero. Treating them as a revenue stream creates a perverse incentive to enforce the penalty without disincentivizing the behavior.
idiotsecant
Wow I think you just launched a political party I would vote for
Covzire
I'd donate a bit to make this a reality if someone had a chance at pulling such a service off.
throwaway8eor
I think this would have a negative effect.
Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.
I would rather know that a company messed up and change my password, than not knowing
BrenBarn
I'm not sure, the effect would be to increase the riskiness of nondisclosure. If you disclose and get fined, that would be bad, but if you don't reveal and the penalty for nondisclosure is bankruptcy for the company and all its executives, that would be worse.
pfranz
> I think this would have a negative effect.
How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.
The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.
mock-possum
Only get a couple bucks from these class action lawsuits - give ‘em a 15% discount or something if they own up to it publicly, I don’t mind getting $18 instead of $20
dylan604
>Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
and how long until that data is breached?
Tubelord
Stock market is too illogical. Seems like a dip buy opportunity every time.
I bet companies even buyback after these dips.
bix6
Take my money. Still waiting for Blue Shield to pay me for selling my health info to Google.
gerdesj
"He should partner with a law firm"
He is a Microsoft employee.
paranoidrobot
No, he's not.
https://www.troyhunt.com/about/ says "I don't work for Microsoft"
gerdesj
"Microsoft Regional Director"
We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.
null
AdamH12113
Amazing that even within the last decade a site as large as LinkedIn could be storing unsalted passwords. How does anyone fail at this in the modern era?
miki123211
It's actually really easy to do unintentionally. For an intervening middleware, a password field in a JSON object is just like any other field in a JSON object.
You may have some kind of logging / tracking / analytics somewhere that logs request bodies. You don't even have to engage in marketing shenanigans for that to be a problem, an abuse prevention system (which is definitely a necessity at their scale) is enough.
Storing unsalted passwords in the "passwords database" is uncommon. Storing request logs from e.g. the Android app's API gateway, and forgetting to mark the `password` field in the forgot password flow as sensitive? Not so uncommon.
jeffparsons
A company as big as LinkedIn should have bots continually accessing their site with unique generated passwords etc., and then be searching for those secrets in logging pipelines, bytes on disk, etc. to see where they get leaked. I know much smaller companies that do this.
Yes, it's easy to fuck up. But a responsible company implements mitigations. And LinkedIn can absolutely afford to do much more.
some_random
There are so many things that companies as big as linkedin should be doing but aren't :(
knowitnone
that would require hiring a security personnel which they can't afford to do. /s
taberiand
Would this be solved by providing the client with a (frequently rotated) public key to encrypt the password field specifically before submitting to the server, so that the only place it can be decrypted and stored is the authentication service at the very end of its journey through the network?
riknos314
A new public key per password-mutating session is quite an interesting idea.
It does have some challenges in introducing a read-before-write to fetch the session key at the start of the session, but given the relatively low call volume of such flows that might be a small price to pay to simplify security audits and de-risk changes to any service in the call chain.
korm
They must have not asked enough Leetcode Hard questions in interviews.
Svoka
I am stealing this. Made my day :)
paranoidrobot
LinkedIn at one point were continually pressuring people into handing over their email credentials in the name of making it easy to find your contacts.
So yeah, LinkedIn have never been exactly a bastion of IT Security.
hoseyor
For all the talk of AI Slop, I don’t hear much about the fact that we have been suffering from Outsourced Slop for decades now. I suspect that is how this kind of thing also fail at LinkedIn. I say that based on my experience dealing with outsourcing companies and the product they produce through outsourced programmers.
It’s really just been a similar problem as with AI code, that without strong and competent management that can set intelligent expectations and requirements and test for them, you will surely get what appears to all the business and leadership types like an equivalent product, without any sense that it’s slop underneath the surface.
sally_glance
I'm on board with the cheap offshore and bad incentives motiv, but feel this has to be augmented with a mention of the senior cowboy coder (who just went into retirement). Most likely in the future these stereotypes will be joined by vibe coders and AI-powered juniors, but as someone working this industry for a couple of decades give or take - we've learned how to deal with these by now.
null
mschuster91
> How does anyone fail at this in the modern era?
Most probably some ancient legacy mainframe or whatnot other integration that nobody really has the time and budget to clean up and migrate to something more modern.
The larger the company, the larger the risk for ossification of anything deemed "business critical" because even a minuscule outage of one hour now is six if not seven figures worth of "lost" time.
fwip
LinkedIn isn't old enough to have anything ancient. It was launched in 2003, and even then you'd get laughed at for suggesting storing passwords in plaintext.
Sohcahtoa82
Plaintext, sure, but it was certainly common still to use SHA-256 which is very quickly cracked if your password is short.
bongodongobob
Doesn't mean that the infra is still ancient. What I see a lot is tech debt from migrations. Lots of times both the old and new systems have to work together for a period of time, so you leave certain legacy protocols and flags in place for the transition period and then the new system is never fully "updated" to the new standards. Pre win2k AD, file path lengths, encryption protocols, etc etc. Sure, the new system is "up to date" but the old compatibility settings remain.
nikcub
Lots of regular people use Have I Been Pwned and sending them to 1Password is probably the single best thing you could do for them (I know it's a sponsorship - but it's a very complimentary one).
I'd make the language around that promo banner stronger (ie. "We strongly recommend") and make it stand out more on the page.
So many social media accounts get hacked[0] because of shared passwords and those affected users often end up on the site - funnelling them to a password manager and a reason why it's good hygiene is great.
ps. congrats on the relaunch!
[0] I've probably assisted 20+ such cases in the past ~12 months
standardUser
It shows you a vertically scrolling timeline (with logos and blurbs) of all the data breaches that have exposed your email. How delightfully horrifying.
MattSayar
Makes me feel a little powerless. The only thing I can really do is freeze my credit
rainonmoon
Use multi-factor authentication and strong, unique passwords for everything and you'll never have to worry about this.
SLWW
what?
Why not just use different passwords for different things. I'd recommend something like privacy.com so you can generate a bunch of one-use cc cards when doing shopping on sites you don't trust and the like.
Also don't willingly give up valuable personal information unless it's absolutely necessary, it's also not illegal to give online services outright false information (incorrect birthdates for example) which, in the event of a future data breach of that service, now at least those who would plan to benefit from your personal information might have some difficulties resetting important accs and the like.
You just gotta be smart, it's not about being powerless, HIBP and the service is just one tool to make you aware of what's out there before it gets used against you. (I would highly recommend setting up notifications for important e-mail addresses)
XorNot
Application specific credit card numbers really needs to be a legally required thing.
My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.
Of course for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by ED25519 public keys for identity?)
EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.
85392_school
Does anyone else feel like the new design feels less trustworthy? I've probably just been conditioned on too many templates that all look the same, and there's nothing inherently wrong with it, yet it makes me wonder if I've accidentally opened a ripoff instead of the real thing.
BubbleRings
I’ve never been able to figure out how haveibeenpwned.com can be useful to me, since I have had the same email address for many years and I don’t want to give it up. Do people get a new primary email address every time their address shows up in a breach list like haveibeenpwned ?
paranoidrobot
For personal use: To know what services you use have been breached. You can then follow it up with ensuring you rotate the password on that site/service.
If they have other PII of yours, it's a heads up that scammers might target you and/or your family with that information.
For work use: To monitor which sites/services employees use with work email addresses, and use it as a reminder/re-enforcement that they should rotate credentials used on that service, and if they're reusing them at work - to change there, too.
MarioMan
It's more than just the email. If you're in the breach, it might now publicly tie your email to things like your real name. You also have to worry if you reuse passwords (which you shouldn't do even if you haven't been in a breach), because now the password in the breach is known to be used with that email address, and attackers will pivot to other services to try those same credentials elsewhere.
salomonk_mur
They change their passwords...
gerdesj
Your identity isn't a problem! Its the password bit.
diggan
Who has the record for being in the most breaches? My main email seems to currently be in 40 breaches, earliest one in from June 2011 (HackForums, don't even remember what that is), and last one in September 2024 (FrenchCitizens, although I'm not French nor have I ever lived in France).
Brajeshwar
I'm almost there with you with 35. I checked both of most used emails, and they are at 35 and 32.
edm0nd
HackForums is a popular skid forum ran by an FBI informant who lives in Vegas
YPPH
For those who would prefer to stay a little more under the radar, you can hide results from a search of your email appearing on this service.
cypherpunks01
Thanks for the info!
For anyone considering, here are the 3 opt-outions that appear after you email verify:
1. Just remove my email address from public search
No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.
2. Remove my email address from public search and delete the list of breaches it appears in
Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.
3. Delete my email address completely
The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.
coolcase
What if the opt out list gets pwned?
eddythompson80
I assume if that ever happens, someone will register https://haveibeenpwnedbyhaveibeenpwned.com. It'll be the top post of HN for a couple of says while everyone argues in the comments about how the state of online security is "fundamentally broken" while someone asks if they can sue. Then we'll all forget and move on.
mNovak
Is there a term for this trend in web design, with defaulting to dark mode and having slick gradients everywhere?
Brajeshwar
Not too far in the past, when Bootstrapped themes were becoming the face of the Internet, a new framework came to town — TailwindCSS. The smart thing they did was introduced the framework with a few brilliant template and a lot of styled components. I bought the initial copy and does a lot of people. Those templates, TailwindUI.com (now TailwindCSS.com/plus)[1] became the gradien-y, dark-ish, glow-y design you see a lot these days.
A similar design wave is also happening with internal dashboard, admin interfaces. Thanks to https://ui.shadcn.com Personally, I'm fine with the standardization of such functional interface designs.
btw, for Have I Been Pwned, this is Bootstrap[2] and I'm not surprised it is also inheriting those design styles.
aetherspawn
I think GitHub kinda did it first on their desktop home page, but that has been out for years.
rainonmoon
As someone who frequented a lot of video game-centric Invision Power Boards in the early 2000s, this is deeply insulting.
burgerrito
I actually think I saw it on Linear (the issue tracker app) first. Who knows
MarcelOlsz
I feel like that was a subtype within the style that Stripe popularized.
kevinsundar
It was first popularized by Linear
https://medium.com/design-bootcamp/the-rise-of-linear-style-...
SchemaLoad
Not sure which was first, but I associate this style a lot with Apple's product pages like https://www.apple.com/au/macbook-pro/
mslev
The new design looks great, and I always love following Troy's updates (although sometimes with semi-morbid curiosity).
I do find the timeline to be a little confusing- it seems to be ordered from earliest breach to most recent, but the dates on the timeline don't match that, as they seem to be when the data was leaked?
Display: breach date Ordering: breach published date?
I think it might be clearer to order + display the published date, and in the cards themselves show the breach date in a standard way.
msephton
Interestingly, the timeline is not chronological for me? I can't seem to figure it out the order it is in.
jmward01
This is a great site. Thanks for making it! I wish governments would take this kind of thing seriously though. Identity theft/stealing accounts/etc etc all starts with breaches like this and in the modern world it is often less devastating to have someone break into your house than to break into your digital life. With a break in you will get actual support in the form of a phone number to call (911 in the US) and real people doing real work to track down who did it and stop them. With the digital world you have nobody to call and even if you did I doubt much followup would happen. Society needs to change gears on this stuff and actually take it seriously.
He should partner with a law firm, for class action lawsuits, for every breach due to negligence (which is probably all of them).
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be.