Two billion email addresses were exposed

naet

There have been enough data breaches at this point that I'm sure all my info has been exposed multiple times (addresses, SSN, telephone number, email, etc). My email is in over a dozen breaches listed on the Have I Been Pwned site. I've gotten legal letters about breaches from colleges I applied to, job boards I used, and other places that definitely have a good amount of my past personal information. And that's not even counting the "legal" big data/analytics collected from past social media, Internet browsing, and whatever else.

I now use strong passwords stored in bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.

Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.

kccqzy

Addresses? Most of the time addresses are a matter of public record. I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works. One day a close friend excitedly told me she bought a new house and I told her the address before she told me about it.

Telephone number? There used to be phone books. And I still instinctively think they should be public.

animex

I think the headline is a bit vague; it includes passwords as well. Does anyone know if Troy's HIBP site reveals the passwords to verified users? I'd like to know if my current passwords, or which generation of passwords, have been breached, to evaluate whether I have a current or past problem with my devices.

birdman3131

They do not want to have such a list as it makes them a target.

What they do have is a searchable password list not connected to any usernames.

kulahan

I was in the military. China stole my freaking DNA profile. I've given up on worrying about this stuff.

rdl

Even better "please give us all the things which could be used by a foreign power to blackmail you, or apply pressure to relatives or other close contacts" and then poorly secure that database.

eyeundersand

+1 for Bitwarden. It is literally the best solution out there. Been getting to increase uptake in personal circles with (very) limited success. The wife keeps trying to convince me that the ship has sailed in trying to protect info online. She's probably right.

NewsaHackO

I use a similar service, but I always wonder what sort of risk having one point of failure has. I know 2FA helps, but a particularly motivated person with physical access to you may still be able to get both, especially if it's for an investigation of some sort.

Xerox9213

I convinced my wife to start using a password manager, too (Bitwarden). Now she stores all of her very guessable, short, similar passwords in a manager. Sigh.

stronglikedan

> Bitwarden

Best when paid for so you can do 2FA with TOTP codes!

jerf

On the plus side, Troy can save a lot of DB space now. Instead of storing which emails have been compromised at this point he can replace that with just

    def email_compromised(email):
        return True

ptrl600

Are there any email services which allow basically unlimited aliases with long, random names?

I'm using my own domain right now, but that can only uncover who has leaked my data; it does not provide additional privacy.

worldfoodgood

The downside to having many vanity URLs and giving out a unique email address to each website you visit is that you cannot use haveibeenpwned without paying (despite being a single human). I have no idea how many email addresses I've given out over the years, probably hundreds across at least 6 or 7 domains, and they want to charge me a monthly fee to see which of those have been pwned.

I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.

kccqzy

The domain search feature on haveibeenpwned is/was free. I registered my domain on haveibeenpwned back in 2017 and I got two emails about breaches, one in 2020 and another in 2022. I did not pay.

username44

I wasn’t aware of this feature, but can confirm. Just tried and it is free.

Log into dashboard, under business there is a domains tab. Enter your domain there and verify ownership. Didn’t ask for payment.

EvanAnderson

It tells you that an address in your domain has been included in a breach. It doesn't tell you which address was included. That's what the OP and I are opining about.

osculum

It does. I just checked mine today. I can see exactly which individual email addresses in my domain were exposed and in which data leak. I have never paid for it.

huijzer

Isn’t the idea that you don’t need haveibeenpwned, since you’ll see mail coming in and then know your details have leaked?

For ID fraud, more than an email address has to be leaked.

worldfoodgood

Have I Been Pwned will tell me if the associated password for that site leaked. I create unique passwords per site, but let's say my Mastercard login gets pwned -- that'd be one I want to change the password for right away.

I might not get an email if someone gets that account info.

dpoloncsak

In theory, I agree.

In practice, anything that high-profile will be plastered all over every tech news site, Twitter, Reddit, probably even the news. It would be difficult for Mastercard/Visa to have data leaks, even just email/pass, fly under the radar (I imagine...)

Oracle tried to cover up a data leak, and it didn't go great. Oracle touches nowhere near as many every-day people as MasterCard does

ekjhgkejhgk

I don't understand... The password is the secret, right? If your Mastercard login ends up in some breach, your password is what's protecting you. With or without vanity URLs, if you have strong passwords you'll be fine.

XorNot

Cybercrime has a logistics pipeline.

Harvesting potential targets is one part of it i.e. establishing someone was using an email address is the entry point. There's a lot of emails, so associating them to any particular website is right near the start. Establishing that they're active increases their value further.

The people responding to Troy here, for example, are technically doing that: they clearly monitor the email or still use it, so addresses which respond go up in value.

EvanAnderson

I'm in the same boat. I track all of the unique addresses I use (via my password manager) so I guess I could just check them all against HiBP's database. Kind of a pain in the ass, though.

warkdarrior

My password manager (Bitwarden) does that automatically.

EvanAnderson

I use Bitwarden with a Vaultwarden server so I have some familiarity. Bitwarden checks new passwords against HiBP. I'm not aware of functionality where it can retroactively check old email addresses or passwords to see if they're included in a breach.

SoftTalker

Just assume they have all been exposed.

Email addresses are not secrets under any stretch of the meaning of that word.

worldfoodgood

It's not the email address itself that I care about, and that's not the service that the site provides. It tells you for which email addresses a related password has been pwned.

guelo

I have the more typical one email used with hundreds of passwords on many websites. haveibeenpwned is also useless for me, it will tell me that my email was compromised but not which sites or passwords. I guess I could check each password individually, hope each password is globally unique to me, and then try to match it back to the website where I used it so I can change the password.

jimmar

I respect Troy Hunt's work. I searched for my email address on https://haveibeenpwned.com/, and my email was in the latest breach data set. But the site does not give me any way to take action. haveibeenpwned knows what passwords were breached, the people who breached the data know what passwords were breached, but there does not seem to be any way for _me_, the person affected, to know what passwords were breached. The takeaway message is basically, "Yeah, you're at risk. Use good password practices."

There is no perfect solution. Obviously, we don't want to give everybody an easy form where you can enter an email address and see all of the passwords it found. But I'm not going to reset 500+ passwords because one of them might have been compromised. It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

elzbardico

> It seems like we must rely on our password managers (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell us if individual passwords have been compromised.

Yes.

technion

At one point I responded to a haveibeenpwned notice by immediately having the user reset a password.

I've got over 200 users in a domain search, and nearly all of them were in previous credential breaches that were probably stuffed into this one. I'm not going to put them through a forced annoyance given how likely it is the breached password is not their current one, and I'm urging people to start moving in this direction unless you obtain a more concrete piece of advice.

kbrkbr

Same here: reset on first breach (ROFB), but on subsequent ones only if it is not a collection, e.g. a new infostealer breach.

ekjhgkejhgk

Right, I'm going to put my password into some website. You people will believe anything.

MattSteelblade

You can check against the API with just the first characters of your hashed password (SHA-1 or NTLM), for example: https://api.pwnedpasswords.com/range/21BD1 or you can download the entire dataset.

sunaookami

HaveIBeenPwned has been around for ages and it does not send your password to the server - you can check it with the browser console. It hashes it, sends a range of the hash to the server, server replies with a list of hashes that match that range and it's checked locally for a match.
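The two comments above describe the k-anonymity range check: hash the password with SHA-1, send only the first five hex characters to the `/range/` endpoint named in the thread, and compare the returned suffix list locally. This is an added example written for this page, not HIBP's or Troy Hunt's code. The response format (one `SUFFIX:COUNT` line per hash in the range) is the real one, but the sample response body and its counts are constructed here so the check runs offline; `fetch_range` is the only part that touches the network and is not needed for the demonstration.

```python
"""Added example (not HIBP's own code): check a password against a
Pwned Passwords range response using the k-anonymity scheme described
in the thread. Only the 5-character SHA-1 prefix ever leaves the client;
the 35-character suffix is matched locally against the returned list."""
import hashlib
from typing import Tuple

# Endpoint named in the thread; appended with the 5-char prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the prefix that is
    sent to the server (5 chars) and the suffix that stays local (35 chars)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count recorded for our suffix, or 0 if the suffix is not listed.
    Malformed lines are skipped rather than trusted."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def check_password_offline(password: str, body: str) -> int:
    """Full local check: derive prefix/suffix, then look the suffix up in a
    range body that was obtained elsewhere (here: a constructed sample)."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, body)


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of
# "password"). A real response holds hundreds of lines; counts here are
# made up for the example and are not HIBP data.
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the live range body for a prefix. Kept separate so everything
    else runs offline; note that only the prefix is in the URL."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("prefix sent to server:", prefix)           # 5BAA6
    print("suffix kept locally:  ", suffix)
    print("count in sample range:", count_in_range_response(suffix, SAMPLE_RANGE_5BAA6))
```

The point the thread makes is visible in the code: the server receives five hex characters, which identify a bucket shared by many hashes, and the decision is made by the client. Anyone who wants to verify the claim with the browser console can compare the request URL against the prefix this function prints for the same password.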

jolmg

> Passwords are protected with an anonymity model, so we never see them (it's processed in the browser itself), but if you're wary, just check old ones you may suspect.

That could mean one might be able to disconnect from the internet while checking.

fckgw

The problem with breaches like the latest data set is that there's no source on where the breach came from, it's an aggregate from multiple breaches. They can't tell you that info because it's not in the initial data set.

karencarits

One possible solution could be to give you an option to send the affected passwords as a list to the mail address you specify; then only people with access to that mail address will see them.

imgabe

My data was exposed in one of the Facebook leaks and it turned out I had an old email on my Facebook account with a domain I had since let lapse and abandoned. Someone else registered the domain and tried to take over my Facebook account by sending a password reset request using it. Luckily I had 2FA and I guess Facebook's fraud alerts picked it up, so it wasn't successful.

I guess what I want to say is beware that even something as innocuous as an email being leaked can cause problems, and make sure you delete any unused addresses from your accounts!

giobox

One of the drawbacks of using a custom domain for personal email is you essentially have to pay for it for life, otherwise anyone can just buy your old email address if the domain expires and start receiving mail, resetting accounts... I think some folks don't fully consider this consequence when setting up a fun vanity email address or similar etc, especially now both iCloud and gmail have made it so trivial to link a custom domain.

hn_acc1

Conversely, if yahoo/google ever stop offering free email, I'll probably end up paying them much higher prices to keep going for a bit until I can transition.

If either ever stop period, especially one day to the next, FML...

esafak

What a lot of work to capture one account.

twodave

I can think of a lot of ways that would be worth it.

* blackmail the account owner

* make up an illness, create a donation page and get all their friends to donate

* find all connections over a certain age and disguise a phishing vector as literally anything!

* so many more

guywithahat

Which is incredible because it means they paid to get the domain and try to access that account. I can't imagine why anyone would care that much about your Facebook (assuming you're not someone who's especially influential) and yet here we are

gorgoiler

I’ve always had a bit of a chip on my shoulder about HIBP’s switch to charging for domain searches. It felt a bit like those travel visa scalpers who charge 50 CURRENCY_UNIT to file an otherwise gratis form on your behalf.

Law enforcement should provide this kind of service as a public good. They don’t, but if you do instead, I don’t think it’s cool to unilaterally privatize the service and turn it into a commercial one.

I voted with my feet but this post feels like a good enough place to soapbox a bit!

jlund-molfese

Post should've been titled "1.3 billion passwords were exposed", because, even though the number is slightly smaller, it actually represents something much more important.

hypeatei

Cynicism is everywhere these days but these events really don't register for me anymore. Companies aren't punished by the government for these leaks and they aren't punished by consumers either. What incentive is there to reduce this data collection in the first place or to lock down your databases?

Even if someone's security is awful as the consumer and their account gets hacked because of these leaks, what are the actual consequences of that? Oh bummer, they need to reset their password and make a few phone calls to their bank to reverse the fraudulent charges then life goes on. Techies view that as unacceptable but most don't really care.

cryptoegorophy

- Setup a website with an article that 3 billion emails were exposed

- Offer a form to check if your email was leaked

- Start getting a confirmed emails list

sfilmeyer

Troy Hunt has been running Have I Been Pwned for years. He even uses the k-anonymity model to allow you to search if a password has been pwned without giving him the password if you don't trust him.

I get your general point, but he's been a leader in this space and walking the walk for a decade. I'm not even into security stuff or anything particularly related to this, and I still recognized his name in the OP domain.

rkagerer

The bit at the end about email deliverability was also interesting:

Notifying our subscribers is another problem... in terms of not ending up on a reputation naughty list or having mail throttled by the receiving server .... Not such a biggy for sending breach notices, but a major problem for people trying to sign into their dashboard who can no longer receive the email with the "magic" link.

And this observation he got from someone:

the strategy I've found to best work with large email delivery is to look at the average number of emails you've sent over the last 30 days each time you want to ramp up, and then increase that volume by around 50% per day until you've worked your way through the queue

legitster

This is also known as "warming a domain" in the email world. A large rush of emails from an email server is an indicator of a hack or takeover, so anti-spam software may flag an IP address that surges in activity.
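The ramp-up rule quoted above (start from the trailing 30-day average, then grow daily volume by about 50% until the queue is drained) is easy to turn into a concrete schedule, which makes it clearer why a large notification batch takes days rather than hours. This is an added example written for this page, not code from the article or from any commenter; the baseline volume, queue size and growth factor are assumptions chosen for illustration.

```python
"""Added example (not from the article or the commenters): turn the
"grow by ~50% per day from your 30-day average" warm-up rule into a
day-by-day sending schedule for a backlog of notification emails."""
from typing import List


def warmup_schedule(avg_daily_30d: float, queue_size: int, growth: float = 0.5) -> List[int]:
    """Return the number of messages to send on each day until the queue is
    drained. Day 1 sends the trailing 30-day average; each following day
    sends (1 + growth) times the previous day's target, per the quoted rule.
    The final day sends only what is left. The growth factor 0.5 is the
    "around 50%" from the thread; the other inputs are the caller's."""
    if avg_daily_30d <= 0:
        raise ValueError("need a positive baseline volume to ramp from")
    if queue_size < 0:
        raise ValueError("queue size cannot be negative")
    schedule: List[int] = []
    remaining = queue_size
    todays_target = avg_daily_30d
    while remaining > 0:
        # max(1, ...) guards against a fractional baseline rounding to zero,
        # which would otherwise loop forever.
        send = max(1, min(int(todays_target), remaining))
        schedule.append(send)
        remaining -= send
        todays_target *= 1 + growth
    return schedule


def days_to_drain(avg_daily_30d: float, queue_size: int, growth: float = 0.5) -> int:
    """Convenience wrapper: how many calendar days the ramp takes."""
    return len(warmup_schedule(avg_daily_30d, queue_size, growth))


if __name__ == "__main__":
    # Constructed inputs: a sender averaging 1,000 mails/day with a 10,000-mail backlog.
    plan = warmup_schedule(1000, 10_000)
    for day, volume in enumerate(plan, start=1):
        print(f"day {day}: send {volume}")
    print("days to drain:", len(plan))
```

With those constructed inputs the schedule is 1000, 1500, 2250, 3375 and then the 1875 left over, so a 10x backlog clears in five days instead of one burst, which is the surge pattern the comment above says anti-spam systems read as a takeover.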