
Troy's response:

> Think through what that would mean: we’d have to sit on billions of plain text passwords (among other personal info) and return that to visitors with no more validation than control of a single email address. The risk is huge, both to us and to people in breaches.

His stance is reasonable.



I don't entirely agree it's reasonable. This dump apparently contains the source of the email+password combo. You can go on his website and look up sources of leaks with just an email address. That's what people really want to know: what was the source?

So yes, sifting through billions of records will take a while, but it's possible. And telling the user the source of the details (and not the leaked passwords themselves) is exactly what his website mostly already does, so it's not a risk.


The risk is not in sifting through billions of records.

The risk is enabling a service that unlocks a capability like “give me the password for this email address that may or may not be mine”.

The source of a breach is a single attribute that can be associated with an entire dataset, unlike passwords.


We only need to get the domain name of the service.

The compromised password can and should be deleted by them, and ignored by us.


But I'm saying it should be possible to view the source of the password, not the password itself. Which is what his site already shows for individual breaches.


00deadbeef@gmail.com is in the leak-name-here leak!

Google: "leak-name-here download"


No I don't mean download the dump.

I want to know which service (https://www.troyhunt.com/content/images/2024/01/image.png) my details were linked with.


Are you saying that's the risk of providing the website URL? Or that it's the risk of HIBP?

Because he does provide the email and the leak name... He even indirectly provides where to download it from in his blog post.

Providing the website won't give away more dangerous information; that's exactly what he usually does when it's not a stuffing list: he says where the passwords come from (LinkedIn, Facebook, etc.).


It's reasonable for what is displayed with nothing more than knowledge of the email on haveibeenpwned.com, but for everyone subscribed to notifications it would have been very helpful to include the source in the notification email, and that would have avoided the biggest part of the privacy implications. Right now, for a lot of people, the latest breach notification email is unactionable because there's no way to figure out what account may have been breached. For me personally, I received the notification, but when I checked the actual list directly, not only was it immediately clear that it wasn't an account I care about, it was also a password that I've used but never with the account listed. Had the email from HIBP included just a tiny bit of additional information, I wouldn't have needed to waste my time on it, especially when it seems that this breach has some unknown amount of bogus data in it.



