The downside to having many vanity URLs and giving out a unique email address to each website you visit is that you cannot use haveibeenpwned without paying (despite being a single human). I have no idea how many email addresses I've given out over the years, probably hundreds across at least 6 or 7 domains, and they want to charge me a monthly fee to see which of those have been pwned.

I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.

The domain search feature on haveibeenpwned is/was free. I registered my domain on haveibeenpwned back in 2017 and I got two emails about breaches, one in 2020 and another in 2022. I did not pay.

I wasn’t aware of this feature, but can confirm. Just tried and it is free.

Log into dashboard, under business there is a domains tab. Enter your domain there and verify ownership. Didn’t ask for payment.

But I can't find the old list of what address was affected where. I only see my own address.

I have 15 pwned email addresses. It's free for under 10.

It tells you that an address in your domain has been included in a breach. It doesn't tell you which address was included. That's what the OP and I are opining about.

It does. I just checked mine today. I can see exactly which individual email addresses in my domain were exposed and in which data leak. I have never paid for it.

Interesting. I'd love to see where you're seeing that. I'll go poke at the site a little more.

Edit: When I try to do a domain search I get told:

> Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists).

My domain has 11 breached addresses.

I log in. Click on Business -> Domains. Then click on the looking glass under "Actions" on my domain. I can there see all my addresses and pwned sites.

But I think you are right, because I only have 3 breached addresses under my domain (I do see the 10 addresses wording under subscriptions)

Yep, if you have the good fortune of having many breaches while using companyname@example.org, the service requires that either you pay up or you have to guess and check.

I understand, but it's frustrating.

[deleted]

It is only free if you have fewer than 10 pwned addresses.

Isn't the idea that you don't need haveibeenpwned since you'll see mails coming in and then know your details have leaked?

For ID fraud, more than an email address has to be leaked.

Have I Been Pwned will tell me if the associated password for that site leaked. I create unique passwords per site, but let's say my Mastercard login gets pwned -- that'd be one I want to change the password for right away.

I might not get an email if someone gets that account info.

In theory, I agree.

In practice, anything that high-profile will be plastered all over every tech news site, Twitter, Reddit, probably even the news. It would be difficult for MasterCard/Visa to have data leaks, even just email/pass, fly under the radar (I imagine...)

Oracle tried to cover up a data leak, and it didn't go great. Oracle touches nowhere near as many every-day people as MasterCard does.

Troy's response [1] on this use case from a couple of years ago was that you should pay the monthly fee and then cancel it.

[1]: https://www.troyhunt.com/welcome-to-the-new-have-i-been-pwne...

I'm in the same boat. I track all of the unique addresses I use (via my password manager) so I guess I could just check them all against HiBP's database. Kind of a pain in the ass, though.

Me too. It used to work for whole domains. Then I guess the limit was added as part of some kind of monetization push. I don't derive enough value to pay for a monthly subscription any time it occurs to me to check, nor figure out how to check addresses one-by-one programmatically. So the site is basically dead to me now. It's a shame because there were a few breached lists where people were speculating on where exactly they came from, and I was able to add to the discussion based on which of my tagged addresses were in the list.

I've had that experience re: my personalized addresses being used to more closely identify the source and time of a breach. When I start getting spam to one of my personalized addresses I'll usually reach out to the party for whom the address was created to let them know. Usually I get treated like a crank but occasionally I get somebody who understands and appreciates the help.

My password manager (Bitwarden) does that automatically.

I use Bitwarden with a Vaultwarden server so I have some familiarity. Bitwarden checks new passwords against HiBP. I'm not aware of functionality where it can retroactively check old email addresses or passwords to see if they're included in a breach.
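An added example, not code from this thread, from HIBP or from Bitwarden, covering the two things people above say they can't easily do: check the per-site addresses kept in a password manager against Have I Been Pwned one by one, and check a password the way a password manager does it, through the free Pwned Passwords k-anonymity range API. Everything here is an assumption for illustration: `SAMPLE_EXPORT` is a constructed vault export that only mimics the shape of Bitwarden's JSON export, `constructed_get` returns made-up responses so the script runs offline, the `/breachedaccount` call needs a paid `hibp-api-key` when run for real, and the function and constant names are mine.

```python
"""Added example (not from the thread, HIBP or Bitwarden): check per-site
addresses from a vault export against HIBP, and passwords via the Pwned
Passwords k-anonymity range API. Assumptions (hypothetical): SAMPLE_EXPORT
mimics a Bitwarden JSON export; the breachedaccount endpoint needs a paid
hibp-api-key; constructed_get fakes the HTTP layer so this runs offline."""
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

HIBP_BREACH_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=true"
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{}"
USER_AGENT = "catch-all-breach-check/0.1"  # HIBP rejects requests without a UA

HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]

# Constructed sample vault export; no real accounts or passwords.
SAMPLE_EXPORT = json.dumps({"items": [
    {"name": "Contoso Coffee", "login": {"username": "ContosoCoffee@example.org", "password": "password"}},
    {"name": "Fabrikam", "login": {"username": "fabrikam@example.org", "password": "correct horse battery staple"}},
    {"name": "Webmail", "login": {"username": "me@mail.example", "password": "unrelated"}},
    {"name": "Note", "secureNote": {"type": 0}},
]})


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Live fetch. HIBP signals 'not found' with 404 and rate limiting with 429,
    so HTTP errors are returned as (status, body) instead of raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def addresses_for_domain(export_json: str, domain: str) -> Dict[str, str]:
    """Map each login address under `domain` (lower-cased) to its vault item
    name, so a breach hit can be attributed back to the site it was given to."""
    wanted = "@" + domain.lower()
    found: Dict[str, str] = {}
    for item in json.loads(export_json).get("items", []):
        login = item.get("login") or {}
        user = (login.get("username") or "").strip().lower()
        if user.endswith(wanted):
            found.setdefault(user, item.get("name", "?"))
    return found


def breaches_for_address(address: str, api_key: str, get: HttpGet = http_get) -> List[str]:
    """Names of breaches containing `address`; [] when HIBP answers 404."""
    url = HIBP_BREACH_URL.format(urllib.parse.quote(address))
    status, body = get(url, {"hibp-api-key": api_key, "user-agent": USER_AGENT})
    if status == 404:
        return []
    if status != 200:  # 401 bad key, 429 rate limited: surface it, never treat as clean
        raise RuntimeError(f"HIBP returned {status} for {address}: {body[:120]}")
    return [breach["Name"] for breach in json.loads(body)]


def breach_report(export_json: str, domain: str, api_key: str, get: HttpGet = http_get) -> Dict[str, List[str]]:
    """{vault item name: [breach names]} for every address found in a breach."""
    report: Dict[str, List[str]] = {}
    for address, item in addresses_for_domain(export_json, domain).items():
        hits = breaches_for_address(address, api_key, get)
        if hits:
            report[item] = hits
    return report


def pwned_password_count(password: str, get: HttpGet = http_get) -> int:
    """k-anonymity check: only the first 5 hex chars of the SHA-1 leave the
    machine; the service returns every suffix in that range with a count."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    status, body = get(PWNED_RANGE_URL.format(prefix), {"Add-Padding": "true", "user-agent": USER_AGENT})
    if status != 200:
        raise RuntimeError(f"Pwned Passwords returned {status}")
    for line in body.splitlines():
        tail, _, count = line.strip().partition(":")
        if tail == suffix and count:
            return int(count)
    return 0  # padding rows carry count 0, so an unseen suffix and a padded one agree


def constructed_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in for http_get with constructed responses (not real HIBP
    data). 5BAA6 is the SHA-1 prefix of "password"; the count is made up."""
    if url.startswith(HIBP_BREACH_URL.format("contosocoffee%40example.org")):
        return 200, '[{"Name": "Adobe"}, {"Name": "LinkedIn"}]'
    if "/breachedaccount/" in url:
        return 404, ""
    if url.endswith("/range/5BAA6"):
        return 200, "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" + "0" * 35 + ":0\r\n"
    return 200, "0" * 35 + ":0\r\n"


if __name__ == "__main__":
    print(breach_report(SAMPLE_EXPORT, "example.org", "fake-key", get=constructed_get))
    print(pwned_password_count("password", get=constructed_get))
```

To run it for real, drop the `get=constructed_get` arguments and pass a genuine key; HIBP rate-limits per key, so a vault with hundreds of addresses wants a short sleep between calls rather than a retry loop that hammers a 429. The password check sends only a 5-character hash prefix, which is why a password manager can do it continuously without disclosing the password.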

It's under Reports: https://bitwarden.com/help/reports/

Ahh, okay. I assume that's a part of the Bitwarden offering, presumably happening server-side. I'm just using their official client w/ a Vaultwarden server.

It is also available in the Vaultwarden web interface (which is just a rebranded Bitwarden web interface).

enpass.io does this automatically if you selected the option.

Just assume they have all been exposed.

Email addresses are not secrets under any stretch of the meaning of that word.

[deleted]

It's not the email address itself that I care about, and that's not the service that the site provides. It tells you for which email addresses a related password has been pwned.

I don't understand... The password is the secret, right? If your Mastercard login ends up in some breach, your password is protecting you. With or without vanity URLs, if you have strong passwords you'll be fine.

Cybercrime has a logistics pipeline.

Harvesting potential targets is one part of it, i.e., establishing someone was using an email address is the entry point. There's a lot of emails, so associating them to any particular website is right near the start. Establishing that they're active increases their value further.

The people responding to Troy here, for example, are technically doing that: they clearly monitor the email or still use it, so addresses which respond go up in value.

[deleted]

You need a domain, and possibly a paid mail provider with catch all support.

So cost was always part of this strategy.

The problem with catch-all inbox is when you have to reply to an email. Then you have to create the email address to be able to send emails from it. Or are there other solutions?

There's no solution to a non-problem. Precisely 3 of the hundreds of the generated email addresses I've given out over the past ~12 years have needed replies. When this happens, I simply reply from an address that actually does exist, while CCing the original generated address and setting it as the reply-to address.

If I ever have to give a generated address out to an actual person, then I'll let them know replies will come from a different address. So far I'd guess 99.999% of the emails I received are transactional emails and/or sent from noreply@...

Far more annoying are a few websites I use that only support magic links for login; my password manager doesn't auto-fill them, and some of them I now have a number of accounts at due to inconsistent spelling/formatting.

True, I simplify it a bit based on the capacity of my mail provider. I have like 4 or 5 generic addresses that I give out and use for sending. Sometimes I mix up when sending, but my mail provider (zoho) is pretty decent at keeping track of the addresses anyways.

In a way if I reply, the other party gets upgraded to one of my 5 addresses, so if they send an email to ContosoCoffeeShop@myname.com I might reply from whatever flavour I'm using nowadays or is more appropriate like hello@myname.com

It's like a 3 layer security system, the least privileged get access to one very specific address, if they send me an email which makes sense and I reply, they get upgraded to a bucket. I might sign up directly with a bucket email and skip the most paranoid layer, that's fine.

In general I try to take more care of the newest alias and become more liberal with my older more ruined addresses, alias1@ has like 8 years of signups, while alias5@ has just 1 if any. And I'm sure the list will grow.

Downside is that if there's a leak it's harder to attribute exactly, but at least I can check the recipient to get some kind of hint.

It's more like art than it is a water-tight security protocol. You paint the world with your wacky addresses and occasionally surprise the observant employee with the inverted expectations (usually the name comes before the at)

Thank you for coming to my ted talk.

I have those things? Did you miss the part where I have multiple vanity URLs and hundreds of email addresses? Of course I have a paid mail provider and catch-all. The problem is the cost of haveibeenpwned is too much for me as an individual.

Yeah I get it.

I meant that you are already paying for those, so being charged by providers to support our hacky email addresses is not a novelty introduced by Troy's service

I have the more typical one email used with hundreds of passwords on many websites. haveibeenpwned is also useless for me, it will tell me that my email was compromised but not which sites or passwords. I guess I could check each password individually, hope each password is globally unique to me, and then try to match it back to the website where I used it so I can change the password.

If you don’t know which web site uses a particular password, how do you ever login to that website?

Reread the parent post more closely. It does not tell them: A) which site nor B) which password.

The parent can log in because they have a map of site<->password. But without either the site or the password, the notification that an email address is compromised is useless.