>why is it still needed?

It's not needed. There are already alternatives that could take its place. Some of them are able to actually show you what data leaked instead of leaving you blind to what was actually included in the breach.

This is a bad idea, for multiple reasons.

https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...

I don't think he meant "show the actual data," I think he meant "what leaked? My name, address, phone number, email, medical records, payment history, bank account number?"

We get a "your private data is now public" email, but knowing exactly what data turns that from a depressing statement on how much corporations value their customers' privacy into something actionable.

This information is shown on the site of the breach, for example: https://haveibeenpwned.com/Breach/BakerDistributing

Yes, I meant the actual data so you know what leaked. There is a difference between leaking a password 12345678 and leaking a password that was reused on a different site. There is a difference between leaking your actual birthday and leaking 01/01/1900. There is a difference between leaking a fake address, your previous address, and your current address.

Then feel free to browse the onion and buy data that you may be included in.

There seems to be some amount of entitlement by people in this thread to get information from a third party about what a first party to them lost.

The first party that lost your data should be the one that shows you exactly what was compromised.

>Most breaches already contain hashed passwords

It could show the hash instead.

>No, it's not ok that these passwords are already out there

So it's better that people have to pay for it instead of getting this information for free?

>Because it's important to say "I don't store passwords in HIBP"

This is a personal choice.

>I'm not your personal lookup service

The idea is that this would be done by the site itself and would not require manual work by the owner.

Hashes can be cracked, and end users won't understand how to create password hashes to check which one was leaked. Plus, salts exist.

Passwords shouldn't matter anyways. Use a password manager and be done with it. The real issue is metadata which can't easily be changed - phone numbers, addresses, and the like. If any of that data is leaked, it becomes much harder to contain impact. You can't move addresses every time your address gets leaked online.

Can you give examples of these alternatives?

I use Snusbase (https://snusbase.com). They've been around since around 2016 and haven't had any issues legally - they're the longest-standing data breach search engine besides HIBP, as far as I know.

(This is not an advertisement.)