
I don't really get the utility of HIBP. The answer to the "have I been pwned?" question is, of course, yes, multiple times. I think about the only way to keep your email out of the hands of the bad guys is to not use it or give it to anyone ever, at which point you don't need an email address.

What am I supposed to do whenever I'm involved in a new breach? Burn all my accounts and start again?



If you use a password manager to give you unique passwords per site, then these alerts allow you to only change the impacted site's passwords.

...though in a case like this it wouldn't help since we don't know the site.


The monitoring service is useful, when a leak is detected you can reset that password.

Knowing that you have been historically breached is less useful... until I need to convince somebody to start taking account security seriously.

It's quite sobering to discover that data breaches are commonplace.


The biggest contribution HIBP makes is in teaching people not to reuse passwords (and use a password manager instead).


>What am I supposed to do whenever I'm involved in a new breach? Burn all my accounts and start again?

If you reuse passwords, then change your passwords for all the accounts that use the breached password. Hopefully, it'll spur you to start using a password manager so you can easily have strong, unique passwords.

If you don't reuse passwords, then change your password for the breached account. Sometimes services don't tell you about breaches and it is HIBP that first informs you about the breach.

If there is some email address that you really, really don't want bad guys to know about (perhaps a dedicated email address for your important financial accounts), then it helps you know when to switch to another email address.

HIBP helps you know how often a service has been breached in the past, and that might help guide what services you want to use/not-use in the future.


Check account recovery procedures, change the password for that website, check login history and active sessions, and see if anyone has done anything that could be done with those credentials, on top of using randomly generated passwords in the first place.

And I think you’re about to describe Sign In with Apple.


As the other comment also said, it's a public education service.

Remember that most of us on here have extremely advanced knowledge of the Internet and its workings. This is not the case for the vast majority of Internet users.


It depends on how many email addresses you keep. If you get a hit, it's a good idea to ensure that you keep control of the services related to that address (change passwords, set any extra security measures).

I mostly use it through 1Password, because it also notifies you when a service has enabled new security features like 2FA.


For me it's a shortcut to explain why it's always a risk to divulge personal information to 3rd parties, however trustworthy they seem.



