Is it safe to give my email address to a service like haveibeenpwned in light of the publication of...












53















There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g.
Have I Been Pwned.



Is it safe to enter my email address there to find out whether I need to change my passwords?










share|improve this question









New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 32





    Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)

    – Xander
    yesterday






  • 45





    Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)

    – Matthew
    yesterday






  • 11





    To be honest - can it be - has it been - independantly verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)

    – Martin
    yesterday






  • 1





    @Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.

    – Tom K.
    yesterday






  • 13





    Well to be honest, the worst what could happen @Martin is that Troy Hunt (which is a well known respected security author) has your email address. I actually have an email address to give to people so they can contact me, if that is the only PII I am giving out I'm not so worried ;)

    – Kevin Voorn
    yesterday
















53















There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g.
Have I Been Pwned.



Is it safe to enter my email address there to find out whether I need to change my passwords?










share|improve this question









New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 32





    Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)

    – Xander
    yesterday






  • 45





    Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)

    – Matthew
    yesterday






  • 11





    To be honest - can it be - has it been - independantly verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)

    – Martin
    yesterday






  • 1





    @Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.

    – Tom K.
    yesterday






  • 13





    Well to be honest, the worst what could happen @Martin is that Troy Hunt (which is a well known respected security author) has your email address. I actually have an email address to give to people so they can contact me, if that is the only PII I am giving out I'm not so worried ;)

    – Kevin Voorn
    yesterday














53












53








53


14






There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g.
Have I Been Pwned.



Is it safe to enter my email address there to find out whether I need to change my passwords?










share|improve this question









New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g.
Have I Been Pwned.



Is it safe to enter my email address there to find out whether I need to change my passwords?







passwords breach have-i-been-pwned






share|improve this question









New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Tom K.

5,92032251




5,92032251






New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









godwanagodwana

26623




26623




New contributor




godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






godwana is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 32





    Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)

    – Xander
    yesterday






  • 45





    Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)

    – Matthew
    yesterday






  • 11





    To be honest - can it be - has it been - independantly verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)

    – Martin
    yesterday






  • 1





    @Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.

    – Tom K.
    yesterday






  • 13





    Well to be honest, the worst what could happen @Martin is that Troy Hunt (which is a well known respected security author) has your email address. I actually have an email address to give to people so they can contact me, if that is the only PII I am giving out I'm not so worried ;)

    – Kevin Voorn
    yesterday














  • 32





    Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)

    – Xander
    yesterday






  • 45





    Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)

    – Matthew
    yesterday






  • 11





    To be honest - can it be - has it been - independantly verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)

    – Martin
    yesterday






  • 1





    @Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.

    – Tom K.
    yesterday






  • 13





    Well to be honest, the worst what could happen @Martin is that Troy Hunt (which is a well known respected security author) has your email address. I actually have an email address to give to people so they can contact me, if that is the only PII I am giving out I'm not so worried ;)

    – Kevin Voorn
    yesterday








32




32





Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)

– Xander
yesterday





Yes, it is safe. haveibeenpwned.com is a well respected website run by a well respected individual. (Troy Hunt.)

– Xander
yesterday




45




45





Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)

– Matthew
yesterday





Note that @Xander's comment only applies to that specific site - there are others which are also fine, but by no means all. Any site which asks you to provide the email address and password to check is best avoided (note that while HIBP does offer a password checker, it doesn't require any other data for that function)

– Matthew
yesterday




11




11





To be honest - can it be - has it been - independantly verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)

– Martin
yesterday





To be honest - can it be - has it been - independantly verified that haveibeenpwned.com is safe? I don't doubt it is, but really what I'm going on is little more than trust. Has there been any 3rd party penetration testing analysis? (open question)

– Martin
yesterday




1




1





@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.

– Tom K.
yesterday





@Martin Not that I know of, but even if there was a pentest or code audit a year ago, how would we know that the same code is used today? Even if the code was open source, how would we know if that was the version that was deployed? Then in theory a single request could be altered in such a way, that the data of specific users was handled differently.

– Tom K.
yesterday




13




13





Well to be honest, the worst what could happen @Martin is that Troy Hunt (which is a well known respected security author) has your email address. I actually have an email address to give to people so they can contact me, if that is the only PII I am giving out I'm not so worried ;)

– Kevin Voorn
yesterday





Well to be honest, the worst what could happen @Martin is that Troy Hunt (which is a well known respected security author) has your email address. I actually have an email address to give to people so they can contact me, if that is the only PII I am giving out I'm not so worried ;)

– Kevin Voorn
yesterday










4 Answers
4






active

oldest

votes


















62














This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com



See here:




When you search for an email address



Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.



Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.




See also the Logging paragraph



And from the FAQ:




How do I know the site isn't just harvesting searched email addresses?



You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.




Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.

But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.



But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?



At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.






share|improve this answer





















  • 45





    As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

    – Tom K.
    yesterday






  • 15





    HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

    – Aaron
    yesterday








  • 2





    Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

    – Tom K.
    yesterday






  • 3





    @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

    – Kevin Voorn
    yesterday






  • 18





    Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

    – Future Security
    yesterday



















9














Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.



See for example, https://1password.com/haveibeenpwned/



As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.



Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.




The following StackExchange post has a response from Troy himself with
further clarification on this service:
Is "Have I Been Pwned's" Pwned Passwords List really that useful?







share|improve this answer





















  • 1





    The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

    – Tom K.
    yesterday



















2














You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.



The argument



haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:





  • Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!


  • Skeptic: Yeah, but you have to give them your password


  • Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address


  • Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!


  • Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!


  • Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.


Independent Verification



Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.



What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.



You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (chrome, firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for password you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of password). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8 which (at the moment) lists 3645804 matches - aka the password password has showed up about 3.5 million times in separate password leaks. (the SHA1 hash of password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).



With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.



Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.



In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?






share|improve this answer































    -2














    If you don't trust HIBP enough to give it your email, you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)






    share|improve this answer








    New contributor




    user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.




















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      godwana is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201654%2fis-it-safe-to-give-my-email-address-to-a-service-like-haveibeenpwned-in-light-of%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      62














      This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com



      See here:




      When you search for an email address



      Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.



      Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.




      See also the Logging paragraph



      And from the FAQ:




      How do I know the site isn't just harvesting searched email addresses?



      You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.




      Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.

      But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.



      But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?



      At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.






      share|improve this answer





















      • 45





        As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

        – Tom K.
        yesterday






      • 15





        HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

        – Aaron
        yesterday








      • 2





        Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

        – Tom K.
        yesterday






      • 3





        @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

        – Kevin Voorn
        yesterday






      • 18





        Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

        – Future Security
        yesterday
















      62














      This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com



      See here:




      When you search for an email address



      Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.



      Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.




      See also the Logging paragraph



      And from the FAQ:




      How do I know the site isn't just harvesting searched email addresses?



      You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.




      Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.

      But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.



      But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?



      At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.






      share|improve this answer





















      • 45





        As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

        – Tom K.
        yesterday






      • 15





        HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

        – Aaron
        yesterday








      • 2





        Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

        – Tom K.
        yesterday






      • 3





        @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

        – Kevin Voorn
        yesterday






      • 18





        Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

        – Future Security
        yesterday














      62












      62








      62







      This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com



      See here:




      When you search for an email address



      Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.



      Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.




      See also the Logging paragraph



      And from the FAQ:




      How do I know the site isn't just harvesting searched email addresses?



      You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.




      Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.

      But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.



      But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?



      At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.






      share|improve this answer















      This question was explained by Troy Hunt several times on his blog, on Twitter and in the FAQ of haveibeenpwned.com



      See here:




      When you search for an email address



      Searching for an email address only ever retrieves the address from storage then returns it in the response, the searched address is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.



      Data breaches flagged as sensitive are not returned in public searches, they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.




      See also the Logging paragraph



      And from the FAQ:




      How do I know the site isn't just harvesting searched email addresses?



      You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.




      Of course we have to trust Troy Hunt on his claims, as we have no way of proving that he is not doing something else, when handling your specific request.

      But I think it is more than fair to say, that haveibeenpwned is a valuable service and Troy Hunt himself is a respected member of the infosec community.



      But let's suppose we don't trust Troy: what do you have to lose? You might disclose your email address to him. How big of a risk is that to you, when you can just enter any email address you want?



      At the end of the day, HIBP is a free service for you(!) that costs Troy Hunt money. You can choose to search through all the password databases of the world yourself if you don't want to take the risk that maybe a lot of people are wrong about Troy Hunt, just because then you would disclose your email address.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 10 hours ago









      jdv

      1033




      1033










      answered yesterday









      Tom K.Tom K.

      5,92032251




      5,92032251








      • 45





        As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

        – Tom K.
        yesterday






      • 15





        HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

        – Aaron
        yesterday








      • 2





        Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

        – Tom K.
        yesterday






      • 3





        @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

        – Kevin Voorn
        yesterday






      • 18





        Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

        – Future Security
        yesterday














      • 45





        As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

        – Tom K.
        yesterday






      • 15





        HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

        – Aaron
        yesterday








      • 2





        Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

        – Tom K.
        yesterday






      • 3





        @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

        – Kevin Voorn
        yesterday






      • 18





        Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

        – Future Security
        yesterday








      45




      45





      As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

      – Tom K.
      yesterday





      As mentioned before: this only applies to haveibeenpwned.com. Other services might be sketchy and sell your data off to spam providers.

      – Tom K.
      yesterday




      15




      15





      HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

      – Aaron
      yesterday







      HIBP is a free service for you(!) that costs Troy Hunt money I find this detracts from your answer as such services usually find a way to make money from the data you send them (e.g. targeted advertising). It doesn't answer the "is it safe" question anyway.

      – Aaron
      yesterday






      2




      2





      Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

      – Tom K.
      yesterday





      Well, a lot of times there are pros and cons to a side. ;) I won't delete it, because other sites offer free services to then sell off your personal data. To infer that HIBP does the same without any proof seems very odd to me.

      – Tom K.
      yesterday




      3




      3





      @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

      – Kevin Voorn
      yesterday





      @Aaron The way Troy Hunt makes is money is by sponsorships on his blog and he is actually a keynote speaker on a lot of notable events. Besides that, he also creates Pluralsight courses which he obviously also makes money of.

      – Kevin Voorn
      yesterday




      18




      18





      Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

      – Future Security
      yesterday





      Besides only applying to haveibeenpwned.com, this answer only applies to haveibeenpwned.com as of the time this answer was posted. A necessary caveat to any endorsement is that a service isn't guaranteed to be trustworthy for the remainder of its lifetime. A server can be hacked, a policy can be changed, a buyout can happen, a domain name can be seized, or a trustworthy guy could stumble into his supervillain origin story.

      – Future Security
      yesterday













      9














      Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.



      See for example, https://1password.com/haveibeenpwned/



      As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.



      Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.




      The following StackExchange post has a response from Troy himself with
      further clarification on this service:
      Is "Have I Been Pwned's" Pwned Passwords List really that useful?







      share|improve this answer





















      • 1





        The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

        – Tom K.
        yesterday
















      9














      Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.



      See for example, https://1password.com/haveibeenpwned/



      As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.



      Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.




      The following StackExchange post has a response from Troy himself with
      further clarification on this service:
      Is "Have I Been Pwned's" Pwned Passwords List really that useful?







      share|improve this answer





















      • 1





        The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

        – Tom K.
        yesterday














      9












      9








      9







      Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.



      See for example, https://1password.com/haveibeenpwned/



      As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.



      Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.




      The following StackExchange post has a response from Troy himself with
      further clarification on this service:
      Is "Have I Been Pwned's" Pwned Passwords List really that useful?







      share|improve this answer















      Troy Hunt is a very respected Information Security professional and this service is being used by millions of people worldwide, even by some password managers to verify if the passwords selected by the users have been involved in a data breach.



      See for example, https://1password.com/haveibeenpwned/



      As per the website, 1Password integrates with the popular site Have I Been Pwned to keep an eye on your logins for any potential security breaches or vulnerabilities.



      Entering your email address on this site will tell you which data breaches involve this email address, so that you can go back to the affected website and change your password. This is esp. important if you have used the same password for multiple websites, where credentials stolen from one site can be used to attack other sites in a technique also called Credential Stuffing attack.




      The following StackExchange post has a response from Troy himself with
      further clarification on this service:
      Is "Have I Been Pwned's" Pwned Passwords List really that useful?








      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited yesterday

























      answered yesterday









      VishalVishal

      1015




      1015








      • 1





        The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

        – Tom K.
        yesterday














      • 1





        The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

        – Tom K.
        yesterday








      1




      1





      The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

      – Tom K.
      yesterday





      The linked question and answer by Hunt specifically deals with the "Pwned Password" feature.

      – Tom K.
      yesterday











      2














      You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.



      The argument



      haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:





      • Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!


      • Skeptic: Yeah, but you have to give them your password


      • Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address


      • Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!


      • Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!


      • Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.


      Independent Verification



      Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.



      What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.



      You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (chrome, firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for password you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of password). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8 which (at the moment) lists 3645804 matches - aka the password password has showed up about 3.5 million times in separate password leaks. (the SHA1 hash of password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).



      With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.



      Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.



      In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?






      share|improve this answer




























        2














        You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.



        The argument



        haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:





        • Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!


        • Skeptic: Yeah, but you have to give them your password


        • Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address


        • Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!


        • Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!


        • Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.


        Independent Verification



        Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.



        What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.



        You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (chrome, firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for password you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of password). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8 which (at the moment) lists 3645804 matches - aka the password password has showed up about 3.5 million times in separate password leaks. (the SHA1 hash of password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).



        With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.



        Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.



        In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?






        share|improve this answer


























          2












          2








          2







          You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.



          The argument



          haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:





          • Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!


          • Skeptic: Yeah, but you have to give them your password


          • Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address


          • Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!


          • Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!


          • Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.


          Independent Verification



          Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.



          What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.



          You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (chrome, firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for password you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of password). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8 which (at the moment) lists 3645804 matches - aka the password password has showed up about 3.5 million times in separate password leaks. (the SHA1 hash of password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).



          With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.



          Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.



          In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?






          share|improve this answer













          You didn't explicitly ask about this, but it is very related to your question (and mentioned in the comments), so I thought I'd bring it up. In particular, some more details can give some clues on evaluating stuff like this.



          The argument



          haveibeenpwned also has a service that let's you look up to see if a given password has been leaked before. I could see this service being even more "questionable". After all, who wants to go around stuffing their password in a random website? You could even imagine a conversation with a skeptic:





          • Self: If I type my password in here it will tell me if it has showed up in a hack before! This will help me know if it is safe!


          • Skeptic: Yeah, but you have to give them your password


          • Self: Maybe, but even if I don't trust them, if they don't also know my email then it isn't a big deal, and they don't ask for me email address


          • Skeptic: Except that they also have a form that asks for your email. They probably use a cookie to associate your two requests and get your email and password together. If they are really sneaky they use non-cookie based methods of tracking so it's even harder to tell they are doing it!


          • Self: Wait! It says here that they don't send off my password, just the first few characters of my password's hash. They definitely can't get my password from that!


          • Skeptic Just because they say it doesn't mean its true. They probably do send off your password, associate it with your email (because you probably check your email in the same session), and then hack all your accounts.


          Independent Verification



          Of course, we can't verify what happens after we send them our data. Your email address definitely gets sent over, and there are no promises that they aren't secretly turning that into a gigantic email list that gets used for the next wave of Nigerian Prince emails.



          What about the password though, or the fact that the two requests might be connected? With modern browsers, it is very easy to verify that your password isn't actually sent to their server. This service is designed so that only the first 5 characters of the hash of the password are sent off. The service then returns the hashes of all known passwords that start with that prefix. Then, the client simply compares the full hash against the returned ones to see if there is a match. Neither the password nor even the hash of the password are even sent.



          You can verify this by going to the password search page, opening up your developer tools, and looking at the network tab (chrome, firefox). Put in a password (not yours if you're still worried) and hit submit. If you do this for password you'll see an HTTP request that hits https://api.pwnedpasswords.com/range/5BAA6 (5BAA6 being the first 5 characters of the hash of password). There are no cookies attached, and the actual submitted password never shows up in the request. It responds with a list of ~500 entries, including 1E4C9B93F3F0682250B6CF8331B7EE68FD8 which (at the moment) lists 3645804 matches - aka the password password has showed up about 3.5 million times in separate password leaks. (the SHA1 hash of password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).



          With only that information the service has no way to know what your password is, or even if it shows up in their database. There are a near limitless variety of hashes that might come after those first 5 digits, so they can't even guess whether or not your password is in their database.



          Again, we can't know for sure what happens to the data after it leaves our browser, but they have certainly put a lot of effort into making sure that you can check to see if your password has leaked without actually sending them your password.



          In summary, Troy is definitely a respected member of the community, and there are aspects of this that we can verify. Certainly, there have never been any cases where trusted members of a community later break that trust :) I definitely use these services, although I don't know if you want to trust some random person on the internet. Then again, if you weren't willing to trust some random person on the internet, then why are you here?







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 9 hours ago









          Conor ManconeConor Mancone

          9,99132147




          9,99132147























              -2














              If you don't trust HIBP enough to give it your email, you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)






              share|improve this answer








              New contributor




              user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.

























                -2














                If you don't trust HIBP enough to give it your email, you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)






                share|improve this answer








                New contributor




                user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.























                  -2












                  -2








                  -2







                  If you don't trust HIBP enough to give it your email, you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)






                  share|improve this answer








                  New contributor




                  user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.










                  If you don't trust HIBP enough to give it your email, you can use Firefox Monitor, a service Mozilla built in collaboration with HIBP. They query HIBP database without ever sending your email to HIBP. (I'm not sure if Mozilla receives your email address or if it's being hashed on the client side.)







                  share|improve this answer








                  New contributor




                  user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  share|improve this answer



                  share|improve this answer






                  New contributor




                  user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  answered 16 hours ago









                  user31389user31389

                  971




                  971




                  New contributor




                  user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.





                  New contributor





                  user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  user31389 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






















                      godwana is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      godwana is a new contributor. Be nice, and check out our Code of Conduct.













                      godwana is a new contributor. Be nice, and check out our Code of Conduct.












                      godwana is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201654%2fis-it-safe-to-give-my-email-address-to-a-service-like-haveibeenpwned-in-light-of%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Ponta tanko

                      Tantalo (mitologio)

                      Erzsébet Schaár