You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.

I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the effected email?

Hi,
It will be nice to have an "acknowledge" option if i subscribe - so when i see list of sites/accounts i changed my password too i would be able to acknowledge and then see only new threats as red

thanks,

Using the crowd, I have finally solved the mystery which database a certain paste represents: http://security.stackexchange.com/questions/108191/what-can-i-do-if-i-discover-that-my-password-hash-has-been-leaked-in-pastebin

Can I/Could you add that information?

There was a breach on wpengine.com, maybe data about accounts will be available somewhere
https://wpengine.com/support/infosec/

Title explains it.

Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
Whether they are broken or not is beyond my experience :-)

Because people often use the same user and password combination on multiple sites. If you can search here if you have an account on multiple sites, others can too. If you can slow down automatic search, abusers can be scared away

This service is awesome and user will be warned if they are pwned.
But the registration confirmation email says "...and you can unsubscribe at any time if you don't want the notifications."
Please, make an unsubscribe button. I can't find any unsubscribe button or form on the website or in the email.
Thanks.

Recover verification notice.

The domain registration page says "Verifying by email is the fastest way to confirm ownership of the domain. You can either verify using an email address on the domain registration record or by using one of several pre-defined addresses for the domain." However, in fact I cannot find any way to use the email address actually on my domain registration record (paleo.org), as it is not one of the four standard addresses listed.

Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if the EMail Address was confirmed Registered (via EMail Link) PRIOR TO Deleting the E-Mail Address ? Thank You.

Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.

Gmail will ignore periods in an email when it comes to rounding. So email@gmail.com and e.mail@gmail.com will both go to the same address. Someone might want to use the email because it lets them filter those messages from within Gmail.

I tested it, and as of right now, haveibeenpwned sees them as seperate emails which may give users a false sense of security.

Develop a way to find all permutations of an email based off of their filterless email address.