... make it easy to see what data are associated with a breach for a given account.
The mere fact of a breach means very little if the associated website or other details are not findable. (I have to admit I have no idea whether the API addresses this, but I have no idea how to use it anyway.)
HPI gives heaps of info: Affected Service, Date, Verified, Password, First and last name, Date of birth, Address, Telephone number, Credit card, Bank account details, Social security number, IP Address.
Am I missing something?
This should be emailable to the account holder in the same way, I would have thought.
There are two important comments on this:
Firstly, HIBP describes the data classes that were exposed. If it says “email addresses and phone numbers”, for example, then your email address and phone number were almost certainly in the breach. The vast majority of the time, this is the data you gave the website.
More importantly though – and the reason for closing this as “declined” – is that it’s just too great a risk to store this information. Often the data is extremely personal and it was also often improperly secured in the first place. For example, plain text passwords, something I would never consider storing in my system.
So in short, the risks are too great and the benefits are minor given it’s data you’ve normally already provided yourself anyway.
-
paul commented
How do I delete my account or info on this site? You were breached back in Dec 2016; I was never notified of this.
-
BWD commented
Not using Twitter, I would not know about that.
But, OK, understood.
Thanks for your patience.
-
I only have email addresses for RCM: https://twitter.com/troyhunt/status/839632424740888577
I appreciate your input but the vast majority of incidents already list the compromised data classes and I've explained why it poses too great a risk to load personal info of this nature. There's nothing further I can add to this.
-
BWD commented
Those I understand. What about "River City Media Spam List"? (I referred to such like as "general lists".)
-
I have a feeling you're missing something here - each hacked site is listed under the search results. For example, you'll see 37 sites listed here, each one named and the exposed data classes appearing alongside it: https://haveibeenpwned.com/account/test@example.com
-
BWD commented
... and if it is not identified I cannot ascertain which site has leaked. Therefore I can do nothing.
In addition, if the details are for old (i.e. defunct) phone numbers and physical addresses (of which I have several) I would have little or no concern. I would need to know if they were likely to be current.
-
It *should* cause worry - you've just learned your data has been exposed - but it's also actionable: If it says that site X has leaked your password then go and change it there and anywhere else you've used it. It's harder with other data attributes that are not mutable, but at the very least it serves as awareness.
-
BWD commented
I have to say then that since the information is essentially incapable of being used, all the notice does for these general lists is cause worry. Specific websites or companies are rather different.
Thanks.
-
There's some interpretation open on some fields (IP is a perfect example), but regardless of how valuable it would be, it poses an insurmountable risk both ethically and legally and is definitely out.
-
BWD commented
Yes, but that is pretty vague and seems to say only that each is represented over the entire set, not that it applies to me. If I see "IP addresses" and I have never had one associated with that email address, what am I to think? I cannot associate it in any way with anything useful. HPI indicates, for example, "avast.com" and I can then take some steps. When it gives a website with which I have never had any dealing, ever, I think I can ignore it. As it stands, I can do nothing except try to find all instances of the use of the email address and change *all* passwords - not exactly practical. The key here is knowing which sites present a risk and needing action. As it stands, I have no clue.
-
When you search for your email address, immediately below each result there's a message similar to this:
Compromised data: Email addresses, Password hints, Passwords, Usernames
-
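As an added example (not code from haveibeenpwned.com or from anyone in this thread), here is how the per-breach "Compromised data:" line above can be turned into the action list the discussion asks for: passwords and similar mutable classes become "change it on site X and anywhere reused", everything else is awareness only, and spam lists with no site to act on are called out separately. It assumes the record shape of the HIBP breach API (Name, Domain, BreachDate, DataClasses, IsSpamList, IsVerified); the two records below are constructed samples, not real breaches.

```python
from __future__ import annotations

# Data classes the account holder can actually change; everything else is
# immutable and only serves as awareness (assumption: this grouping is ours).
MUTABLE = {"Passwords", "Password hints", "Security questions and answers"}

# Constructed sample records in the shape of HIBP breach objects (not real data).
SAMPLE_BREACHES = [
    {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2016-12-01",
     "IsVerified": True, "IsSpamList": False,
     "DataClasses": ["Email addresses", "Passwords", "Usernames", "IP addresses"]},
    {"Name": "ExampleSpamList", "Domain": "", "BreachDate": "2017-03-01",
     "IsVerified": True, "IsSpamList": True,
     "DataClasses": ["Email addresses", "IP addresses", "Names", "Physical addresses"]},
]


def triage(breaches: list[dict]) -> list[dict]:
    """One triage entry per breach: what was exposed and what the user can do."""
    out = []
    for b in breaches:
        classes = set(b.get("DataClasses", []))
        changeable = sorted(classes & MUTABLE)
        immutable = sorted(classes - MUTABLE)
        site = b.get("Domain") or b["Name"]
        if b.get("IsSpamList"):
            # Aggregated lists have no originating site to change anything on.
            action = "awareness only: aggregated list, no site to act on"
        elif changeable:
            action = f"change {', '.join(changeable).lower()} on {site} and anywhere reused"
        else:
            action = "awareness only: exposed data cannot be changed"
        out.append({"site": site, "date": b["BreachDate"], "verified": bool(b.get("IsVerified")),
                    "changeable": changeable, "immutable": immutable, "action": action})
    return out


def format_report(entries: list[dict]) -> str:
    """Render entries like the site's 'Compromised data:' lines, plus the action."""
    lines = []
    for e in entries:
        lines.append(f"{e['site']} ({e['date']}, verified={e['verified']})")
        lines.append(f"  Compromised data: {', '.join(e['changeable'] + e['immutable'])}")
        lines.append(f"  Action: {e['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_BREACHES)))
```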
BWD commented
Thanks for the prompt response. I understand the point about storage, but I have no idea of the kinds of information that are compromised - that is all I need to know. You seem to say that I can get that - but I cannot see how to do so. All I am asking is how does the ordinary user get to understand the nature of the problem? I was not asking for transmission of the actual data.