I suggest you ...

Indicate if the same credentials have appeared in another breach

Nice, now I know that my mail address was included in the Exploit.In and Adobe breaches. But the Exploit.In breach does not give any clue whether we are talking about the same service (=Adobe) or not. I can understand that you cannot mail me a password. After all, you don't know me. I might as well be an imposter. But it would be cool if you could internally set up your database such that it outputs whether the password in an amalgamated-list breach that did not specify a service, like Exploit.In, was identical to the one in another breach like the Adobe breach. That would allow me and other users to assess the damage much better and take action. So the output I would wish for should look as follows:

Credentials associated with your email appeared N times in this list. 1 entry matched information leaked through >link< XYZ breach. 1 entry matched information leaked through >link< XYZ breach. .... and so on.

37 votes
    Matt shared this idea

    2 comments

      • AK Prashant commented

        @Matt: To compare whether an obtained credential set (username, email address, password) was identical across breaches of different services, Troy Hunt needs to copy and store passwords (in plain text or hashed form) with their respective email address and breached service name. Troy Hunt has categorically denied to store data that way.

        Or did you mean that after using the https://haveibeenpwned.com/Passwords service, you wish to know if a particular password (either in hashed form or successfully cracked into plaintext) "Pa55w0rd" has been exposed in breaches like Adobe & LinkedIn, but without linking it to a particular email address or username? But I do wonder what purpose it serves!
        If I find that a particular password has already been pwned, I would proactively change the password of all my registered services that are currently set to that one, irrespective of the service being breached or not.

        @Troy Hunt: Please clarify.
