Showing results via Mail
I think it is a matter of privacy what services (that were breached) I used. This site allows me to type in any e-mail I know and to verify whether or not the person did use a special service. It might seem that this information is not too big of a deal, still I'd consider it private. So my suggestion is that the service only sends back a link to the e-mail that shall be checked and provides the results there.
The reasons for the current approach are detailed in this blog post: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Vicky commented
There's a right to privacy and people may have forgotten which sites they've got accounts at. Some more private than others! It could be an intrusive data gathering platform if no second element of authentication is introduced to verify that the email address entered genuinely belongs to the requester.
It's great I can opt out, but the majority of people don't know this is an option.
-
Anonymous commented
I disagree. Scammers have been able to target special spear phishing attacks on me because they were able to recognize sites where I have accounts. Also I am not okay with the fact that everyone with my e-mail in mind can check out what (breached) companies I do business with. Also: what will you do if Pornhub gets exposed? Makes me kinda anxious to know that everyone will be able to see that I use that service (for example).
Last but not least, I live in the EU and I am absolutely certain about the fact that your service violates GDPR. So you might want to reconsider.
-
Hrcak commented
Right now, just by providing an e-mail address you can get pastes with the plain password for that address. I can see how this can be abused. Could you implement some kind of verification that it's the actual owner of the e-mail? For example, sending an email which leads to a list of pastes where the password was found.