Include last seen / affected date in stealer results
As we are already aware (and have implemented) - it is not enough to know that an email appeared in stealer logs, the actual website credential was affected matters.
This is surfaced through the v3 API from the email address, email domain, and website domain point of view, however much of this data is aggregated.
This means that if an email address appears in multiple stealer logs it's not possible to know when it appeared for a given website domain.
From an operator point of view this makes it difficult to know which end users are susceptible to new attacks from new stealer log entries (assuming that remediation action was taken).
This could come from parsed log data (hard) or at a simplest level when it was last loaded / updated in HIBP (easy).
Nicholas Hairs
shared this idea
The reason we don’t do this is that we often don’t have any date in the source and the same data often gets recycled between logs. There’s just no date we can reliably put on the logs with any degree of accuracy.