Allow users to remove entries associated with their email address from the database
Or give folks the option to hide their own results from the larger public. As currently configured, the site makes information that is otherwise only available on the darkweb (e.g., saliently, that you were an AdultFriendFinder user) readily accessible to anybody with an internet connection.
This would only really make sense for pwned email addresses, since there would be no easy way to prove you are the owner of a given account otherwise.
-
Alex, check the laws in your local jurisdiction; many countries (such as those in the EU) have laws that require companies to permanently remove your identity if requested.
-
Alex commented
Hi, I have a problem which I can't seem to find the answer to anywhere on the web. I used to be a member of AFF & then I deleted my account. I also asked & gave them notice that I want my email address to be removed from their database & website too; however, it seems that my email address is still in their database & each time I send them an email asking them to remove/delete my email address I get an automated reply which basically says they will hold my email address to stop people having duplicated accounts!!! To me that is just pure B.S. as they want to make people PAY extra to change their username or profile or something else, and anyone can have millions of profiles on there just by creating a new Hotmail account & signing in.
So is there a law or privacy protection which does allow me to DEMAND from them to remove my email address from their website & get a confirmation?
-
I've now applied the "sensitive" flag to the AFF breach as well. The additional curiosity and scrutiny that's resulted from the Ashley Madison breach has tipped the scales in favour of it being more advantageous to hide the data from public view than to make it easily accessible.
-
In Danger commented
Troy,
In regards to the topic of salacious hacks (AM and AFF): I really think there are a lot of people, mainly innocent people, who for whatever reason had an email associated with these sites. What you did with AM makes sense. I urge you to make the same change for the AFF data. Why? The AM hack is going to get a lot of attention. This means people will be driving to your site to check emails. Both hacks are the same in nature: a gross invasion of privacy, obtained illegally. For some, having an email come up under the AFF data is just as damaging as AM. I urge you, for the sake of safety for some, to implement the same measures for AFF as you have responsibly done for AM. People who need to know can still know using the AM strategy. Tinder, OK Cupid, Grindr, what's next.
-
For those that haven't seen it, this recent blog post on how I intend to handle the Ashley Madison data (or equivalent) is pretty important: http://www.troyhunt.com/2015/07/heres-how-im-going-to-handle-ashley.html
The intention of that post is to keep sensitive data away from people casually browsing it. In terms of @Anonymous' comments, I may well still add the ability to remove individuals from being searchable as well, at least in the immediate term there's a mechanism to hide any new sensitive data.
-
Anonymous commented
Seems like this fix would help some people and hurt none. The rest of the debate is just getting clearer on *how many people* it'd help, and *how much*. Since going with @Ian's suggestion presents no downside (given the stated goals of HIBP), I suppose the question becomes whether @Troy judges it's worth his time to implement.
Not knowing most of the particulars, it's hard to say much about that, but I do think @Troy's incorrect when he minimizes the potential downsides. Your employer or spouse isn't likely to be trawling the darkweb or punching random addresses into a recover-email page on AFF, but it's easy to imagine people punching your email address into HIBP. As @Ian says, part of the reason is that HIBP is such a successful tool in that it makes the barrier to accessing this info essentially nil. This is great if you're looking up *your own info*, and not so great if you're looking up other people's.
-
Anonymous commented
I agree with @Troy. This is silly.
-
Ian Andrew Bell commented
Get your perspective on the matter, @Troy, but as with the AFF example you use (and Ashley Madison when that drops) you're going to potentially 'out' a lot of people. One defense these folks can lean on for the time being is the relative obscurity of the data once it gets released. What about folks who are closeted gay, and it is revealed they have a profile on a gay dating site?
The power of this wonderful tool is its simplicity. That also makes it a little bit dangerous. Or, put another way, really dangerous to a small number of folks.
A consideration might be to, once someone has entered their email address, allow them to make their listings private, using an email confirmation sent to that address... but that won't catch folks who, as you say, no longer have access to that email address.
A fair amount of added work, but...
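
The email-confirmed opt-out suggested in the comment above, sketched as an added example that is not part of the thread and is not HIBP's code. The function names, the secret, the one-hour expiry and the sample breach data are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to users
TOKEN_TTL = 3600                   # assumption: confirmation links expire after one hour
hidden = set()                     # addresses whose owners opted out of public search

# Constructed sample data, not real breach records.
BREACHES = {"alice@example.com": ["AdultFriendFinder"]}

def _sign(email, expires):
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_optout_token(email, now=None):
    """Build the token that is e-mailed to `email`; only the mailbox owner receives it."""
    email = email.strip().lower()
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{email}|{expires}|{_sign(email, expires)}"

def confirm_optout(token, now=None):
    """Hide the address only if the token is authentic and unexpired."""
    try:
        email, expires, sig = token.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return False                       # malformed token
    expected = _sign(email, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                       # forged or edited token
    if (now if now is not None else time.time()) > expires:
        return False                       # link too old
    hidden.add(email)
    return True

def public_search(email, breaches=BREACHES):
    """Public lookup: a hidden address looks the same as one never breached."""
    email = email.strip().lower()
    return [] if email in hidden else breaches.get(email, [])
```

Because the token is only ever delivered to the mailbox, presenting it back proves control of the address; as the comment notes, this does nothing for someone who has lost access to that mailbox.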
-
One of the premises I've always held onto with data breaches is that they're easy to obtain by those with malicious intent and hard for impacted victims to verify their exposure. Tor is *the* way most of these data breaches are distributed and even when I obtained it originally, it was just a matter of opening up the Tor browser, plugging in the URL and that's it. It doesn't get any easier than that and the guys looking at exploiting this data are right at home in Tor!
I do want to keep this idea here though and I have a few ideas of how this might be implemented. Thanks for contributing and stay tuned!
-
Sam commented
Hi Troy,
Thanks so much for that considered reply. I would add a couple things. First, though this is basically a matter of opinion, I don't think the data in this case is all that easily obtainable. In 15 minutes, I wasn't able to turn anything up that didn't require a Tor browser. There's also, I'd say, a real difference between downloading one of these spreadsheets (not so easy for your average person, and perhaps illegal) and doing a HIBP search (totally easy and legal).
Second, your point about the info already being available on AFF is well-taken. However, in this particular instance, much of the leaked info belongs to people whose accounts had been deleted -- sometimes, anecdotally, as much as 5 years ago. In such cases, I believe the password reset trick won't work.
So I think there is more than just marginal value to be gained from such a feature.
Many thanks, again, for being responsive, and for all the work you've done already.
-
Thanks for adding this, let me give some context as to why this doesn't exist as a feature already:
Firstly, by the time data ends up on this site, the proverbial horse has already well and truly bolted. The data is public and usually obtainable by anyone who can do a few searches. Removing individual records from here won't change that.
Secondly, in pretty much every instance of a breach, the presence of an email on the source system can easily be verified. Usually the password reset will disclose whether an email has been sent for the reset or if the address wasn't found in the database. If not the reset then the registration ("You've already registered with this address").
That second point is really important because the information *isn't* only available on the dark web, it's available on adultfriendfinder.com. Right now it's still reporting "Invalid email" versus confirming a reset was sent. Regardless, I'll leave this suggestion open so it can be voted on if it's important to people.
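
The disclosure described in the post above, seen from the site operator's side, as an added example that is not part of the thread and is not any real site's code: reset and registration handlers whose responses differ by account existence, next to uniform versions, plus a regression check. Handler names, response strings other than those quoted in the post, and the sample account are assumptions.

```python
# Constructed sample data: addresses that have an account on a hypothetical site.
ACCOUNTS = {"alice@example.com"}
outbox = []   # stands in for the mail queue: (address, kind of message)

def reset_leaky(email):
    """Response differs by account existence, as described in the post."""
    if email.lower() not in ACCOUNTS:
        return 404, "Invalid email"
    outbox.append((email.lower(), "reset"))
    return 200, "A reset link has been sent"

def reset_uniform(email):
    """Same status and body either way; mail goes out only for real accounts."""
    if email.lower() in ACCOUNTS:
        outbox.append((email.lower(), "reset"))
    return 200, "If that address has an account, a reset link has been sent"

def register_leaky(email):
    if email.lower() in ACCOUNTS:
        return 409, "You've already registered with this address"
    outbox.append((email.lower(), "verify"))
    return 200, "Check your inbox to finish registering"

def register_uniform(email):
    """Same page for everyone; the difference is stated only inside the mailbox."""
    kind = "already-registered" if email.lower() in ACCOUNTS else "verify"
    outbox.append((email.lower(), kind))
    return 200, "Check your inbox to continue"

def discloses_membership(handler, known, unknown):
    """Regression check: True when a caller can tell the two cases apart.
    Compares status and body only; response timing needs a separate test."""
    return handler(known) != handler(unknown)
```

Running `discloses_membership` against each public endpoint in a test suite catches a handler that later regresses to an existence-dependent message.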