An error occurred while saving the commentJoe Kirwin commented
Lead with an example:
Search for firstname.lastname@example.org and (if this was a real account) email@example.com and you'd get different results. Yet for all intents and purposes it's all your data that had been leaked as they are the same account.
Would it be possible to define some canonicalizers for very popular email providers that remove superfluous things such as periods from the address both in the breach corpus and when searching?
I realize that there could be some user that likes to leverage things like
pwned.hibp+salesConference@ to track down which party exposed some breach, but I feel like that use case is not as broadly useful as giving people a full breach list.Joe Kirwin supported this idea ·