963 votes, AK Prashant commented
I do use email alias services from email service providers (ESPs) like Gmail, Outlook and Yahoo. All three have different implementations of alias email addresses with respect to syntax and domain names. Such inconsistencies among ESPs have already been commented on here.
I was wondering why these popular ESPs aren't using the domain search (https://haveibeenpwned.com/DomainSearch) or the API (https://haveibeenpwned.com/API/v2) to inform their end-users of possible breaches at pwned websites. This is similar to how domain administrators are expected to use HIBP.
For example: Yahoo informing me that my private details stored at Adobe were unintentionally exposed and stating that it got this information as-is from HIBP.
Advantages of the ESP directly using the services of HIBP instead of the end-user:
1. The ESP is better equipped to inform the end-user with an enumerated list of breaches associated with each of their alias email addresses (Yahoo allows up to 500 disposable email addresses to be created by a user) and also the primary email address. Hence, the handling of exposed alias addresses is implemented by the respective ESP and not by HIBP. The user also need not register all alias email addresses with HIBP.
• FirstNameLastName@yahoo.com was pwned in LinkedIn, Twitter, Yahoo.
• BaseName-Adobe@yahoo.com was pwned in Adobe.
• BaseName-FreshMenu@yahoo.com was pwned in FreshMenu.
2. I read https://www.troyhunt.com/the-legitimisation-of-have-i-been-pwned/ Unlike Amazon or OpenTable, most internet-related service providers (IRSPs) are neither proactive in handling breaches nor do they provide timely alerts to the user of possible breaches. Example: FreshMenu decided NOT to notify its impacted customers. https://www.thenewsminute.com/article/data-breach-freshmenu-leaked-data-110k-users-2016-co-didn-t-inform-users-88195 This might be due to multiple reasons, like economic reasons to reduce cost, avoiding the time spent pacifying impacted customers, reducing the chances of a start-up losing to the competition in a new and growing market, and weaker data-protection law and enforcement in India. So it would be better if the appropriate ESP, using the services of HIBP, alerts the user irrespective of whether the breached IRSP does so or not.
3. The total number of ESPs (free, government, educational and corporate) is smaller than that of all the other varied kinds of IRSPs. Hence the efforts of HIBP, ESPs and IRSPs are better channelled into mitigating the effects of a breach, with each of them doing what they do best.
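The per-alias enumeration the comment above sketches, as an added example written for this thread; it is not HIBP's or any ESP's code. It assumes the documented behaviour of the v2 endpoint https://haveibeenpwned.com/api/v2/breachedaccount/{account}: HTTP 200 with a JSON array on a hit, 404 when the address is clean, 429 with a Retry-After header when rate-limited, and a mandatory User-Agent header. The alias names, the breach lists in FAKE_HIBP and the user-agent string are constructed for the demo, and the offline stand-in fetcher answers like the endpoint would so the script runs without network access.

```python
"""Enumerate HIBP v2 breaches per alias address (added example, not HIBP's code)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_V2 = "https://haveibeenpwned.com/api/v2/breachedaccount/"


def http_fetch(url, user_agent="esp-breach-alerter-example"):
    """Live fetcher: returns (status, body, headers). Not used by the offline demo."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace"), dict(err.headers)


def breaches_for(account, fetch=http_fetch, retries=3):
    """Return the sorted breach names for one address, or [] if HIBP has none."""
    # quote(safe="") also encodes '@' and '+', so plus-aliases survive the URL path
    url = HIBP_V2 + urllib.parse.quote(account, safe="") + "?truncateResponse=true"
    for _ in range(retries):
        status, body, headers = fetch(url)
        if status == 200:
            return sorted(b["Name"] for b in json.loads(body))
        if status == 404:
            return []
        if status == 429:
            # honour the server's back-off instead of hammering the endpoint
            time.sleep(float(headers.get("Retry-After", "2")))
            continue
        raise RuntimeError(f"HIBP returned HTTP {status} for {account}")
    raise RuntimeError(f"still rate-limited after {retries} tries for {account}")


def report(addresses, fetch=http_fetch, pace=1.6):
    """Map each alias to its breaches, pacing calls so a batch stays under the rate limit."""
    result = {}
    for i, addr in enumerate(addresses):
        if i and pace:
            time.sleep(pace)
        result[addr] = breaches_for(addr, fetch=fetch)
    return result


def format_report(result):
    """Render the per-alias list the way the comment above sketches it."""
    lines = []
    for addr, names in result.items():
        if names:
            lines.append(f"{addr} was pwned in {', '.join(names)}.")
        else:
            lines.append(f"{addr}: no breaches known to HIBP.")
    return lines


# --- constructed offline stand-in for the API; these are not real HIBP results ---
FAKE_HIBP = {
    "FirstNameLastName@yahoo.com": ["Twitter", "LinkedIn", "Yahoo"],
    "BaseName-Adobe@yahoo.com": ["Adobe"],
    "BaseName-FreshMenu@yahoo.com": ["FreshMenu"],
}


def fake_fetch(url):
    """Answer like the v2 endpoint would, from the constructed table above."""
    account = urllib.parse.unquote(url[len(HIBP_V2):].split("?", 1)[0])
    if account in FAKE_HIBP:
        return 200, json.dumps([{"Name": n} for n in FAKE_HIBP[account]]), {}
    return 404, "", {}


def make_flaky(fetch):
    """Wrap a fetcher so its first call is rate-limited (exercises the 429 path)."""
    calls = {"n": 0}

    def flaky(url):
        calls["n"] += 1
        if calls["n"] == 1:
            return 429, "", {"Retry-After": "0"}
        return fetch(url)

    return flaky


if __name__ == "__main__":
    addresses = list(FAKE_HIBP) + ["unused-alias@yahoo.com"]
    for line in format_report(report(addresses, fetch=fake_fetch, pace=0)):
        print(line)
```

Swapping fake_fetch for http_fetch turns this into a live check; the pace argument exists because a mailbox with hundreds of aliases would otherwise trip the per-IP rate limit on the first pass.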
37 votes, AK Prashant commented
@Matt: To compare whether an obtained credential set (username, email address, password) is identical across breaches of different services, Troy Hunt would need to copy and store passwords (in plain text or hashed form) with their respective email address and breached service name. Troy Hunt has categorically declined to store data that way.
Or did you mean that after using the https://haveibeenpwned.com/Passwords service, you wish to know whether a particular password (either in hashed form or successfully cracked into plaintext), say "Pa55w0rd", has been exposed in breaches like Adobe and LinkedIn, but without linking it to a particular email address or username? But I do wonder what purpose that serves!
If I find that a particular password has already been pwned, I would proactively change the password of all my registered services that are currently set to that one, irrespective of the service being breached or not.
@Troy Hunt: Please clarify.
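How the "has this password been pwned" check from the comment above is done without handing the password to HIBP, as an added example written for this thread rather than HIBP's own code. It assumes the documented Pwned Passwords range API: the client sends only the first five hex characters of the password's uppercase SHA-1 to https://api.pwnedpasswords.com/range/{prefix} and receives "SUFFIX:COUNT" lines for every hash sharing that prefix, so the service never learns which hash was being looked up. The count for "Pa55w0rd", the neighbouring suffix and the user-agent string in the offline stand-in are constructed for the demo and are not HIBP figures.

```python
"""k-anonymity Pwned Passwords check (added example, not HIBP's own code)."""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest: 5-char prefix goes on the wire, 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def http_fetch_range(prefix):
    """Live fetcher; returns the response body as text. Not used by the offline demo."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def pwned_count(password, fetch=http_fetch_range):
    """Return how often the password appears in Pwned Passwords (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range(fetch(prefix))
    # the suffix comparison happens here, client-side; a count of 0 means "not pwned"
    return counts.get(suffix, 0)


# --- constructed offline stand-in for the range API; counts are made up ---
_P, _S = sha1_prefix_suffix("Pa55w0rd")
FAKE_RANGES = {
    _P: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",  # unrelated hash sharing the prefix
        f"{_S}:1234",                               # Pa55w0rd itself
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",    # zero-count entry, treated as not pwned
    ]),
}


def fake_fetch_range(prefix):
    """Serve the constructed range; any other prefix gets an empty body."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["Pa55w0rd", "c0rrect-h0rse-battery-staple-7Q"]:
        n = pwned_count(pw, fetch=fake_fetch_range)
        print(f"{pw!r}: {n} occurrences" + (" (change it everywhere it is reused)" if n else ""))
```

The point the comment makes still stands once the check returns a non-zero count: the number says nothing about which account leaked it, so the only sensible response is to rotate that password on every service where it is reused.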