🚨 HOT TAKE TIME 🚨
the #enshittification of HaveIBeenPwned (HIBP) has begun
#1. they now charge for domain searches for domains with more than 10 leaked addresses. i don't mind charging companies for API access, etc., but not just to see who in your company needs to change their password.
#2. they don't, and have never, deleted/archived old leaks. ffs, Ashley Madison is still in there; it's 10 years old now. we have employees in their lists who left 5 years ago.
1 + 2 = eventually all not-tiny domains will have to pay to get the information.
#3. they are doing a poor job of notification. the latest breach of thepostmillennial.com is an example.
there were 3 "tiers" of the leak.
1. >200 authors and contributors on the site, this was "official". this had the most information (including physical addresses for a small portion)
2. ~40k users of the site, this was "official" and had the next most information (password, emails, and phone number for a large chunk)
3. 20+ million newsletter signups, this was NOT "official" and was sourced from god knows where, which HIBP even says themselves. (as far as i understand this would only have email, and possibly zip code, but it was not in the "official" leak)
*however* HIBP still sent out a single notification to all possible users saying that "Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames" were leaked.
1 + 2 + 3 = more and more domains will be notified for smaller issues that look like big issues, then forced to pay to see the breached users, who may or may not even use the domain's email anymore.
my company got a notification that several of our users were breached. so, i looked into it. i have the full "official" leak, but not the newsletter one. none of our employees are on either "official" leak, so they must be from the newsletter.
which brings me to my next point...
#4. they aren't vetting as well anymore.
ONE MAJOR PROBLEM WITH THE NOTIFICATION MY COMPANY GOT...
we don't subscribe to HIBP, so i dug a bit into my company's email history. there are no emails in our system from the last 90 days from thepostmillennial.com. so, i have no idea where that information comes from.
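The kind of cross-check described above, as an added example that is not part of the original post and not HIBP's own code: given the three leak tiers, a company's staff directory, and the addresses a notification names, it works out which tier each address actually came from, whether a password was exposed, and whether the person still works there, so that only current staff with exposed credentials get a forced reset and departed accounts get checked for being disabled. The tier field lists, breach records and staff directory are constructed sample data; the domain example.test is a placeholder.

```python
# Added example: triaging a breach notification against per-tier leak data.
# All data below is constructed sample data, not real breach records.

# Fields each tier exposes, following the three tiers described in the post.
TIER_FIELDS = {
    1: {"email", "name", "username", "password", "phone", "physical_address"},
    2: {"email", "password", "phone"},
    3: {"email", "zip"},  # newsletter signups: email, possibly zip code
}

# Constructed breach records as (email, tier). Note the mixed case and the
# address that appears in two tiers; both must be handled.
BREACH_RECORDS = [
    ("Alice@example.test", 2),
    ("bob@example.test", 3),
    ("bob@example.test", 2),
    ("carol@example.test", 3),
    ("dave@example.test", 1),
    ("erin@example.test", 3),
    ("zed@other.test", 2),  # not our domain, must be ignored
]

# Constructed staff directory: email -> still employed?
STAFF = {
    "alice@example.test": True,
    "bob@example.test": True,
    "carol@example.test": False,  # left the company
    "erin@example.test": True,
}


def triage(domain, records, staff, tier_fields):
    """Return {email: report} for every record on `domain`.

    Duplicate addresses are merged so an address listed in several tiers is
    judged by the union of fields exposed, not by whichever record came last.
    """
    suffix = "@" + domain.lower()
    found = {}
    for raw_email, tier in records:
        email = raw_email.strip().lower()
        if not email.endswith(suffix):
            continue
        entry = found.setdefault(email, {"tiers": set(), "exposed": set()})
        entry["tiers"].add(tier)
        entry["exposed"] |= tier_fields[tier]

    results = {}
    for email, entry in found.items():
        employed = staff.get(email)
        if employed is None:
            status = "unknown"      # not in the directory at all
        elif employed:
            status = "current"
        else:
            status = "departed"

        password_exposed = "password" in entry["exposed"]
        if status == "current" and password_exposed:
            action = "force_password_reset"
        elif status == "current":
            action = "notify_user"          # email-only exposure: awareness, no reset
        elif status == "departed":
            action = "confirm_account_disabled"
        else:
            action = "investigate"          # address on our domain but unknown to us

        results[email] = {
            "tiers": sorted(entry["tiers"]),
            "exposed": sorted(entry["exposed"]),
            "status": status,
            "action": action,
        }
    return results


def summarize(results):
    """Count addresses per action, the number a domain owner actually needs."""
    counts = {}
    for report in results.values():
        counts[report["action"]] = counts.get(report["action"], 0) + 1
    return counts


if __name__ == "__main__":
    report = triage("example.test", BREACH_RECORDS, STAFF, TIER_FIELDS)
    for email, r in sorted(report.items()):
        print(f"{email}: tiers={r['tiers']} status={r['status']} -> {r['action']}")
    print(summarize(report))
```

Run against real data, the records would come from the leak files you hold and the directory from your identity provider; the point of the merge step is that a newsletter-only hit and an account-with-password hit for the same address are not the same severity, and the notification text alone does not tell you which one you have.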
... HIBP *was* a good service ...
(edited to fix structure and add information i forgot, sorry for all the edits. thanks to @paul for the correction in replies)
edit: they just added 30 million (!) emails. there's no chance that website had 50+ million email addresses in their mailing list. i doubt CNN or MSNBC has that many people on their mailing list, let alone a smaller conservative news site.
this is engagement farming for domains to sign up and pay to see