I don't entirely agree it's reasonable. This dump apparently contains the source of the email+password combo. You can go on his website and look up sources of leaks with just an email address. That's what people really want to know: what was the source?

So yes, sifting through billions of records will take a while, but it's possible. And telling the user the source of the details (and not the leaked passwords themselves) is exactly what his website mostly already does, so it's not a risk.



The risk is not in sifting through billions of records.

The risk is enabling a service that unlocks a capability like “give me the password for this email address that may or may not be mine”.

The source of a breach is a single attribute that can be associated with an entire dataset, unlike passwords.


We only need to get the domain name of the service.

The compromised password can and should be deleted by them, and ignored by us.


But I'm saying it should be possible to view the source of the password, not the password itself. Which is what his site already shows for individual breaches.


00deadbeef@gmail.com is in the leak-name-here leak!

Google: "leak-name-here download"


No I don't mean download the dump.

I want to know which service (https://www.troyhunt.com/content/images/2024/01/image.png) my details were linked with.


Are you saying that's the risk of providing the website URL? Or that it's the risk of the HIBP?

Because he does provide the email and the leak name... He even indirectly provides where to download it from in his blog post.

Providing the website won't give more dangerous information; that's exactly what he usually does when it's not a stuffing list: he says where the passwords come from (LinkedIn, Facebook, etc.).
