Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The risk is not in sifting through billions of records.

The risk is enabling a service that unlocks a capability like “give me the password for this email address that may or may not be mine”.

The source of a breach is a single attribute that can be associated with an entire dataset, unlike passwords.



We only need to get the domain name of the service.

The compromised password can and should be deleted by them, and ignored by us.


But I'm saying it should be possible to view the source of the password, not the password itself. Which is what his site already shows for individual breaches.


00deadbeef@gmail.com is in the leak-name-here leak!

Google: "leak-name-here download"


No I don't mean download the dump.

I want to know which service (https://www.troyhunt.com/content/images/2024/01/image.png) my details were linked with.


Are you saying that's the risk of providing the website URL? Or that it's the risk of the HIBP?

Because he does provide the email and the leak name... He even provide indirectly where to download it from his blogpost.

Providing the website won't give more dangerous information, that's exactly what he usually does when it's not a stuffing list, he say where the password come from (Linkedin, Facebook, etc...).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: