
How I verify data breaches - adamflanagan
https://www.troyhunt.com/heres-how-i-verify-data-breaches/
======
JorgeGT
As someone who subscribes to HIBP, thanks for running this kind of
verification instead of just trying logins. I found the "profile" of the
email/TLDs/passwords very interesting, I wonder if some correlation algorithm
could be built to statistically determine if a certain sample is indeed
representative/coherent with the expected distribution of passwords/emails.

------
ironchef
The main issue isn't that Gmail or whatnot has been breached. It's that lots
of users tend to reuse passwords. So... once they know you signed up using
foo@gmail.com to service Alpha (and they have that password)... then they start
trying all of the common services to see where else foo@gmail.com might have
used that password or a slight variant (Dropbox, etc.)

------
gruez
What I really want to know is how to get these dumps. Not for nefarious
reasons, just curious.

~~~
DyslexicAtheist
Troy Hunt is well known in InfoSec circles. step-2) people come to you. I guess
in a nutshell this started it for him but now he receives lots of new media
attention because of what he did with
[https://haveibeenpwned.com/](https://haveibeenpwned.com/) ...

Other than that you could get them on the darknet. That said any _respected_
security researcher usually would never pay for stolen booty. (paradoxically
the definition of respect here seems currently disputed, because sadly, we're
living in an era where governments use tax revenues to buy exploits either
directly or via proxy over the darkweb to infect and spy on their citizens'
systems)

------
eloy
That was an awesome insight, thanks. I guess that fakers in the future will
leave out Mailinator addresses... But that still leaves plenty of room for the
other methods.
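An added example (not from the article or any commenter) of the statistical check JorgeGT wonders about, combined with the Mailinator signal eloy mentions: it profiles the TLD mix of a claimed dump, scores it against an assumed reference profile with a Pearson chi-square statistic, and reports the share of throwaway addresses. The reference shares, the disposable-domain list and the two email samples are all constructed for illustration.

```python
from collections import Counter

# Assumed reference TLD profile (share of addresses); in practice this would
# be derived from previously verified breaches, not hard-coded.
REFERENCE_TLD_SHARE = {"com": 0.70, "net": 0.10, "org": 0.05, "other": 0.15}

# Constructed list of throwaway-mail domains (illustrative, not exhaustive).
DISPOSABLE_DOMAINS = {"mailinator.com"}

# Constructed samples: one with a plausible mix, one that is all throwaway.
CONSTRUCTED_PLAUSIBLE = (
    [f"user{i}@example.com" for i in range(13)]
    + [f"user{i}@example.net" for i in range(3)]
    + ["user@example.org"]
    + ["u1@example.de", "u2@example.fr", "u3@example.co.uk"]
)
CONSTRUCTED_SUSPECT = [f"fake{i}@mailinator.com" for i in range(20)]


def tld_profile(emails):
    """Count addresses per TLD, folding TLDs outside the reference into 'other'."""
    counts = Counter()
    for email in emails:
        domain = email.rsplit("@", 1)[-1].lower()
        tld = domain.rsplit(".", 1)[-1]
        counts[tld if tld in REFERENCE_TLD_SHARE else "other"] += 1
    return counts


def chi_square_statistic(observed, expected_share):
    """Pearson chi-square of observed counts against expected shares."""
    n = sum(observed.values())
    stat = 0.0
    for category, share in expected_share.items():
        expected = n * share
        stat += (observed.get(category, 0) - expected) ** 2 / expected
    return stat


def looks_consistent(emails, threshold=7.815):
    """True if the TLD mix does not differ significantly from the reference.

    Four categories give 3 degrees of freedom; 7.815 is the 5% critical value.
    Real samples should be far larger than the toy lists above.
    """
    return chi_square_statistic(tld_profile(emails), REFERENCE_TLD_SHARE) < threshold


def disposable_share(emails):
    """Fraction of addresses at known throwaway domains (a fabrication signal)."""
    hits = sum(1 for e in emails if e.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS)
    return hits / len(emails) if emails else 0.0
```

A sample that fails the chi-square check or has a high disposable share is not proof of fabrication, only a prompt to apply the other verification steps the article describes.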

