
Pastes on Have I Been Pwned are no longer publicly listed - gpvos
https://www.troyhunt.com/pastes-on-have-i-been-pwned-are-no-longer-publicly-listed/
======
jwcrux
I run the Twitter account @dumpmon[0] that HIBP gets the data from.

This is an interesting decision and I applaud Troy for, as always, doing
what's best for his users. He's a great example of the kind of person we need
more of in the industry.

Unfortunately, I run into the same problem. I have no doubt people can (and
probably do) use dumpmon for nefarious purposes. My take on the matter when I
first made dumpmon was that this data was clearly already known to the bad
guys. The goal of the Twitter bot was to give a sense of how prevalent these
"mini-breaches" were, but also to give the good guys (like HIBP!) a feed they
can use to help stop the problem. I've been fortunate that multiple services
have been able to use the feed to respond to these types of credential dumps
really quickly.

If anyone is interested in some of the stats behind dumpmon, here's a
shameless plug to an article I wrote a couple of years ago on the matter:
[https://jordan-wright.com/blog/2015/05/26/two-years-of-at-dumpmon/](https://jordan-wright.com/blog/2015/05/26/two-years-of-at-dumpmon/)

Happy to answer any questions!

[0] [https://twitter.com/dumpmon](https://twitter.com/dumpmon)

------
dustinmoris
To be fair, I was saying this from the very beginning, but Troy should have
never even started to disclose user emails and in which data breaches they
have been affected publicly via HIBP.

There is no good reason why every random Joe should be able to type in my
mum's, daughter's or son's email address in HIBP and see whether one of them
has been signed up on a Cannabis website, gambles online, or trades with
bitcoin or is signed up with an organisation that tries to help people with a
certain condition. Troy decides based on his own personal world view which web
sites are unethical to disclose publicly (e.g. porn sites or Ashley Madison)
and which not, which is often very problematic in my view. Even though Troy
tries to act as ethically as possible, in the end his world view is only that
of an old(er) white male Aussie who loves old petrol-fuelled sports cars,
which is quite antique itself. Clearly there are issues then when services such
as Cannabis.com, crackcommunity.com, Foxy Bingo or Acne.org are publicly
disclosed by him, but Ashley Madison not.

HIBP is a good service, but there should be two major changes made:

- Don't let anonymous people type in email addresses and disclose information
to them. Just don't show people any information about an email which is not
theirs. Period.

- Allow people to remove themselves from HIBP. Not everyone is comfortable
thinking that some dude in Australia is collecting a huge database of all data
breaches in which they have been affected, ultimately building a user profile
about someone's interests, sexual preferences, political views and more
without their consent.

~~~
SmallDeadGuy
> There is no good reason why every random Joe should be able to type in my
> mum's, daughter's or son's email address in HIBP and see whether one of them
> has been signed up on a Cannabis website, gambles online, or trades with
> bitcoin or is signed up with an organisation that tries to help people with
> a certain condition.

Not only that, but seeing what pastes their email can be found in is an issue.
Just last week there was a post on the front page of HN where someone did exactly
that: found what paste a friend's email was in, downloaded the paste, and
using a few extra steps recovered the hashed password [0]. While it's possible
to find all the leaked information and search it manually, aggregating in a
single place adds convenience for those with legitimate uses but also for
nefarious purposes.

[0]: [https://news.ycombinator.com/item?id=14919845](https://news.ycombinator.com/item?id=14919845)

------
londons_explore
When something is leaked, it is leaked.

Trying to stop the spread of the info after the fact is useless - the real bad
guys and those happy to do more research will always find it.

Stop thinking "hopefully not too many people see my password on pastebin", and
instead think "my password has leaked, change it asap".

------
busterarm
Wouldn't the easy solution for blackhats using HIBP's lists be to sign up an
account on thousands of services to get clear notification and a list of
accounts once there's been a breach?

------
ComodoHacker
> Now I'm sure there are "reasons" why their policies are as they are and maybe
> it'd take Spotify themselves to lodge an abuse report here, but this sucks.

So Troy complains about Blogger not quickly removing a credentials dump on
demand. What about other public sources of data for HIBP? Pastebin, file
hosts, etc.? Should they remove such data after the first report, not bothering
to investigate anything (including whether the credentials listed are real or
fake)? That way the whole HIBP project database may get stale soon. :)

------
IshKebab
This is just annoying.

------
giancarlostoro
I kinda hope he at least keeps the ability to notify the emails of those whose
passwords may have been breached. Removing the public page is fine, but it
might be more useful if that paste service lives on in the background.

~~~
Xoros
Isn't that stated in the post? That only the concerned emails will have access to
the paste?